CVE-2004-0375
CVSS 5.0
Published: 2004-08-18 00:00:00
Last modified: 2016-10-17 22:44:47

[Original] SYMNDIS.SYS in Symantec Norton Internet Security 2003 and 2004, Norton Personal Firewall 2003 and 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 and 1.1 allow remote attackers to cause a denial of service (infinite loop) via a TCP packet with (1) SACK option or (2) Alternate Checksum Data option followed by a length of zero.


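[CNNVD] Symantec Norton Internet Security Personal Firewall Remote Denial of Service Vulnerability (CNNVD-200408-182)

        Symantec Norton Internet Security/Personal Firewall is a desktop firewall system.
        An unspecified security issue exists in Symantec Norton Internet Security/Personal Firewall; a remote attacker can exploit this vulnerability to carry out a denial-of-service attack against systems running the software.
        According to reports, this vulnerability cannot be exploited to execute arbitrary instructions; no detailed vulnerability information is currently available.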
        

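- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)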

cpe:/a:symantec:client_security:1.0 (Symantec Client Security 1.0)
cpe:/a:symantec:client_firewall:5.1.1 (Symantec Client Firewall 5.1.1)
cpe:/a:symantec:norton_internet_security:2003::pro
cpe:/a:symantec:norton_personal_firewall:2003
cpe:/a:symantec:client_security:1.1
cpe:/a:symantec:norton_internet_security:2003
cpe:/a:symantec:norton_personal_firewall:2004
cpe:/a:symantec:client_firewall:5.01 (Symantec Client Firewall 5.01)
cpe:/a:symantec:norton_internet_security:2004::pro
cpe:/a:symantec:norton_internet_security:2004

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0375
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0375
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-182
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=108275582432246&w=2
(UNKNOWN)  BUGTRAQ  20040423 EEYE: Symantec Multiple Firewall TCP Options Denial of Service
http://securitytracker.com/id?1009379
(UNKNOWN)  SECTRACK  1009379
http://securitytracker.com/id?1009380
(UNKNOWN)  SECTRACK  1009380
http://www.eeye.com/html/Research/Upcoming/20040309.html
(UNKNOWN)  MISC  http://www.eeye.com/html/Research/Upcoming/20040309.html
http://www.securityfocus.com/bid/9912
(VENDOR_ADVISORY)  BID  9912
http://www.symantec.com/avcenter/security/Content/2004.04.20.html
(UNKNOWN)  CONFIRM  http://www.symantec.com/avcenter/security/Content/2004.04.20.html
http://xforce.iss.net/xforce/xfdb/15433
(UNKNOWN)  XF  norton-firewalls-dos(15433)
http://xforce.iss.net/xforce/xfdb/15936
(VENDOR_ADVISORY)  XF  symantec-firewall-tcp-dos(15936)

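- Vulnerability Information

Symantec Norton Internet Security Personal Firewall Remote Denial of Service Vulnerability
Medium severity   Other
2004-08-18 00:00:00 2006-08-28 00:00:00
Remote

        Symantec Norton Internet Security/Personal Firewall is a desktop firewall system.
        An unspecified security issue exists in Symantec Norton Internet Security/Personal Firewall; a remote attacker can exploit this vulnerability to carry out a denial-of-service attack against systems running the software.
        According to reports, this vulnerability cannot be exploited to execute arbitrary instructions; no detailed vulnerability information is currently available.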

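- Advisories and Patches

        Vendor patch:
        Symantec
        --------
        The vendor has not yet provided a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version:

        http://www.symantec.com/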

- Vulnerability Information (23846)

Symantec Client Firewall Products 5 SYMNDIS.SYS Driver Remote Denial Of Service Vulnerability (EDBID:23846)
windows dos
2004-03-18 Verified
0 eEye Digital Security Team
N/A
source: http://www.securityfocus.com/bid/9912/info

Symantec Client Firewall has been reported to be prone to a remote denial of service vulnerability. The issue is reported to present itself in the TCP packet processing routines of the affected software.

It is reported that this vulnerability will have a system wide impact, causing Windows GUI and peripherals that are attached to the host to become unresponsive. A hard reset is reported to be required to restore normal functionality to the system.

http://www.exploit-db.com/sploits/23846.tar.gz		

- Vulnerability Information (F33177)

eEye.symantec.txt (PacketStormID:F33177)
2004-04-28 00:00:00
Karl Lynn  eeye.com
advisory,remote,denial of service,tcp
windows
CVE-2004-0375

eEye Security Advisory - eEye Digital Security has discovered a severe denial of service vulnerability in the Symantec Client Firewall products for Windows. The vulnerability allows a remote attacker to reliably render a system inoperative with one single packet. Physical access is required in order to bring an affected system out of this "frozen" state. This specific flaw exists within the component that performs low level processing of TCP packets.

Symantec Multiple Firewall TCP Options Denial of Service

Release Date:
April 23, 2004

Date Reported:
March 9th, 2004

Severity:
High (Remote Denial of Service)

Vendor:
Symantec

Systems Affected:
Symantec Norton Internet Security 2003
Symantec Norton Internet Security 2004
Symantec Norton Internet Security Professional 2003
Symantec Norton Internet Security Professional 2004
Symantec Norton Personal Firewall 2003
Symantec Norton Personal Firewall 2004 
Symantec Client Firewall 5.01, 5.1.1 
Symantec Client Security 1.0

Description:
eEye Digital Security has discovered a severe denial of service
vulnerability in the Symantec Client Firewall products for Windows. The
vulnerability allows a remote attacker to reliably render a system
inoperative with one single packet. Physical access is required in order
to bring an affected system out of this "frozen" state. This specific
flaw exists within the component that performs low level processing of
TCP packets.

Technical Description:
The vulnerability exists in SYMNDIS.SYS when trying to parse through the
TCP Options in a TCP packet.  When an attacker supplies a single TCP
packet with a TCP option of either SACK (05) or Alternate Checksum Data
(0F) followed by a length of 00, the SYMNDIS.SYS driver enters an
infinite loop and causes the operating system to "freeze up" to the
point where it can no longer be accessed outside of the system itself
nor can any part of the GUI be accessed including keyboard and mouse.
The only way to bring the system back online is to hard boot the system
which requires physical access of the system.  The attacker only needs
to send a single packet to any port on the system regardless of whether
or not the port is open. This flaw is still accessible even if the
firewall or IDS are enabled/disabled. Below is a portion of a TCP SYN
packet (total length of 44 bytes) with a bad SACK TCP option.

Sample Packet:
40 00 57 4B 00 00 01 01 05 00
|___| |___| |___| |_________|
  |     |     |        |
  |     |     |    TCP Options
  |     |  Urgent Pointer
  |  Checksum
Window Size

The vulnerable code maintains an offset into the TCP option bytes, and
attempts to advance past a variable-length option by adding its length
to the offset.  If the option's length field is zero, then this will
result in an infinite loop and the machine halts completely.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
Symantec has released a patch for this vulnerability. The patch is
available via the Symantec LiveUpdate service.

This vulnerability has been assigned the CVE identifier CAN-2004-0375.

Credit:
Discovery: Karl Lynn

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/download.html

Greetings:
The entire eEye family, Kelly H., Geoff and Sarah, Mike M. (Tocks),
Dragon IDS crew, Riley's list of firewall vendors, pie in the sky
charts, SCARFACE : Make Way for The Bad Guy!.

Copyright (c) 1998-2004 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com
    

- Vulnerability Information

5596
Symantec Multiple Products Malformed TCP Packet DoS
Remote / Network Access Denial of Service
Loss of Availability
Vendor Verified

- Vulnerability Description

Symantec Client Firewall products for Windows contain a flaw that may allow a remote denial of service. The issue is triggered when an attacker supplies a single TCP packet with an option of either SACK (05) or Alternate Checksum Data (0F) followed by a length of 00, which causes the SYMNDIS.SYS driver to enter an infinite loop and will result in loss of availability for the platform.
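
The option-walking logic described in the advisory, shown as an added example (not code from Symantec, eEye or this database): a bounds-checked walk over the TCP options area that rejects a zero length instead of looping on it. The function name, status codes and the constructed test inputs are assumptions made for illustration; the first input reuses the four option bytes of the advisory's sample packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes for this example. */
enum opt_status { OPT_OK, OPT_TRUNCATED, OPT_BAD_LENGTH, OPT_OVERRUN };

/* Walk a TCP options area of `len` bytes. On error, *bad_off is the offset
 * of the offending option; it is not meaningful when OPT_OK is returned. */
enum opt_status tcp_options_check(const uint8_t *opts, size_t len, size_t *bad_off)
{
    size_t off = 0;
    while (off < len) {
        uint8_t kind = opts[off];
        if (kind == 0)                 /* End of Option List: stop parsing */
            return OPT_OK;
        if (kind == 1) {               /* No-Operation: one byte, no length */
            off++;
            continue;
        }
        *bad_off = off;
        if (len - off < 2)             /* kind present, length byte missing */
            return OPT_TRUNCATED;
        uint8_t optlen = opts[off + 1];
        if (optlen < 2)                /* 0 never advances `off`: the loop the */
            return OPT_BAD_LENGTH;     /* advisory describes; 1 is also invalid */
        if (optlen > len - off)        /* option claims bytes past the header */
            return OPT_OVERRUN;
        off += optlen;                 /* safe: strictly increases, stays <= len */
    }
    return OPT_OK;
}

/* Option bytes of the advisory's sample packet: NOP, NOP, SACK (05), length 00. */
static const uint8_t page_sample[] = { 0x01, 0x01, 0x05, 0x00 };
/* Constructed inputs: Alternate Checksum Data (0F) with length 00, a valid MSS. */
static const uint8_t alt_csum_zero[] = { 0x0F, 0x00, 0x01, 0x01 };
static const uint8_t valid_mss[]     = { 0x02, 0x04, 0x05, 0xB4 };

int main(void)
{
    size_t bad = 0;
    printf("sample:   %d\n", tcp_options_check(page_sample, sizeof page_sample, &bad));
    printf("alt csum: %d\n", tcp_options_check(alt_csum_zero, sizeof alt_csum_zero, &bad));
    printf("mss:      %d\n", tcp_options_check(valid_mss, sizeof valid_mss, &bad));
    return 0;
}
```

A parser written this way treats a length below 2 as a malformed segment to be dropped, so the offset can only move forward and the loop always terminates.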

- Timeline

2004-04-20 Unknown
Unknown 2004-04-20

- Solution

Vendor has released a patch for this vulnerability. The patch is available via the Symantec LiveUpdate service.

- Related References

- Vulnerability Author

- Vulnerability Information

Symantec Client Firewall Products SYMNDIS.SYS Driver Remote Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 9912
Yes No
2004-03-18 12:00:00 2009-07-12 03:06:00
This issue was discovered by eEye Digital Security.

- Affected Program Versions

Symantec Norton Personal Firewall 2004
Symantec Norton Personal Firewall 2003
Symantec Norton Internet Security 2004 Professional Edition
Symantec Norton Internet Security 2004
Symantec Norton Internet Security 2003 Professional Edition
Symantec Norton Internet Security 2003
Symantec Client Security 1.1
Symantec Client Security 1.0
Symantec Client Firewall 5.1.1
Symantec Client Firewall 5.01

- Vulnerability Discussion

Symantec Client Firewall has been reported to be prone to a remote denial of service vulnerability. The issue is reported to present itself in the TCP packet processing routines of the affected software.

It is reported that this vulnerability will have a system wide impact, causing Windows GUI and peripherals that are attached to the host to become unresponsive. A hard reset is reported to be required to restore normal functionality to the system.

The information in this BID was consolidated from BID 10204 as both of these BIDs represented the same issue. BID 10204 is being retired.

- Exploit

The following exploit code has been provided by warlord:

- Solution

It is reported that a fix for this vulnerability is available through the Symantec LiveUpdate service. Customers are advised to run LiveUpdate to address this issue.

- Related References
