OpenConnect Webconnect MS-DOS device name denial-of-service

2005-02-21T00:00:00
ID VU:552561
Type cert
Reporter CERT
Modified 2005-02-21T00:00:00

Description

Overview

OpenConnect WebConnect may stop responding after processing an HTTP request with an MS-DOS device name in it.

Description

OpenConnect Webconnect provides secured web access and emulation services for backend mainframes and UNIX servers. Versions of Webconnect prior to 6.4.5 and 6.5.1 running on Windows OS may stop responding after processing an HTTP GET or POST request with an MS-DOS device name in it. All HTTP and emulation services supported by Webconnect may be affected after such an attack.


Impact

OpenConnect WebConnect running on Windows OS may experience a denial-of-service condition after processing MS-DOS device names in HTTP requests.


Solution

Affected sites should upgrade to a corrected version of WebConnect, versions 6.4.5 and 6.5.1. Licensed users can send mail to OpenConnect technical support mailto: ocs_support@oc.com, or call +1-972-888-0678.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
OpenConnect| | 21 Dec 2004| 20 Feb 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.cirt.dk/advisories/cirt-29-advisory.pdf>
  • <http://www.openconnect.com/solutions/webconnect.jsp>

Credit

Thanks to Dennis Rand of the Danish Computer Incident Response Team for reporting this vulnerability.

This document was written by Jeff S Havrilla, with contributions from Dennis Rand and the OpenConnect WebConnect Development team.

Other Information

  • CVE IDs: CAN-2004-0466
  • Date Public: 21 Feb 2005
  • Date First Published: 21 Feb 2005
  • Date Last Updated: 21 Feb 2005
  • Severity Metric: 1.06
  • Document Revision: 19