KPMG-2002017: Snapgear Lite+ Firewall Denial of Service

[Peter Gründl <pgrundl () kpmg dk>]

--------------------------------------------------------------------

Title: Snapgear Lite+ Firewall Denial of Service

BUG-ID: 2002017
Released: 02nd May 2002
--------------------------------------------------------------------

Problem:
========
Several issues with the Snapgear Lite+ Firewall could allow a
malicious user to cause a Denial of Service situation, where part
of or all of the Firewall would cease to function.


Vulnerable:
===========
- Snapgear Lite+ V1.5.3 (all issues)
- Snapgear Lite+ V1.5.4 (some issues)


Not vulnerable:
===============
- Snapgear Lite+ V1.6.0


Product Description:
====================
Quoted from the vendors webpage:

"The SnapGear LITE+ is an ethernet/broadband VPN router, with one
 10/100BaseT WAN port, one 4-port 10/100BaseT switch on the LAN,
 and one serial port that can have a modem attached for narrowband
 fallback to dial-out."


Details:
========
There are four general areas in which we found problems with the
way the Snapgear Firewall handled malicious traffic:

HTTP)
If external web management had been enabled, creating 50 connections
to the web port and cycling through them would result in the
firewall crashing. In V1.5.4 this would only result in web management
crashing.

PPTP)
If PPTP had been enabled, creating 50 connections to the PPTP port and
cycling through them would result in the firewall crashing.

IPSEC)
Sending a 0 length UDP packet to UDP port 500 would result in IPSEC
exiting. This would result in IPSEC no longer working. This issue was
resolved in v1.5.4.

IP-OPTIONS)
Sending a stream of approx. 7000 packets with malformed IP options
through the firewall would result in the firewall crashing. This
stream could be sent from the internal network or externally.


Vendor URL:
===========
You can visit the vendors webpage here: http://www.snapgear.com


Vendor response:
================
The vendor was contacted about the first issue on the 14th of
February, 2002 and subsequently on the 7th of March, 2002 about
the remainding issues. On the 10th of April, 2002 we received a
beta version of v1.6.0, which corrected the issues. On the 2nd
of May, 2002 we received notification that V1.6.0 had been
released.


Corrective action:
==================
Install firmware version 1.6.0, which is available here:
http://www.snapgear.com/downloads.html


Authors:
Andreas Sandor (asandor () kpmg dk) & Peter Gründl (pgrundl () kpmg dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------