Full Disclosure mailing list archives

RE: Vulnerability ZoneAlarm Pro 4.5.532.000


From: "John LaCour" <jlacour () zonelabs com>
Date: Thu, 29 Jan 2004 13:07:27 -0800

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Zone Labs response concerning a reported Denial of Service 
vulnerability in ZoneAlarm Pro v4.5.532.

Zone Labs is aware of a reported Denial of Service vulnerability in 
ZoneAlarm Pro v4.5.532 as reported by Marko Rogge of German-Secure 
on the Full-Disclosure mailing list on January 28th.  We first 
received this report on Tuesday January 27th.  

Zone Labs has reviewed the test results presented by Mr. Rogge and 
used a similar methodology to try and reproduce his findings.  We 
were unable to do so and, as a result, we do not believe that 
Mr. Rogge's tests indicate that there are any vulnerabilities in 
ZoneAlarm Pro or other Zone Labs products.  

In our own testing, using similarly configured systems, we do see 
an increase in CPU utilization at higher packet rates - up to 
approximately 20%.  However, in no cases does the system become 
unresponsive.  Additionally, the firewall continues to perform its 
job of allowing or denying traffic based on the configured policy.

Zone Labs would also like to point out the connection speed of 
55 Mbps in the test case reported is 50 to 500 times the bandwidth 
available to a typical broadband user.  In real-world scenarios, 
a user's bandwidth would be exhausted prior to the network traffic 
having a significant impact to ZoneAlarm Pro.

Additionally, Mr. Rogge and Mixter did not report the results of 
the system when the ZoneAlarm firewall was not present.  At extreme 
data rates any system's performance will be impaired by a denial 
of service attack regardless of the presence of ZoneAlarm Pro.

In summary, ZoneAlarm Pro users are not vulnerable to a denial of 
service attack as a result of using ZoneAlarm Pro, nor can a denial 
of service attack be used to circumvent ZoneAlarm Pro's protection.

Zone Labs takes security vulnerability issues very seriously and 
welcomes the opportunity to work with the security community.  
While we appreciate Mr. Rogge bringing the matter to our attention, 
we ask that all security researchers contact us on 
security () zonelabs com (as mentioned in all of our security 
advisories), and that in accordance with industry practice, we be 
given up to 7 days to respond before any issues are disclosed 
publicly.  In all cases, Zone Labs will make every attempt possible 
to acknowledge the report within 48 hours.

John LaCour
Zone Labs 
Security Response Team Manager
security () zonelabs com

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBQBl2DqeZbSyAsADEEQImwACg/UWJ64y+IAgs1Nr5I8hTgHcAnzgAoLwu
/axIMKc6zI27IdW4DwrJXCQd
=IXFN
-----END PGP SIGNATURE-----
