Network Security
Popular firewall vulnerable to denial-of-service attacks
- From: Paul Howell
- Date: Thu Jun 08 06:49:43 2000
At http://www.computerworld.com/home/print.nsf/all/000607E692
Popular firewall vulnerable to denial-of-service attacks
By Ann Harrison
06/07/2000

A security researcher has discovered a flaw in a
popular firewall that he says makes the tool vulnerable
to denial-of-service attacks. The FireWall-1 product,
developed by Checkpoint Software Technologies Ltd. in
Redwood City, Calif., can apparently be disabled by
bombarding the tool with incomplete fragments of data
packets.
Lance Spitzner, a member of the Global Enterprise
Security Team at Sun Microsystems Inc. in Palo Alto,
Calif., said he discovered the flaw on May 27 while
attempting to understand how FireWall-1 handles IP
fragmentation. Spitzner notified Checkpoint, which has
developed a short-term solution and is working on a
long-term fix for the problem.
Spitzner's research findings can be found at
http://www.enteract.com/~lspitz/fwtable.html.
Greg Smith, director of product marketing at Checkpoint,
said the company has developed a workaround solution
for the firewall, which protects a network from
denial-of-service attacks. The workaround is available at
the company's Web site. He said a permanent fix for
the problem will be included in the next release of the
next service pack for FireWall-1 later this month.
No Checkpoint customers have reported being the target
of a denial-of-service attack as a result of the
vulnerability, Smith noted. He downplayed the impact of
potential exploits. "There is no potential for
unauthorized access, no breach of security," said Smith.
"This is just denial of service."
Spitzner said he believes that every installation of
FireWall-1 is vulnerable, regardless of the type of
operating system or the version or patch level of the
installation. But he noted in his research paper that his
work was only tested with Checkpoint FireWall-1
Version 4.1 on Solaris x86 2.7.
According to Spitzner, the attack works because
FireWall-1 doesn't inspect or log fragmented packets
until those packets have first been completely
reassembled. Since packets used in the attack are never
fully assembled, FireWall-1 doesn't inspect or log the
fragments on firewall logs, preventing the tool's rule
base from protecting against the attack. Spitzner added
that there are a number of packet-fragment attack
strategies that use incomplete or illegal fragments,
including an attack program known as jolt2 that sends a
particular string of packet fragments.
"Not only will the firewall be taken out, but it is difficult
to determine why," wrote Spitzner in his advisory. He
added that illegally fragmented packets, such as those
generated by jolt2, may be logged by Unix systems to
/var/adm/messages.
When FireWall-1 is attacked in this fashion, Spitzner
noted, the CPU registers 100% utilization and locks up.
Some systems may also crash. Spitzner noted that the
CPU drain is likely the result of the application
attempting to reassemble hundreds or thousands of
incomplete and illegally fragmented packets.
Spitzner pointed out that the firewall doesn't have to be
attacked directly. If fragments are routed through the
firewall for a system behind the firewall, the attack will
still disable FireWall-1.
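The mechanism described above (state held for every partial datagram until it completes, and none of it ever completing) can be shown with a small simulation. The following is an added illustration written for this archive page, not FireWall-1 code or anything from Spitzner's paper; the fragment records, the source addresses and the limits (256 pending datagrams, 64 per source, 30-second timeout) are constructed for the example, and the illegal-fragment check is the ordinary bounds check on offset plus length against the maximum datagram size.

```python
# Simulated IP fragment reassembly table (added illustration, not FireWall-1 code).
# Models the failure mode the article describes: a reassembler that keeps every
# partial datagram until it completes holds state that only grows when the
# fragments never complete. The bounded variant caps pending datagrams, caps
# them per source address and expires stale entries. All fragments are
# constructed sample data; no packets are sent or received.
from collections import OrderedDict
from dataclasses import dataclass, field

MAX_DATAGRAM = 65535  # largest IPv4 datagram (RFC 791)


@dataclass
class Fragment:
    src: str
    ident: int    # IP identification field shared by all fragments of one datagram
    offset: int   # fragment offset in 8-byte units, as carried in the IP header
    length: int   # payload bytes in this fragment
    more: bool    # "more fragments" flag


@dataclass
class Pending:
    src: str
    first_seen: float
    pieces: dict = field(default_factory=dict)  # byte offset -> length
    total_len: int = -1  # known only once the last fragment (more=False) arrives

    def complete(self) -> bool:
        if self.total_len < 0:
            return False
        covered = 0
        for off in sorted(self.pieces):
            if off != covered:
                return False
            covered = off + self.pieces[off]
        return covered == self.total_len


def is_illegal(frag: Fragment) -> bool:
    """A fragment that would extend past the maximum datagram size can never
    belong to a valid datagram; reject it before it costs any state."""
    return frag.length <= 0 or frag.offset * 8 + frag.length > MAX_DATAGRAM


class ReassemblyTable:
    def __init__(self, max_pending=None, max_per_src=None, timeout=None):
        self.max_pending = max_pending    # None means unbounded (the naive behaviour)
        self.max_per_src = max_per_src
        self.timeout = timeout            # seconds a partial datagram may wait
        self.pending = OrderedDict()      # (src, ident) -> Pending, oldest first
        self.per_src = {}
        self.dropped = 0

    def _remove(self, key):
        entry = self.pending.pop(key)
        self.per_src[entry.src] -= 1

    def _expire(self, now):
        if self.timeout is None:
            return
        for key in [k for k, p in self.pending.items() if now - p.first_seen > self.timeout]:
            self._remove(key)

    def add(self, frag: Fragment, now: float):
        """Return the datagram length if frag completes one, otherwise None."""
        self._expire(now)
        if is_illegal(frag):
            self.dropped += 1
            return None
        key = (frag.src, frag.ident)
        entry = self.pending.get(key)
        if entry is None:
            if self.max_per_src is not None and self.per_src.get(frag.src, 0) >= self.max_per_src:
                self.dropped += 1
                return None
            if self.max_pending is not None and len(self.pending) >= self.max_pending:
                self._remove(next(iter(self.pending)))  # evict oldest rather than grow
            entry = Pending(src=frag.src, first_seen=now)
            self.pending[key] = entry
            self.per_src[frag.src] = self.per_src.get(frag.src, 0) + 1
        entry.pieces[frag.offset * 8] = frag.length
        if not frag.more:
            entry.total_len = frag.offset * 8 + frag.length
        if entry.complete():
            self._remove(key)
            return entry.total_len
        return None


def pending_after_flood(table: ReassemblyTable, n: int, src: str = "192.0.2.10") -> int:
    """Feed n first fragments of n different datagrams (constructed, none ever
    completed), one per second, and report how many the table is still holding."""
    for i in range(n):
        table.add(Fragment(src=src, ident=i, offset=0, length=8, more=True), now=float(i))
    return len(table.pending)
```

With the unbounded table, 5000 never-completed first fragments leave 5000 entries waiting for reassembly, and the cost of scanning and holding them grows with every packet; with the bounded table the same input settles at 31 entries (the 30-second window plus the newest one), and anything beyond the per-source cap is simply dropped. The point is that the limits, not the inspection rules, are what keep the reassembler from being the resource the attacker exhausts.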
Ryan Russell, MIS manager at San Mateo-based security
portal SecurityFocus.com, noted that other firewalls may
have the same problem and vulnerability. "We are
finding that a lot of platforms are vulnerable to jolt2,"
said Russell. "Everybody has a copy who wants it." The
jolt2 program was released several weeks ago.
Russell said the attack can pinpoint IP addresses of
targeted machines and doesn't need a fat Internet pipe
to overwhelm servers with a flood of packets. He said
the jolt2 tool originally affected Windows machines, but
some machines running Linux and BSD operating
systems are also vulnerable. "The firewall is going to
ride on top of those, so until you get the underlying IP
stack fixed by some firewall vendors, you are going to
have issues there," said Russell.
Version 4.1 of FireWall-1, which was released in August
last year, offers an interface for managing one or
multiple firewalls across a corporate network.
According to Spitzner, Checkpoint's short-term solution
is based on the observation that a percentage of CPU
utilization is due to console error messages on some
Unix systems. By disabling FireWall-1 kernel logging,
some CPU utilization will be saved, he wrote. But he
noted that this solution disables all FireWall-1 kernel
logging.
Users of the firewall tool are also advised to make sure
that their operating system has the latest patches.
Spitzner noted that a number of operating systems have
recently released patches that help protect against
fragment attacks.
Spitzner also noted that users can run an
intrusion-detection module such as snort, an
open-source program available at snort.org, which can
be configured to watch for jolt2-style packets. Russell
said the tool is useful to diagnose problems when the
firewall begins running slowly or starts to crash. "If you
put it in front or behind the firewall, whatever direction
the attack is coming from, you at least know what is
going on," said Russell.
When users detect fragment attacks, they can block
their source address at the router. However, Spitzner
advises that this method may not work with packets
with spoofed source addresses.
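The detection and response advice above (watch for fragment floods, then block the source at the router, which fails against spoofed sources) can be turned into a concrete check. The example below is added here and is not from the article, from snort or from Spitzner's paper; the log line format, the addresses and the thresholds (50 incomplete datagrams per source, 200 in total) are constructed for the illustration, and the format is not what Solaris writes to /var/adm/messages. It counts datagrams per source that produced fragments but never a last fragment, and it keeps an aggregate count as well, because that is the count that still fires when every fragment arrives under a different spoofed address.

```python
# Fragment-flood detection over constructed log lines (added illustration).
# Two thresholds are checked: a per-source count of datagrams that never
# completed, which is what a router-level source block needs, and an aggregate
# count over all sources, which still fires when every fragment carries a
# freshly spoofed source and each per-source count stays tiny. The log line
# format below is constructed for this example; it is not what Solaris writes
# to /var/adm/messages nor a FireWall-1 log format.
import re
from collections import Counter

LINE = re.compile(
    r"t=(?P<t>\d+) src=(?P<src>[\d.]+) id=(?P<id>\d+) off=(?P<off>\d+) mf=(?P<mf>[01])"
)


def parse(lines):
    """Turn constructed log lines into (time, src, ident, offset, more_fragments) tuples."""
    records = []
    for line in lines:
        m = LINE.search(line)
        if m:
            records.append((int(m["t"]), m["src"], int(m["id"]), int(m["off"]), m["mf"] == "1"))
    return records


def incomplete_by_source(records):
    """Per source, count datagrams that produced fragments but never a last one (mf=0)."""
    saw_last = {}
    for _, src, ident, _, more in records:
        key = (src, ident)
        saw_last[key] = saw_last.get(key, False) or not more
    counts = Counter()
    for (src, _), done in saw_last.items():
        if not done:
            counts[src] += 1
    return counts


def analyze(lines, per_src_threshold=50, aggregate_threshold=200):
    counts = incomplete_by_source(parse(lines))
    total = sum(counts.values())
    return {
        "offenders": sorted(s for s, c in counts.items() if c >= per_src_threshold),
        "aggregate_alert": total >= aggregate_threshold,
        "distinct_sources": len(counts),
        "incomplete_total": total,
    }


def sample_log(flood: int, spoofed: bool):
    """Constructed sample: one legitimately fragmented datagram from 192.0.2.5
    (completed, so never counted), then `flood` never-completed first fragments,
    either all from one address or each from a different address."""
    lines = ["t=0 src=192.0.2.5 id=77 off=0 mf=1", "t=0 src=192.0.2.5 id=77 off=185 mf=0"]
    for i in range(flood):
        src = f"203.0.{i % 200}.{i // 200 + 1}" if spoofed else "198.51.100.7"
        lines.append(f"t={i + 1} src={src} id={i} off=0 mf=1")
    return lines
```

Run over the single-source sample, analyze() names 198.51.100.7 as the one address worth blocking at the router; over the spoofed sample the offender list is empty, because no address crosses the per-source threshold, yet the aggregate alert still fires on the same volume of incomplete fragments. That is the practical shape of the caveat in the text: a source block is only as useful as the source counts are honest, so the alert that tells you the firewall is under this kind of load should not depend on them.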
Spitzner said Checkpoint is developing a long-term
solution that will be distributed as part of a later
service pack. Spitzner added that this fix wasn't
available for testing when he released his research
data.