Multiple Symantec Firewall Secure Webserver Timeout DoS
15 Oct. 2002
Summary
There exists a problem in "Simple, secure webserver 1.1", which is shipped with numerous Symantec firewalls. The vulnerability allows a remote attacker to cause the webserver/proxy to stall new incoming requests, effectively causing a denial of service against the product.
An attacker can connect to the proxy server from the outside and issue an HTTP-style CONNECT to a domain with a missing or flawed DNS server. This causes the "Simple, secure webserver 1.1" to wait for a timeout while it tries to contact the DNS server. While it waits, the software does not fork, and therefore queues or drops all new requests coming from other clients. The timeout usually lasts up to 300 seconds. Sending subsequent requests for other hostnames in the same flawed domain will force the "Simple, secure webserver 1.1" to stop processing requests for a long time.
The exploit works regardless of whether the domain name in question is allowed in the ACL.
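A defensive sketch of the two design points the description raises, added here as an example; it is not Symantec's code or its patch. It checks the ACL on the hostname before any DNS lookup and bounds the lookup with a short timeout on a worker thread. All names (`handle_connect`, `host_allowed`, `slow_resolver`), the suffix-style ACL and the timeout values are assumptions made for illustration.

```python
import concurrent.futures as cf
import socket
import time

# Lookups run on worker threads so the request handler can stop waiting
# after `timeout`; if every worker is busy, new lookups queue and time out too.
_POOL = cf.ThreadPoolExecutor(max_workers=8)

def host_allowed(host, acl_suffixes):
    """ACL check on the hostname alone, so it needs no DNS lookup."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in acl_suffixes)

def handle_connect(host, acl_suffixes, resolver=socket.gethostbyname, timeout=2.0):
    """Return (status, address) for a CONNECT request to `host`."""
    if not host_allowed(host, acl_suffixes):
        return ("403 denied by ACL", None)      # rejected before any lookup
    future = _POOL.submit(resolver, host)
    try:
        return ("200 ok", future.result(timeout=timeout))
    except cf.TimeoutError:
        return ("504 DNS timeout", None)        # wait is capped at `timeout`
    except OSError:
        return ("502 DNS failure", None)

# Constructed stand-in for a domain whose DNS server is slow to answer.
def slow_resolver(host):
    time.sleep(1.0)
    return "192.0.2.1"

def demo():
    acl = ["example.com"]                       # constructed sample ACL
    start = time.monotonic()
    results = [
        handle_connect("a.flawed.example", acl, slow_resolver, 0.1),
        handle_connect("www.example.com", acl, slow_resolver, 0.1),
        handle_connect("www.example.com", acl, lambda h: "192.0.2.10", 0.1),
    ]
    return results, time.monotonic() - start

if __name__ == "__main__":
    print(demo())
```

The third request completes while the second request's lookup is still pending on its worker, which is the behaviour the single-process server described above lacks.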
Workarounds:
Apply official patch from Symantec.
Solutions:
Apply official patch from Symantec, or disable Simple, secure webserver.
Vendor status:
Symantec was contacted on 22 August 2002. Symantec promptly tested and confirmed AI-SEC Security's findings, and immediately started working on a patch for their customer base.