COMMAND

    Bordermanager

SYSTEMS AFFECTED

    Bordermanager 3.5

PROBLEM

    Roy Sigurd Karlsbakk found the following. During a recent security
    check/penetration test at a quite large customer in the Oslo area,
    he was able to bypass the IP filter in BorderManager 3.5 and ping
    any host behind it. Being able only to ping through is not a huge
    problem in itself, but Roy fears the hole can be dug larger. The
    interface on "his" side of the firewall had a single filter rule:
    "DENY ANY:ANY".

    After several traditional TCP and UDP scans, he found no way to
    bypass it. He then tried fragmented SYN, NUL, FIN, ACK and
    Xmas-tree scans, which triggered some strange error that allowed
    him to ping any host behind the filter. The problem disappeared
    after an unload/reload of IPFLT.NLM. He was able to reproduce the
    problem, although it does not seem to depend on a specific attack
    sequence. The result was IPFLT.NLM (or something related to it)
    eating a huge amount of memory, thereby crashing the server.

    After the server came back up, Roy managed to reproduce this
    without crashing the server. He found no real pattern in what was
    needed to break through; simply stressing the filter enough seemed
    to be sufficient. This was tested on NetWare 5 SP4 with
    BorderManager 3.5 SP1.

SOLUTION

    Novell has released a patch for the port 2000 DoS-like attack, but
    there is no information on whether it also fixes this leak.