COMMAND
FW-1
SYSTEMS AFFECTED
FW-1
PROBLEM
Lance Spitzner found the following. He identified a major DoS attack
against FW-1: CPU utilization mysteriously hits 100% and the system
locks up. Some systems may also crash, depending on the OS type.
It appears that every installation of FW-1 is vulnerable,
regardless of Operating System type or version/patch level of the
FW-1 installation. However, this has only been tested and
confirmed with ver 4.1 SP1 on the Nokia, and ver 4.1 on the NT and
Solaris x86 platforms. This may also affect other firewalls based
on FW-1 code. If you are running a variant, check it to make sure
you don't have the same problem.
There is NO way to protect against it. Your rulebase cannot stop
this attack. If your rulebase is denying everything, you are
still vulnerable.
FW-1 does NOT log these attacks in the firewall logs. Not only
is the firewall taken out, but it is difficult to determine why.
Illegally fragmented packets (such as those generated by jolt2)
may be logged by Unix systems to /var/adm/messages. For more info
about jolt2 see:
http://oliver.erfi.hr/~crv/security/bugs/mUNIXes/tcpip27.html
Most frag based attacks that use incomplete or illegal fragments
will work, including jolt2. The firewall does not have to be
attacked directly, if the frags are routed through the firewall
for a system behind the firewall, FW-1 is still taken out.
FW-1 does not inspect, nor does it log, fragmented packets until
the packet has first been completely reassembled. Since these
exploit packets are never fully reassembled, they are never
inspected nor logged. Thus, the firewall's own rulebase cannot
be used to protect against the attack. For more information on
FW-1 IP fragmentation reassembly, see
http://www.enteract.com/~lspitz/fwtable.html
The actual CPU utilization is most likely the result of the
application attempting to reassemble hundreds or thousands of
incomplete and illegally fragmented packets. As stated above,
the firewall rulebase cannot block these packets, as they are
never inspected.
Other firewalls may have the same problem and vulnerability.
SOLUTION
CheckPoint has developed a short term solution to the problem. A
percentage of the CPU utilization is due to console error messages
on some Unix systems. By disabling FW-1 kernel logging, some CPU
utilization will be saved. However, this disables all FW-1 kernel
logging, so you will have no capability for logging any firewall
kernel events. At the command line on the firewall, type as root:
fw ctl debug -buf
Ensure the operating system has the latest patches. Most
operating systems have recently released patches that help protect
against fragment attacks.
Run an IDS module (such as snort). When you detect frag attacks,
block the Src at the router (remember, the firewall CANNOT stop
the attack; its rulebase is powerless). However, this method may
not work with spoofed Src packets.
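The detection step above, and the PROBLEM section's point that a
firewall inspecting only fully reassembled datagrams never sees
these fragments, as an added example. This is illustrative code
written for this page, not code from the advisory, CheckPoint,
IP Filter, snort or jolt2. It tracks fragment sets by
(src, dst, IP id), flags single fragments that can never belong
to a valid datagram (reassembled length over 65535, non-final
fragment not a multiple of 8 bytes) before any reassembly, and,
after an assumed 30-second reassembly timeout, flags sets that
never completed (no first fragment, no final fragment, or a hole).
The sources it emits are the "Src" the text says to block at the
router. The packet records, addresses and the "jolt2-style" stream
of repeated tail fragments are constructed, not captured.

```python
# Added example: IP fragment tracker that flags illegal and never-completed
# fragment sets without waiting for reassembly.  Not FW-1 or jolt2 code;
# all packet records below are constructed by hand.
from collections import defaultdict
from dataclasses import dataclass

MAX_IP_LEN = 65535        # IPv4 total length is a 16-bit field
IP_HDR_LEN = 20           # minimum IPv4 header; a conservative lower bound
REASSEMBLY_TIMEOUT = 30.0  # seconds a set may stay incomplete (assumed value)


@dataclass(frozen=True)
class Fragment:
    ts: float        # arrival time in seconds
    src: str
    dst: str
    ip_id: int       # IP identification field
    offset: int      # fragment offset field in 8-byte units, as on the wire
    mf: bool         # "more fragments" flag
    data_len: int    # payload bytes carried by this fragment


def illegal_fragment(f):
    """Reason string if this one fragment can never be part of a valid
    datagram, else None.  Needs no reassembly state, so a packet filter
    can apply it per packet, which is exactly what FW-1 did not do."""
    end = IP_HDR_LEN + f.offset * 8 + f.data_len
    if end > MAX_IP_LEN:
        return f"oversize: reassembled length {end} exceeds {MAX_IP_LEN}"
    if f.mf and f.data_len == 0:
        return "empty non-final fragment"
    if f.mf and f.data_len % 8 != 0:
        # RFC 791: every fragment except the last carries a multiple of 8 bytes
        return f"non-final fragment length {f.data_len} not a multiple of 8"
    return None


def incomplete_reason(frags):
    """Why the fragments of one (src, dst, id) do not form a complete
    datagram, or None if they cover byte 0 through the final fragment."""
    by_off = sorted(frags, key=lambda f: f.offset)
    if by_off[0].offset != 0:
        return "no first fragment (offset 0) ever seen"
    if all(f.mf for f in by_off):
        return "no final fragment (MF=0) ever seen"
    expected = 0
    for f in by_off:
        start = f.offset * 8
        if start > expected:
            return f"hole before byte offset {start}"
        expected = max(expected, start + f.data_len)
    return None


def analyse(fragments, now):
    """Walk fragment records in arrival order.  Returns (findings, block_list):
    findings maps a source address to its distinct reasons; block_list is the
    sorted set of sources a router ACL should drop.  Spoofed sources defeat
    the block list, as the advisory notes, but not the detection itself."""
    findings = defaultdict(set)
    sets = defaultdict(list)
    for f in fragments:
        reason = illegal_fragment(f)
        if reason:
            findings[f.src].add(reason)
        sets[(f.src, f.dst, f.ip_id)].append(f)
    for (src, dst, ip_id), frags in sets.items():
        if now - min(f.ts for f in frags) < REASSEMBLY_TIMEOUT:
            continue  # still within the reassembly window, not yet suspicious
        reason = incomplete_reason(frags)
        if reason:
            findings[src].add(f"id {ip_id} to {dst}: {reason}")
    findings = {src: sorted(r) for src, r in findings.items()}
    return findings, sorted(findings)


# Constructed sample traffic, not a real capture:
#  192.0.2.10   sends a proper two-fragment datagram (1480 + 20 bytes);
#  203.0.113.7  repeats one tail fragment with no first fragment, loosely
#               modelled on the jolt2 pattern described in the advisory;
#  198.51.100.5 sends a final fragment whose offset+length overruns 65535.
SAMPLE = [
    Fragment(0.0, "192.0.2.10", "192.0.2.1", 100, 0, True, 1480),
    Fragment(0.1, "192.0.2.10", "192.0.2.1", 100, 185, False, 20),
] + [
    Fragment(1.0 + i * 0.01, "203.0.113.7", "192.0.2.1", 1109, 8000, False, 8)
    for i in range(50)
] + [
    Fragment(2.0, "198.51.100.5", "192.0.2.1", 7, 8190, False, 100),
]

if __name__ == "__main__":
    findings, block = analyse(SAMPLE, now=60.0)
    for src, reasons in findings.items():
        for why in reasons:
            print(src, why)
    print("block at router:", block)
```

Running it reports 203.0.113.7 for a fragment set with no first
fragment and 198.51.100.5 for an oversize fragment (and, once the
timeout passes, an incomplete set), while 192.0.2.10 is left
alone. The per-packet checks in illegal_fragment are the ones a
router or IDS can apply immediately; the timeout-based checks need
the same state a reassembler keeps, which is the state an attacker
exhausts.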
CheckPoint is developing a long term solution, which will be
distributed as part of a later Service Pack. However, this fix
was not available for testing at the time of this advisory.
IP Filter doesn't do any packet reconstruction for fragmentation,
nor does it output large amounts of messages to the console. It
will let you block/log them to your heart's content and at the
same time supports passing through fragments that are seen to be
part of kept state (limitations apply) without needing to
defragment anything. Consequently there are the usual DoS issues
with full tables, etc. - there is only so much you can do. For the
most part, the Internet is largely fragment free, so blocking them
is a real solution/alternative.