COMMAND

    ZoneAlarm

SYSTEMS AFFECTED

    ZoneAlarm

PROBLEM

    Wally Whacker found the following.  ZoneAlarm is a very  popular
    personal  firewall  for  Microsoft  Windows computers and is easy
    to use for newbies because it is application based, meaning,  you
    apply network permissions to applications instead of ports.

    Because  it  is  application  based,  Wally  was  wondering how it
    handled ports  that weren't  applications, i.e.,  what about ports
    that are  opened by  the kernel?   He tried  scanning a  ZoneAlarm
    protected  machine  using  various  source  ports  that  are often
    problems for other firewall environments.  What he found was this.

    If one uses port  67 as the SOURCE  port of a UDP  scan, ZoneAlarm
    will let the packet  through and will not  notify the user.   This
    means, that one can UDP  port scan a ZoneAlarm protected  computer
    as if  there were  no firewall  there IF  one uses  port 67 as the
    source port on the packets.  The version Wally tested this on  was
    2.1.10.

    It is strongly suspected port 67 needs to be left open because  it
    is used for DHCP.  On  an earlier version 2.0.26 UDP packets  from
    source port 53 also behaved as  above but this doesn't seem to  be
    the case with this latest version.  The test was this:

        1) Download and install ZoneAlarm version 2.1.10
        2) From another computer (unix, linux, etc) run

           nmap -P0 -p130-140 -sU 192.168.128.88 <- your computer's IP address

           This will run a small UDP scan on the computer.
        3) ZoneAlarm will throw up alarms on these UDP probes
        4) NOW, run nmap -g67 -P0 -p130-140 -sU 192.168.128.88 (Notice
           the -g67 which specifies source  port).  This will run  the
           same test as  above except the  packets will have  a source
           port of 67.
        5) ZoneAlarm will not throw up any alerts AND if you have  any
           services running on those ports, nmap will find them.
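    The behaviour above is what a stateless "admit any UDP datagram whose
    source port is 67" exemption produces.  The following is an added
    example, not code from the advisory or from ZoneLabs: it models that
    weak rule beside a stateful DHCP-aware rule that only admits a reply
    to port 68 after the host itself sent a request, and runs both over a
    constructed DHCP exchange followed by a source-port-67 probe against
    port 135.  The hardened rule is an assumed fix, not ZoneAlarm's.

```python
# Added example, not from the advisory or ZoneLabs: the weak "any UDP datagram
# with source port 67 is admitted" rule beside a stateful DHCP-aware rule.
# Packets are constructed; the hardened rule is an assumed fix, not ZoneAlarm's.
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src_ip sport dst_ip dport")

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
BROADCAST = "255.255.255.255"

def weak_exempt(pkt):
    """Stateless rule modelled on the advisory: every inbound UDP datagram
    whose source port is 67 bypasses the application check (nmap -g67 wins)."""
    return pkt.direction == "in" and pkt.proto == "udp" and pkt.sport == DHCP_SERVER_PORT

class StatefulDhcpFilter:
    """Hardened rule: admit sport 67 -> dport 68 only, and only from a server
    this host has actually sent a DHCP request to (or to broadcast)."""

    def __init__(self):
        self.asked = set()  # server IPs (or BROADCAST) we sent 68 -> 67 to; no expiry here

    def exempt(self, pkt):
        if pkt.proto != "udp":
            return False
        if (pkt.direction == "out" and pkt.sport == DHCP_CLIENT_PORT
                and pkt.dport == DHCP_SERVER_PORT):
            self.asked.add(pkt.dst_ip)  # remember the outstanding request
            return False  # outbound traffic goes through the normal rules
        if pkt.direction == "in" and pkt.sport == DHCP_SERVER_PORT:
            from_known_server = pkt.src_ip in self.asked or BROADCAST in self.asked
            return pkt.dport == DHCP_CLIENT_PORT and from_known_server
        return False

def compare(packets):
    """Return (weak_verdicts, stateful_verdicts) for a packet sequence."""
    stateful = StatefulDhcpFilter()
    return [weak_exempt(p) for p in packets], [stateful.exempt(p) for p in packets]

# Constructed traffic: a DHCP exchange, then a probe reusing source port 67
# against port 135, as the nmap -g67 run in the advisory does.
SAMPLE = [
    Packet("out", "udp", "0.0.0.0", 68, BROADCAST, 67),              # DHCPDISCOVER
    Packet("in", "udp", "192.168.128.1", 67, "192.168.128.88", 68),  # DHCPOFFER
    Packet("in", "udp", "10.0.0.5", 67, "192.168.128.88", 135),      # sport-67 probe
]

if __name__ == "__main__":
    print(compare(SAMPLE))  # ([False, True, True], [False, True, False])
```

    The weak rule admits the probe exactly as it admits the DHCP offer;
    the stateful rule admits the offer and drops the probe.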

SOLUTION

    The  port  67  vulnerability  has  been  eliminated.  The upgraded
    version of ZoneAlarm contains the fix and is available from

        http://www.zonelabs.com/download_ZA.htm

    Previously,  ZoneAlarm  did  not  prevent  TCP or UDP packets from
    entering the computer through port  67.  Port 67 was  deliberately
    left  open  to  avoid  instabilities  encountered  on  Windows  NT
    machines using DHCP.