COMMAND
Firewall-1
SYSTEMS AFFECTED
All versions of Firewall-1 4.1 on Solaris 2.x using a limited-IP license
PROBLEM
Tim Hall found following. He has identified a denial of service
attack that can be launched against Firewall-1 that has identical
results to the IP fragmentation attack identified by Lance
Spitzner.
Firewall CPU hits 100% utilization, console locks up, a reboot
only temporarily solves the problem.
Probably vulnerable are all versions of Firewall-1 4.1 using a
limited-IP license on Nokia IPSO, possibly other variants of Unix.
On firewall modules with a limited-IP license, Firewall-1 counts
the number of unique source IP addresses entering all non-outside
interfaces. The outside interface typically is Internet-facing.
If more IP addresses are counted that the firewall module is
licensed for, a warning message is output to the firewall's
console. In 4.1, the warning includes a list of all IP addresses
counted in the Firewall-1 licensing calculation. The 4.0 message
only included the number of IP addresses corresponding to the
licensed limit.
By sending a large number of packets with spoofed source addresses
to any inside interface, enough addresses will be included in the
console output to cause a new warning message to be issued before
the previous one can finish. As a result the console device will
be overrun and begin to consume large amounts of CPU time. This
output makes the console virtually unusable making it more
difficult to recover from this situation.
There is no way to block this behavior in the rule base. Even if
the spoofed packets in question are dropped explicitly by a rule
or implicitly by antipspoofing they will still be included in the
license calculation. A reboot will not clear this problem either,
since Firewall-1 will begin sending the license violation messages
to the console immediately upon rebooting. Clearing the license
count as described at PhoneBoy's site will help temporarily, but
if the flood of spoofed packets continues Firewall-1 will rapidly
end up in the same state again.
To reproduce this vulnerability these two conditions must both be
true:
1) The firewall module has to have a limited-IP license
2) An attacker has to be able to route packets to any inside
interface of the firewall. Note that this could include DMZ
interfaces as well as the "inside" network; only the single
defined outside interface is impervious. Also note that the
packets do not have to be accepted by the firewall's security
policy.
Any tool that can send a stream of packets with random, unique
source IP addresses can be used to reproduce this problem. The
SYN flooder synk4.c is an excellent example. In testing Tim found
that once the firewall module was attempting to output
approximately 6,000 IP addresses to the console it would be
overrun. On a high-speed LAN a SYN flooder could send this amount
of traffic in seconds.
SOLUTION
Firewall-1 4.0 (all service packs) and earlier are bug free.
Similar to the IP Frag attack, issuing a 'fw ctl debug -buf' will
prevent this console logging from consuming excessive CPU. While
many firewall administrators installed this workaround earlier to
combat the frag problem, it was probably removed from the fwstart
script when they upgraded to SP2 or later.
CheckPoint confirmed that it is indeed a problem and recommend
using the 'fw ctl debug -buf' workaround as an immediate solution.
CheckPoint is currently researching a more permanent solution to
the problem and will include the solution in a further release.