Title: Snapgear Lite+ Firewall Denial of Service
Several issues with the Snapgear Lite+ Firewall could allow a
malicious user to cause a Denial of Service situation, where part
of or all of the Firewall would cease to function.
Quoted from the vendor's webpage:
"The SnapGear LITE+ is an ethernet/broadband VPN router, with one
10/100BaseT WAN port, one 4-port 10/100BaseT switch on the LAN,
and one serial port that can have a modem attached for narrowband
fallback to dial-out."
There are four general areas in which we found problems with the
way the Snapgear Firewall handled malicious traffic:
HTTP)
If external web management had been enabled, creating 50 connections
to the web port and cycling through them would result in the
firewall crashing. In V1.5.4 this would only result in web management
crashing.
PPTP)
If PPTP had been enabled, creating 50 connections to the PPTP port and
cycling through them would result in the firewall crashing.
IPSEC)
Sending a 0 length UDP packet to UDP port 500 would result in IPSEC
exiting. This would result in IPSEC no longer working. This issue was
resolved in v1.5.4.
IP-OPTIONS)
Sending a stream of approx. 7000 packets with malformed IP options
through the firewall would result in the firewall crashing. This
stream could be sent from the internal network or externally.
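The IPSEC and IP-OPTIONS conditions above can be recognised from packet headers alone. The following is an added detection example, not part of the original advisory or of any vendor code. The advisory does not say which option malformation was used, so the check assumes the basic type/length consistency rules of RFC 791; the names check_ipv4, build_ip and udp are hypothetical, and the sample packets are constructed.

```python
import struct

def check_ipv4(pkt: bytes) -> list:
    """Return a list of findings for one raw IPv4 packet (no link-layer header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        return ["bad-header-length"]
    findings = []
    i = 20                                  # options occupy bytes 20..ihl
    while i < ihl:
        opt = pkt[i]
        if opt == 0:                        # End of Option List
            break
        if opt == 1:                        # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= ihl:                    # no room for the length byte
            findings.append("ip-option-truncated")
            break
        olen = pkt[i + 1]
        if olen < 2 or i + olen > ihl:      # too short, or overruns the header
            findings.append("ip-option-bad-length")
            break
        i += olen
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if pkt[9] == 17 and frag_offset == 0 and len(pkt) >= ihl + 8:
        _sport, dport, ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
        if dport == 500 and ulen == 8:      # UDP length 8 = header only
            findings.append("udp500-empty")
    return findings

def build_ip(options: bytes, payload: bytes) -> bytes:
    """Constructed test packet: UDP over IPv4, checksum left at 0 (not checked)."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return hdr + options + payload

def udp(dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data

# Constructed samples (documentation addresses, not captured traffic).
EMPTY_IKE = build_ip(b"", udp(500, b""))
BAD_OPTION = build_ip(bytes([7, 0, 0, 0]), udp(53, b"abcd"))
CLEAN = build_ip(bytes([1, 1, 1, 0]), udp(500, b"abcd"))

if __name__ == "__main__":
    for name, pkt in (("EMPTY_IKE", EMPTY_IKE), ("BAD_OPTION", BAD_OPTION), ("CLEAN", CLEAN)):
        print(name, check_ipv4(pkt))
```

A sustained rate of "ip-option-*" findings from one source, or any "udp500-empty" finding, is the signal to alert on or drop upstream of an unpatched unit.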
You can visit the vendor's webpage here: http://www.snapgear.com
The vendor was contacted about the first issue on the 14th of
February, 2002 and subsequently on the 7th of March, 2002 about
the remaining issues. On the 10th of April, 2002 we received a
beta version of v1.6.0, which corrected the issues. On the 2nd
of May, 2002 we received notification that V1.6.0 had been
released.
Install firmware version 1.6.0, which is available here:
http://www.snapgear.com/downloads.html
Authors:
Andreas Sandor ([email protected]) & Peter Gründl ([email protected])