SUMMARY

Symantec resolved three high-risk vulnerabilities that had been identified in the Symantec Firewall/VPN Appliance 100, 200 and 200R models. The Symantec Gateway Security 320, 360 and 360R are vulnerable to only two of the issues, which have been resolved. Additionally, legacy Nexland Firewall Appliances are affected by these issues.
All of these vulnerabilities are remotely exploitable and can allow an attacker to perform a denial of service attack against the firewall appliance, identify active services in the WAN interface, and exploit one of these services to collect and alter the firewall's configuration. All three vulnerabilities are addressed and resolved in available updated firmware release builds.

AFFECTED PRODUCTS

Affected Components
Symantec Firewall/VPN Appliance 100 (firmware builds prior to build 1.63)
Symantec Firewall/VPN Appliance 200/200R (firmware builds prior to build 1.63)
Symantec Gateway Security 320 (firmware builds prior to build 622)
Symantec Gateway Security 360/360R (firmware builds prior to build 622)
Nexland ISB SOHO Firewall Appliance(firmware builds prior to build 16U)
Nexland Pro100, Pro400 Firewall Appliances (firmware builds prior to build 16U)
Nexland Pro800, Pro800turbo Firewall Appliances (firmware builds prior to build 16U)
Nexland WaveBase Firewall Appliances (firmware builds prior to build 16U)

ISSUES

Details
Rigel Kent Security & Advisory Services notified Symantec of three high-risk vulnerabilities they identified in the Symantec Firewall/VPN Appliance during an assessment. Additional research also shows that the legacy Nexland Firewall Appliances, now supported by Symantec, are also affected. All vulnerabilities are remotely exploitable and could allow an attacker to perform a denial of service (DoS) attack against the firewall appliance, identify active services in the WAN interface, and exploit one of the identified services to collect and alter the firewall's configuration. The Symantec Firewall/VPN Appliances, models 100, 200 and 200R are vulnerable to all three issues. The Nexland ISB SOHO, Pro100, Pro400, Pro800, Pro800turbo and the Nexland WaveBase Firewall Appliances are vulnerable as well to all three reported issues. The Symantec Gateway Security models 320, 360 and 360R are not vulnerable to the Denial of Service issue but have been validated as being vulnerable to the other two issues.

CVE candidate numbers have been requested from The Common Vulnerabilities and Exposures (CVE) initiative. This advisory will be revised as required once CVE candidate numbers have been assigned. These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

MITIGATION

Symantec Response
Symantec confirmed the vulnerabilities mentioned above and coordinated extensively with Rigel Kent Security & Advisory Services to finalize and thoroughly test the fixes for Symantec's affected products.

Symantec has released firmware builds labeled 1.63 for Symantec Firewall/VPN Appliance models100, 200 and 200R. Symantec has also released firmware builds 622 for the Symantec Gateway Security Appliance models 320, 360 and 360R that fix the two issue impacting those products.

Symantec has released firmware build 16U for the Nexland Firewall Appliances that addresses these issues impacting the Nexland appliances.

NOTE: The Symantec Gateway Security 300 series appliances are not vulnerable to the DoS issue.

Symantec strongly recommends customers apply the appropriate firmware for their affected product models/versions immediately to protect against these types of threat.

Product specific firmware and hotfixes are available via the Symantec Enterprise Support site http://www.symantec.com/techsupp.

Symantec is not aware of any active attempts against or organizations impacted by this issue.

ACKNOWLEDGEMENTS

Symantec appreciates the actions of Mike Sues and the Rigel Kent Security & Advisory team in identifying these issues, notifying Symantec, and their extensive cooperation and coordination while Symantec worked to resolve all issues. Symantec also appreciates the efforts of Arthur Hagen, Broomstick.com, in working through Rigel Kent Security & Advisory to identify these issues in the Nexland Appliances.

REVISION

Revision History
12/28/2004 - Added vulnerability and fix information for the legacy Nexland Firewall Appliances prior to firmware release 16U, that are also affected by all three issues described in this advisory. Added update information for firmware build 16U to address the issues in the Nexland Firewall Appliances.