Date:         Thu, 5 Apr 2001 07:25:14 +0200
From: Peter Gründl <peter.grundl@DEFCOM.COM>
Subject:      def-2001-18: Watchguard Firebox II Kernel DoS
To: BUGTRAQ@SECURITYFOCUS.COM

======================================================================
                  Defcom Labs Advisory def-2001-18

                  Watchguard Firebox II Kernel DoS

Authors: Andreas Sandor <andreas.sandor@defcom.com>
         Peter Gründl <peter.grundl@defcom.com>
Release Date: 2001-04-05
======================================================================
------------------------=[Brief Description]=-------------------------
This vulnerability makes it possible to force the Firebox into a
condition where it stops responding to packets of a certain protocol
after it has been sent large bursts of packets for that protocol.

------------------------=[Affected Systems]=--------------------------
Watchguard Firebox II
Versions:
 * All versions prior to 4.6

----------------------=[Detailed Description]=------------------------
The Linux-based kernel in the Watchguard Firebox has problems handling
certain types of malformed packets. If the firewall is subjected to a
burst of around 10,000 of these packets, the kernel faults and the
firewall either crashes or reboots.

Both TCP and ICMP are affected, and the burst rate needed to trigger a
kernel fault was about one megabit in our test lab, a rate that is not
uncommon these days.

If the firewall manages to log the attack, the log file might look
something like this:

kernel:  Unable to handle kernel paging request at virtual address c4000000
kernel:  current->tss.cr3 = 03557000, %cr3 = 03557000
kernel:  *pde = 00000000
kernel:  Oops: 0000
kernel:  CPU:    0
kernel:  EIP:    0010:[<00186379>]
kernel:  EFLAGS: 00010206
kernel:  eax: 8c807bd9   ebx: 636f7270   ecx: 07f65441   edx: ffffffff
kernel:  esi: 04000000   edi: 02ca8818   ebp: 02ca882c   esp: 03be7f08
kernel:  ds: 0018   es: 0018   fs: 002b   gs: 002b   ss: 0018
kernel:  Process ifconfig (pid: 153, process nr: 6, stackpage=03be7000)
kernel:  Stack: 00000013 03049b98 00153ad4 02ca8840 ffffffff 00000000 09002d0a 02ca8818
kernel:         0000002e 03be7f80 00000013 02ca8848 0013f845 00000002 0013f9b9 03be7f88
kernel:         001a3e54 00000000 02ca8848 0019ca48 0019ca48 002af018 00000000 00000000
kernel:  Call Trace: [<00153ad4>] [<0013f845>] [<0013f9b9>] [<001389d0>] [<001181f3>] [<0010a62f>]
kernel:  Code: 8b 1e 11 d8 8b 5e 04 11 d8 8b 5e 08 11 d8 8b 5e 0c 11 d8 8b
kernel:  Aiee, killing interrupt handler

Most of the time, however, the firewall simply crashes without any
indication of foul play in the log file. Even after the firewall has
crashed, some network-related tasks will still function.
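
As an added example that is not part of this advisory or of Watchguard's code, the following Python sketches the defender's side of the condition described above: a sliding-window counter that flags a burst of packets of one protocol in front of the firewall, and a filter that picks the kernel oops markers shown above out of a syslog feed. The packet stream, the one-second window and the syslog lines are constructed assumptions.

```python
from collections import deque

# Added example, not part of the Defcom advisory or of Watchguard's code.
# Thresholds and the sample data below are constructed assumptions.
BURST_THRESHOLD = 10_000  # packets of one protocol (order of magnitude from the advisory)
WINDOW_SECONDS = 1.0      # assumption: one-second sliding window per protocol

def find_bursts(packets, threshold=BURST_THRESHOLD, window=WINDOW_SECONDS):
    """packets: iterable of (timestamp_seconds, protocol), sorted by time.
    Returns [(protocol, first_ts, ts_crossing_threshold), ...], one entry
    per burst, emitted on the packet that first crosses the threshold."""
    windows, alerted, bursts = {}, set(), []
    for ts, proto in packets:
        q = windows.setdefault(proto, deque())
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold and proto not in alerted:
            alerted.add(proto)
            bursts.append((proto, q[0], ts))
        elif len(q) < threshold // 2:  # traffic quiet again: re-arm the alert
            alerted.discard(proto)
    return bursts

OOPS_MARKERS = ("Unable to handle kernel paging request",
                "Aiee, killing interrupt handler")  # from the oops in the advisory

def oops_lines(syslog_lines):
    """Return the syslog lines that carry a Firebox kernel oops marker."""
    return [ln for ln in syslog_lines
            if "kernel:" in ln and any(m in ln for m in OOPS_MARKERS)]

# Constructed sample: 12,000 ICMP packets in 0.6 s, then a trickle of TCP.
SAMPLE_PACKETS = ([(i * 0.00005, "icmp") for i in range(12_000)]
                  + [(1.0 + i * 0.1, "tcp") for i in range(20)])

SAMPLE_SYSLOG = [  # constructed, modelled on the oops lines in the advisory
    "Apr  5 07:25:14 firebox kernel:  Unable to handle kernel paging request at virtual address c4000000",
    "Apr  5 07:25:14 firebox kernel:  Oops: 0000",
    "Apr  5 07:25:14 firebox kernel:  Aiee, killing interrupt handler",
    "Apr  5 07:25:15 firebox sshd[42]: accepted connection",
]

if __name__ == "__main__":
    for proto, start, end in find_bursts(SAMPLE_PACKETS):
        print(f"burst: {proto} reached {BURST_THRESHOLD} packets between "
              f"t={start:.3f}s and t={end:.3f}s")
    for ln in oops_lines(SAMPLE_SYSLOG):
        print("oops:", ln)
```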

---------------------------=[Workaround]=-----------------------------
Obtaining version 4.6 requires a LiveSecurity membership:
http://www.watchguard.com/support

Information about LiveSecurity can be obtained from the vendor:
http://www.watchguard.com

-------------------------=[Vendor Response]=--------------------------
The vendor was contacted on February 23rd, 2001, and an update was
released on March 24th, 2001.

======================================================================
            This release was brought to you by Defcom Labs

              labs@defcom.com             www.defcom.com
======================================================================