Symantec Enterprise Firewall out-of-band authentication (OOBA) denial of service hardening
1014
06 March 2020
03 July 2002
CLOSED
LOW
SUMMARY
Symantec Enterprise Firewall uses a stripped-down version of the Apache HTTP Web Server as an integral part of the Out-of-Band Authentication (OOBA) mechanism. On June 17, 2002, CERT reported a remotely exploitable vulnerability in the way that Apache Web servers (or other Web servers based on Apache source code) handle data encoded in chunks. While investigating the impact of this issue, Symantec engineers discovered that, if enabled, the Symantec Enterprise Firewall OOBA service could be susceptible to a denial of service (DoS) attack.
OOBA uses an Apache HTTP Web Server to facilitate user authentication to the firewall. If the chunk-encoding buffer overflow is used against the Apache Web server on the firewall, the HTTP server will abort. As a result, the firewall will restart the service. Because restarting the service consumes system resources, a continuous attack on the service will put unnecessary stress on the firewall that could affect system availability to legitimate users. The impact of such an attack is limited to a DoS.
AFFECTED PRODUCTS
Components Affected
Raptor Firewall V6.5.3 (Solaris)
Raptor Firewall 6.5 (Windows NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor 1.0, 1.1, and 1.5
Symantec Gateway Security 1.0
ISSUES
Description
OOBA allows security administrators to define user-based policies for protocols that do not inherently support authentication. For example, using OOBA you can create a rule that allows inbound ICMP (Ping) connections for the security administrator. To enable the connection, the administrator connects to a hardened Apache server running on the firewall and authenticates to the firewall using a Web browser. Once authenticated, the firewall allows connection requests associated with that user session.
The Apache HTTP Web Server used by the firewall OOBA service can be susceptible to a denial of service attack using the recently discovered chunk-encoding stack overflow. For a more detailed description of this issue, please read the following Symantec Security Response Advisory or CERT Advisory CA-2002-17.
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2002-0392 to the Apache Chunk-Encoded HTTP request Buffer Overflow.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
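The advisory does not spell out the Apache defect, but the bug class is a decoder that trusts a client-supplied chunk size before copying chunk data into a fixed-size buffer. As an added defensive example (not Symantec's or Apache's code), this strict chunked-body decoder validates every size and every copy before touching the buffer; BODY_MAX and CHUNK_SIZE_MAX are assumed policy limits, and the messages in the comments are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define BODY_MAX 1024          /* fixed output buffer a naive decoder copies into */
#define CHUNK_SIZE_MAX 0x10000 /* assumed policy limit on a single chunk */

/* Return codes: decoded length (>= 0) or one of these negatives. */
enum { DECODE_BAD_SIZE = -1, DECODE_TOO_LARGE = -2, DECODE_TRUNCATED = -3 };

/* Parse a hex chunk-size line such as "1a\r\n" (a ";ext" after the size is
 * skipped). Returns bytes consumed, or 0 if the line is malformed, the value
 * would overflow, or it exceeds CHUNK_SIZE_MAX. The size is never trusted. */
static size_t parse_chunk_size(const char *in, size_t len, size_t *size) {
    size_t i = 0, v = 0;
    int digits = 0;
    while (i < len && isxdigit((unsigned char)in[i])) {
        unsigned char c = (unsigned char)in[i];
        int d = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
        if (v > (CHUNK_SIZE_MAX >> 4)) return 0; /* next digit would exceed limit */
        v = (v << 4) | (size_t)d;
        i++; digits++;
    }
    if (digits == 0 || v > CHUNK_SIZE_MAX) return 0;
    while (i < len && in[i] != '\r') i++;       /* ignore chunk extension */
    if (i + 1 >= len || in[i] != '\r' || in[i + 1] != '\n') return 0;
    *size = v;
    return i + 2;
}

/* Decode a chunked body (e.g. "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n") into
 * out. Returns the decoded length or a negative DECODE_* code. Each copy is
 * checked against both the remaining input and the output capacity. */
long decode_chunked(const char *in, size_t len, char *out, size_t out_cap) {
    size_t pos = 0, total = 0;
    for (;;) {
        size_t sz, n = parse_chunk_size(in + pos, len - pos, &sz);
        if (n == 0) return DECODE_BAD_SIZE;
        pos += n;
        if (sz == 0) return (long)total;            /* terminating zero chunk */
        if (sz > out_cap - total) return DECODE_TOO_LARGE;
        if (sz + 2 > len - pos) return DECODE_TRUNCATED;
        memcpy(out + total, in + pos, sz);
        total += sz; pos += sz;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return DECODE_BAD_SIZE;
        pos += 2;
    }
}
```

A size such as "ffffffff" is rejected as DECODE_BAD_SIZE before any allocation or copy, so a malformed request costs the server a parse error rather than a crash and service restart.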
MITIGATION
Symantec Response
By default, OOBA is disabled out-of-the-box on all firewall installations and the Apache HTTP Web Server is not started. If your security policy does not require user authentication for protocols that do not inherently support in-band authentication, do not enable OOBA. No further action is necessary.
If, however, you enable the OOBA service for out-of-band authentication, the Apache HTTP Web Server will be running on the firewall. If this is the case, Symantec recommends that you install the latest OOBA security hotfix that is available through the Symantec Enterprise Support site.
Symantec takes any product issue seriously. If you require the OOBA service as a part of the functionality of your network, ensure that you install the recommended hotfix.
As a best practice, Symantec recommends keeping all operating systems and applications updated with the latest vendor patches. Keeping mission-critical systems updated with all security patches applied reduces risk exposure.