Initial Publication Date: 3 Jul 2002
Advisory Status: Closed
Advisory Severity: Low
Legacy ID:
Symantec Enterprise Firewall uses a stripped-down version of the Apache HTTP Web Server as an integral part of the Out-of-Band Authentication (OOBA) mechanism. On June 17, 2002, CERT reported a remotely exploitable vulnerability in the way that Apache Web servers (or other Web servers based on Apache source code) handle data encoded in chunks. While investigating the impact of this issue, Symantec engineers discovered that, if enabled, the Symantec Enterprise Firewall OOBA service could be susceptible to a denial of service (DoS) attack.
OOBA uses an Apache HTTP Web Server to facilitate user authentication to the firewall. If the Apache Web server on the firewall is attacked with a chunk-encoding buffer overflow attack, the HTTP server will abort. As a result, the firewall will restart the service. Because restarting the service consumes system resources, a continuous attack on the service will put unnecessary stress on the firewall that could affect system availability to legitimate users. The impact of such an attack would result only in a DoS.
OOBA allows security administrators to define user-based policies for protocols that do not inherently support authentication. For example, using OOBA you can create a rule that allows inbound ICMP (Ping) connections for the security administrator. To enable the connection, the administrator connects to a hardened Apache server running on the firewall and authenticates to the firewall using a Web browser. Once authenticated, the firewall allows connection requests associated with that user session.
The Apache HTTP Web Server used by the firewall OOBA service can be susceptible to a denial of service attack using the recently discovered chunk-encoding stack overflow. For a more detailed description of this issue, please read the following Symantec Security Response Advisory or CERT Advisory CA-2002-17.
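The chunk-size handling the advisory describes, as an added illustration that is not code from Symantec, Apache or the advisory: a bounds-checked Python decoder for HTTP/1.1 chunked transfer encoding that rejects malformed or oversized chunk-size fields with an error instead of trusting them, which is the failure class behind the crash-and-restart cycle described above. The MAX_CHUNK and MAX_BODY limits and the sample messages are constructed for illustration.

```python
# Added example: a defensive decoder for HTTP/1.1 chunked transfer
# encoding. Every declared chunk size is validated against fixed limits
# and against the bytes actually present, so a hostile size field is
# reported as a protocol error rather than driving a buffer copy.
MAX_CHUNK = 64 * 1024        # illustrative per-chunk limit (constructed)
MAX_BODY = 1024 * 1024       # illustrative total-body limit (constructed)
HEX_DIGITS = b"0123456789abcdefABCDEF"


def parse_chunk_size(line: bytes) -> int:
    """Parse a chunk-size line, ignoring any chunk extension after ';'.
    Only a plain, non-negative hex number within MAX_CHUNK is accepted."""
    size_field = line.split(b";", 1)[0].strip()
    if not size_field or not all(c in HEX_DIGITS for c in size_field):
        raise ValueError(f"malformed chunk size: {line!r}")
    size = int(size_field, 16)          # unsigned parse: no negative wraparound
    if size > MAX_CHUNK:
        raise ValueError(f"chunk size {size} exceeds limit {MAX_CHUNK}")
    return size


def decode_chunked(data: bytes) -> bytes:
    """Decode a complete chunked body; raise ValueError on any inconsistency."""
    body = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = parse_chunk_size(data[pos:eol])
        pos = eol + 2
        if size == 0:
            return bytes(body)          # last-chunk reached; trailers ignored here
        if len(data) - pos < size + 2:  # declared size must fit the bytes we hold
            raise ValueError("chunk data shorter than declared size")
        body += data[pos:pos + size]
        if len(body) > MAX_BODY:
            raise ValueError("decoded body exceeds limit")
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def decode_or_reject(data: bytes):
    """Wrapper that turns a rejected message into a result instead of a crash."""
    try:
        return ("ok", decode_chunked(data))
    except ValueError as err:
        return ("rejected", str(err))


GOOD_BODY = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"      # constructed valid body
BAD_BODY = b"ffffffff\r\nAAAA\r\n0\r\n\r\n"             # constructed oversized size
```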
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2002-0392 to the Apache Chunk-Encoded HTTP request Buffer Overflow.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
By default, OOBA is disabled out-of-the-box on all firewall installations and the Apache HTTP Web Server is not started. If your security policy does not require user-authentication for protocols that do not inherently support in-band authentication, do not enable OOBA. No further action is necessary.
If, however, you enable the OOBA service for out-of-band authentication, the Apache HTTP Web Server will be running on the firewall. If this is the case, Symantec recommends that you install the latest OOBA security hotfix that is available through the Symantec Enterprise Support site.
Symantec takes any product issue seriously. If you require the OOBA service as a part of the functionality of your network, ensure that you install the recommended hotfix.
As a best practice, Symantec recommends keeping all operating systems and applications updated with the latest vendor patches. Keeping mission-critical systems updated with all security patches applied reduces risk exposure.