COMMAND

    Firewall-1

SYSTEMS AFFECTED

    All versions of Firewall-1 4.1 on Solaris 2.x using a limited-IP license

PROBLEM

    Tim Hall found the following.  He has identified a denial of service
    attack that can be launched against Firewall-1 and that has identical
    results to the IP fragmentation attack identified by Lance Spitzner.

    Firewall CPU  hits 100%  utilization, console  locks up,  a reboot
    only temporarily solves the problem.

    Probably vulnerable  are all  versions of  Firewall-1 4.1  using a
    limited-IP license on Nokia IPSO, possibly other variants of Unix.

    On firewall modules with  a limited-IP license, Firewall-1  counts
    the number of unique source IP addresses entering all  non-outside
    interfaces.  The  outside interface typically  is Internet-facing.
    If more IP addresses are counted than the firewall module is licensed
    for, a warning message is output to the firewall's console.  In 4.1,
    the warning includes a list of all IP addresses counted in the
    Firewall-1 licensing calculation.  The 4.0 message only included the
    number of IP addresses corresponding to the licensed limit.

    By sending a large number of packets with spoofed source addresses
    to any inside interface, enough addresses will be included in  the
    console output to cause a new warning message to be issued  before
    the previous one can finish.  As a result the console device  will
    be overrun and begin to consume  large amounts of CPU time.   This
    output  makes  the  console  virtually  unusable  making  it  more
    difficult to recover from this situation.

    There is no way to block this behavior in the rule base.  Even if the
    spoofed packets in question are dropped explicitly by a rule or
    implicitly by antispoofing, they will still be included in the
    license calculation.  A reboot will not clear this problem either,
    since Firewall-1 will begin sending the license violation messages to
    the console immediately upon rebooting.  Clearing the license count
    as described at PhoneBoy's site will help temporarily, but if the
    flood of spoofed packets continues, Firewall-1 will rapidly end up in
    the same state again.

    To reproduce this vulnerability these two conditions must both  be
    true:

    1) The firewall module has to have a limited-IP license
    2) An  attacker has  to be  able to  route packets  to any  inside
       interface of the  firewall.  Note  that this could  include DMZ
       interfaces as  well as  the "inside"  network; only  the single
       defined outside interface  is impervious.   Also note that  the
       packets do not have to  be accepted by the firewall's  security
       policy.

    Any tool  that can  send a  stream of  packets with random, unique
    source IP addresses  can be used  to reproduce this  problem.  The
    SYN flooder synk4.c is an excellent example.  In testing Tim found
    that  once   the  firewall   module  was   attempting  to   output
    approximately  6,000  IP  addresses  to  the  console  it would be
    overrun.  On a high-speed LAN a SYN flooder could send this amount
    of traffic in seconds.
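    The following is an added example, not code from the advisory, from
    Tim Hall or from Check Point.  It models the limited-IP license
    counter described above (every unique source address entering a
    non-outside interface is counted, whether or not the rule base
    accepts the packet) and pairs it with the check a defender would
    want: per-interface counting of unique sources in a time window, so
    that a burst of spoofed addresses on an inside or DMZ interface is
    flagged before the console is overrun.  The interface names (le0,
    le1, le2), the licensed limit of 250, the window size and the sample
    packet records are all constructed for illustration; only the
    figure of roughly 6,000 addresses comes from the advisory.

```python
"""Toy model of Firewall-1 4.1 limited-IP license counting plus a
detector for a spoofed-source burst on inside interfaces.

Added example; not Check Point code.  Interface names, the licensed
limit and all packet records below are constructed assumptions."""
from collections import defaultdict

LICENSED_LIMIT = 250        # assumed licensed number of inside IP addresses
OUTSIDE_IF = "le0"          # assumed name of the single Internet-facing interface
OVERRUN_THRESHOLD = 6000    # advisory: ~6,000 listed addresses overran the console


def count_licensed_ips(packets, outside_if=OUTSIDE_IF):
    """Return the set of unique source IPs the license calculation counts.

    As the advisory describes, the packet's fate in the rule base (accept
    or drop, including antispoofing drops) is irrelevant: anything that
    enters a non-outside interface is counted.  Only the outside interface
    is exempt."""
    seen = set()
    for pkt in packets:
        if pkt["iface"] != outside_if:
            seen.add(pkt["src"])
    return seen


def license_warning(counted, limit=LICENSED_LIMIT):
    """Model the 4.1 console warning, which lists every counted address.

    Returns None while the count is within the license; otherwise a
    message whose length grows with the number of counted addresses,
    which is exactly what lets the console be overrun."""
    if len(counted) <= limit:
        return None
    return "license violation: %d > %d: %s" % (
        len(counted), limit, " ".join(sorted(counted)))


def console_at_risk(counted, threshold=OVERRUN_THRESHOLD):
    """True once the warning would list enough addresses to overrun the console."""
    return len(counted) >= threshold


def detect_source_spike(packets, outside_if=OUTSIDE_IF, window=60, per_window_limit=100):
    """Detection check: count unique sources per inside interface per window.

    Returns a sorted list of (iface, window_start, unique_count) alerts for
    every window that exceeds per_window_limit.  A limited-IP site knows
    how many inside hosts it has, so a sudden jump far above that number
    on one interface is the signal to look for."""
    buckets = defaultdict(set)
    for pkt in packets:
        if pkt["iface"] == outside_if:
            continue
        key = (pkt["iface"], pkt["ts"] - pkt["ts"] % window)
        buckets[key].add(pkt["src"])
    return sorted((iface, start, len(srcs))
                  for (iface, start), srcs in buckets.items()
                  if len(srcs) > per_window_limit)


def make_sample_traffic():
    """Constructed sample traffic (not captured data).

    120 seconds of normal traffic from 40 inside hosts on le1, outside
    traffic on le0 (never counted), and a 10-second burst of 7,000
    distinct source addresses on the DMZ interface le2 that antispoofing
    drops but the license counter still sees."""
    pkts = []
    for t in range(120):
        for h in range(40):
            pkts.append({"ts": t, "iface": "le1",
                         "src": "10.1.0.%d" % (h + 1), "action": "accept"})
    for t in range(120):
        pkts.append({"ts": t, "iface": "le0",
                     "src": "198.51.100.%d" % (t % 254 + 1), "action": "accept"})
    for t in range(60, 70):
        for j in range(700):
            i = (t - 60) * 700 + j          # 0..6999, each address unique
            src = "172.%d.%d.%d" % (16 + i // 65536, (i // 256) % 256, i % 256)
            pkts.append({"ts": t, "iface": "le2", "src": src, "action": "drop"})
    return pkts


if __name__ == "__main__":
    pkts = make_sample_traffic()
    counted = count_licensed_ips(pkts)
    print("licensed count:", len(counted), "console at risk:", console_at_risk(counted))
    print("alerts:", detect_source_spike(pkts))
```

    Run stand-alone, the model reports a count of 7,040 addresses (the 40
    real hosts plus the 7,000 spoofed ones; the outside-interface traffic
    contributes nothing), a warning far past the 250-address license, and
    a single detection alert for le2 in the window starting at t=60.  The
    design point is that the detector keys on the interface and the
    unique-source rate, not on whether packets were accepted, because
    the advisory is explicit that dropped packets still feed the count.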

SOLUTION

    Firewall-1 4.0 (all service packs) and earlier are not affected by
    this problem.  As with the IP Frag attack, issuing 'fw ctl debug -buf'
    will prevent this console logging from consuming excessive CPU.
    While many firewall administrators installed this workaround earlier
    to combat the frag problem, it was probably removed from the fwstart
    script when they upgraded to SP2 or later.

    CheckPoint confirmed that it is indeed a problem and recommends using
    the 'fw ctl debug -buf' workaround as an immediate solution.
    CheckPoint is currently researching a more permanent solution to the
    problem and will include the solution in a future release.