ID SECURITYVULNS:DOC:5858 Type securityvulns Reporter Securityvulns Modified 2004-03-04T00:00:00
Description
SonicWall Firewall/VPN Appliance
www.sonicwall.com
Product History:
SonicWALL's family of Internet security appliances provide the first
line of defense against Internet security threats. They include an ICSA-
certified, stateful packet inspection firewall, IPSec VPN for remote
access, IP address management features, and support for SonicWALL value-
added security services.
Firmware patch: Available. Customers must call SonicWall tech support
for more details.
Technical details:
Problem #1:
When the device encounters an ARP request on its External (WAN) interface,
the SonicWall checks its Internal (LAN) interface ARP cache to see
if it knows about the requested IP. Upon finding the requested IP in its
ARP cache, the SonicWall responds with an ARP reply on behalf of
the IP being ARPed.
Problem #2:
If the SonicWall does not find the IP in its ARP cache
and the IP being ARPed is part of a network that is attached to the LAN
interface of the SonicWall, it will proxy the ARP request from the WAN
interface through to the LAN interface.
Problem #3:
For each single ARP request that the SonicWall proxies from the WAN
interface, it will make 3 ARP broadcast requests on the LAN side, effectively
amplifying each WAN-received request at a 3:1 ratio.
Misc information:
The ARP cache of a SonicWall running one of the above firmwares has
a 20-minute lifetime.
The behaviour described above bypasses all rule sets on the firewall.
There is no logging of successful ARP requests or replies, so this type
of IP enumeration can go unnoticed.
If the SonicWall does not have the requested IP in its ARP cache and
the IP is not alive on the LAN side of the firewall, there will be an
entry in the log stating that there was an ARP timeout with a source
IP of 0.0.0.0 and a destination IP of the IP requested.
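Because only the timeouts are logged, a sweep shows up in the log as a burst of ARP-timeout entries for addresses that were not alive. As an added example (not part of the original advisory), the Python below groups such entries into bursts and lists the in-range addresses that left no entry. The log line format, the thresholds and all function names are assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed log lines. The line format is an assumption: the advisory only
# says the entry is an ARP timeout with source 0.0.0.0 and the requested IP
# as destination.
SAMPLE_LOG = """\
2004-02-01 10:00:01 ARP timeout src=0.0.0.0 dst=192.168.1.1
2004-02-01 10:00:02 ARP timeout src=0.0.0.0 dst=192.168.1.2
2004-02-01 10:00:03 ARP timeout src=0.0.0.0 dst=192.168.1.3
2004-02-01 10:00:04 ARP timeout src=0.0.0.0 dst=192.168.1.4
2004-02-01 10:00:06 ARP timeout src=0.0.0.0 dst=192.168.1.6
2004-02-01 10:00:08 ARP timeout src=0.0.0.0 dst=192.168.1.8
2004-02-01 11:30:00 ARP timeout src=0.0.0.0 dst=192.168.1.200
"""
LINE_RE = re.compile(r"^(\S+ \S+) ARP timeout src=0\.0\.0\.0 dst=(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_timeouts(text):
    """Return (timestamp, address) for each ARP-timeout entry sourced from 0.0.0.0."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, ipaddress.ip_address(m.group(2))))
    return events

def find_sweeps(events, max_gap=timedelta(seconds=60), min_targets=5):
    """Split events into bursts separated by more than max_gap; keep the bursts
    that time out on at least min_targets distinct addresses."""
    bursts = []
    for ts, ip in sorted(events):
        if bursts and ts - bursts[-1][-1][0] <= max_gap:
            bursts[-1].append((ts, ip))
        else:
            bursts.append([(ts, ip)])
    return [b for b in bursts if len({ip for _, ip in b}) >= min_targets]

def silent_addresses(sweep):
    """Addresses between the lowest and highest timed-out target with no log
    entry. Heuristic (assumes a contiguous sweep): these may have been answered
    from the ARP cache or by a live host, which the firewall does not log."""
    seen = {ip for _, ip in sweep}
    lo, hi = int(min(seen)), int(max(seen))
    return [a for a in map(ipaddress.ip_address, range(lo, hi + 1)) if a not in seen]
```

On the constructed sample, the six timeouts between 10:00:01 and 10:00:08 form one burst, and 192.168.1.5 and 192.168.1.7 are the addresses to review as possibly disclosed.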
Title: SonicWall VPN/Firewall Appliance - DoS, ARP Flood, Network mapping vulnerability
Vulnerability: DoS, ARP Flood, Network mapping
Date of discovery: January 26th, 2004
Reported to SonicWall: January 27th, 2004
Confirmed by SonicWall: February 16th, 2004
Release date: March 1st, 2004
Product: SonicWall Firewall/VPN Appliance
Tested vulnerable Firmware Revisions:
6.5.0.4
6.5.0.3
6.4.0.2
6.4.0.1
6.3.1.4
6.3.1.0
6.2.0.0
Tested but Not vulnerable:
Sonic OS 2.0 and above
Published: 2004-03-04T00:00:00
Source: https://vulners.com/securityvulns/SECURITYVULNS:DOC:5858