-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
SonicWall Firewall/VPN Appliance
SonicWALL's family of Internet security appliances provide the first line of defense against Internet security threats. They include an ICSA- certified, stateful packet inspection firewall, IPSec VPN for remote access, IP address management features, and support for SonicWALL value- added security services.
Vulnerability: DoS, ARP Flood, Network mapping
Date of discovery: January 26th, 2004
Reported to SonicWall: January 27th, 2004
Confirmed by SonicWall: February 16th, 2004
Release date: March 1st, 2004
Product: SonicWall Firewall/VPN Appliance
Tested vulnerable Firmware Revisions:
126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199
Tested but Not vulnerable:
Sonic OS 2.0 and above
Firmware patch: Available. Customers must call SonicWall tech support for more details
Problem #1: When the device encounters an ARP request on its External (WAN) interface the SonicWall will check its Internal interface (LAN) ARP Cache to see if knows about the requested IP. Upon finding the requested IP in its ARP Cache the Sonic Wall will respond with an ARP reply on behalf of the IP being ARPed.
Problem #2 If the Sonic Wall does not find the IP in its ARP Cache and the IP being ARPed is part of a network that is attached to the LAN interface of the Sonic Wall, it will proxy the ARP request from the WAN interface through to the LAN interface.
Problem #3 For each single ARP request that the Sonic Wall proxies from the WAN interface it will make 3 ARP broadcast requests on the LAN side, effectively amplifying each WAN received request at a 3:1 ratio.
The ARP cache of a Sonic Wall running one of the above firmwares has a 20 minute life time. This bypasses all rule sets on the firewall. There is no logging of Successful ARP requests or replies, so this type of IP enumeration can go unnoticed. If the SonicWall does not have the requested IP in its ARP cache and the IP is not alive on the LAN side of the firewall there will be an entry in the LOG stating that there was an ARP timeout with a source IP of 0.0.0.0 and a destination IP of the IP requested.
-----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.3
wkYEARECAAYFAkBEMtIACgkQsJZ5tw66F035IgCcDOMvtzxvzLxVR0vs0b7Cw5g/2EgA n3GcT46eVdyhpMgjHwSvpmtlUijp =1RFE -----END PGP SIGNATURE-----
Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434
Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427