ID

VAR-200212-0032


CVE

CVE-2002-2150


TITLE

State-based firewalls fail to effectively manage session table resource exhaustion

Trust: 0.8

sources: CERT/CC: VU#539363

DESCRIPTION

Firewalls from multiple vendors empty state tables more slowly than they are filled, which allows remote attackers to flood state tables with packet flooding attacks such as (1) TCP SYN flood, (2) UDP flood, or (3) Crikey CRC Flood, which causes the firewall to refuse any new connections. Several state-based firewall products contain a vulnerability that allows arbitrary remote attackers to conduct denial-of-service attacks against them. By sending a large number of packets to the firewall and exploiting the way state table entries are created, an attacker can cause the firewall to stop accepting new sessions, leaving it in a denial-of-service (DoS) state. It has been reported that many firewalls do not properly handle certain types of input: firewall systems that maintain state could be attacked and forced into a situation where all service is denied, as a result of certain types of traffic floods. A comprehensive listing of affected products is not available at this time.

A variety of firewall products use a state table to judge whether a received packet belongs to an existing session between two hosts. The firewall removes entries from the state table for several reasons, including session time-out expiration and detection of TCP FIN or TCP RST packets. If new state entries are added faster than the firewall can delete them, a remote attacker can fill all state table buffers; packets for which no session state exists are then refused, no new connections can be established, and the result is a denial of service. Attackers can use the following methods:

TCP SYN FLOOD. In order to establish a TCP connection, the client and server must complete a three-way handshake: the client sends a SYN message to the server, the server responds with a SYN-ACK message, and the client completes the connection by replying with an ACK message, after which data transfer begins. In a SYN FLOOD attack, an attacker sends SYN packets with forged IP source addresses, making the traffic appear to come from many clients. Because the client addresses are forged, the SYN-ACK messages sent to them are discarded, and a large volume of such traffic fills the firewall's state table with forged entries, resulting in a denial of service.

UDP FLOOD. In a UDP FLOOD attack, the attacker sends a large number of small UDP packets with forged source IP addresses. Since UDP is connectionless, there is no session state information (SYN, SYN-ACK, ACK, FIN, or RST) to help the firewall detect abnormal protocol states; a state-based firewall must therefore rely on source and destination addresses to create state table entries and on session timeout values to expire them.

The CRC check is calculated at each network layer and is used to determine whether data has been corrupted in transit. A C2 Flood consists of packets carrying an invalid transport-layer (TCP, UDP) checksum. Since transport-layer checksums play no part in the firewall's own processing, many implementations choose to optimize performance by ignoring them, so if C2..

Trust: 2.7

sources: NVD: CVE-2002-2150 // CERT/CC: VU#539363 // JVNDB: JVNDB-2002-000250 // BID: 6023 // VULHUB: VHN-6533

AFFECTED PRODUCTS

vendor: juniper | model: netscreen screenos | scope: eq | version: 2.7.1r3

Trust: 1.6

vendor: juniper | model: netscreen screenos | scope: eq | version: 3.0.1r1

Trust: 1.6

vendor: juniper | model: netscreen screenos | scope: eq | version: 3.0.1r2

Trust: 1.6

vendor: juniper | model: netscreen screenos | scope: eq | version: 2.7.1r1

Trust: 1.6

vendor: juniper | model: netscreen screenos | scope: eq | version: 2.7.1r2

Trust: 1.6

vendor: juniper | model: netscreen screenos | scope: eq | version: 2.10_r4

Trust: 1.6

vendor: juniper | model: netscreen screenos | scope: eq | version: 2.10_r3

Trust: 1.6

vendor: juniper | model: netscreen screenos | scope: eq | version: 2.7.1

Trust: 1.6

vendor: juniper | model: netscreen screenos | scope: eq | version: 3.0.3_r1.1

Trust: 1.6

vendor: alcatel | model: - | scope: - | version: -

Trust: 0.8

vendor: check point | model: - | scope: - | version: -

Trust: 0.8

vendor: cisco | model: - | scope: - | version: -

Trust: 0.8

vendor: ibm | model: - | scope: - | version: -

Trust: 0.8

vendor: netscreen | model: - | scope: - | version: -

Trust: 0.8

vendor: cisco | model: pix firewall | scope: eq | version: 5.2

Trust: 0.8

vendor: cisco | model: pix firewall | scope: eq | version: 6.0

Trust: 0.8

vendor: cisco | model: pix firewall | scope: eq | version: 6.1

Trust: 0.8

vendor: cisco | model: pix firewall | scope: eq | version: 6.2

Trust: 0.8

vendor: check point | model: vpn-1/firewall-1 | scope: eq | version: 4.1

Trust: 0.8

vendor: check point | model: vpn-1/firewall-1 | scope: eq | version: ng

Trust: 0.8

vendor: netscreen | model: screenos r1.1 | scope: eq | version: 3.0.3

Trust: 0.3

vendor: netscreen | model: screenos r2 | scope: eq | version: 3.0.1

Trust: 0.3

vendor: netscreen | model: screenos r1 | scope: eq | version: 3.0.1

Trust: 0.3

vendor: netscreen | model: screenos r4 | scope: eq | version: 2.10

Trust: 0.3

vendor: netscreen | model: screenos r3 | scope: eq | version: 2.10

Trust: 0.3

vendor: netscreen | model: screenos r3 | scope: eq | version: 2.7.1

Trust: 0.3

vendor: netscreen | model: screenos r2 | scope: eq | version: 2.7.1

Trust: 0.3

vendor: netscreen | model: screenos r1 | scope: eq | version: 2.7.1

Trust: 0.3

vendor: netscreen | model: screenos | scope: eq | version: 2.7.1

Trust: 0.3

vendor: alcatel lucent | model: omniaccess | scope: ne | version: 2500

Trust: 0.3

vendor: alcatel lucent | model: omniaccess | scope: ne | version: 2100

Trust: 0.3

sources: CERT/CC: VU#539363 // BID: 6023 // JVNDB: JVNDB-2002-000250 // CNNVD: CNNVD-200212-425 // NVD: CVE-2002-2150

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2002-2150
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#539363
value: 19.69

Trust: 0.8

NVD: CVE-2002-2150
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200212-425
value: MEDIUM

Trust: 0.6

VULHUB: VHN-6533
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2002-2150
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-6533
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#539363 // VULHUB: VHN-6533 // JVNDB: JVNDB-2002-000250 // CNNVD: CNNVD-200212-425 // NVD: CVE-2002-2150

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2002-2150

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200212-425

TYPE

Design Error

Trust: 0.9

sources: BID: 6023 // CNNVD: CNNVD-200212-425

CONFIGURATIONS

sources: JVNDB: JVNDB-2002-000250

PATCH

title: Top Page | url: http://www.cisco.com/jp/index.shtml

Trust: 0.8

title: Top Page | url: http://www.checkpoint.co.jp/

Trust: 0.8

sources: JVNDB: JVNDB-2002-000250

EXTERNAL IDS

db: CERT/CC | id: VU#539363

Trust: 3.6

db: BID | id: 6023

Trust: 2.8

db: NVD | id: CVE-2002-2150

Trust: 2.5

db: JVNDB | id: JVNDB-2002-000250

Trust: 0.8

db: CNNVD | id: CNNVD-200212-425

Trust: 0.7

db: NSFOCUS | id: 3708

Trust: 0.6

db: XF | id: 10449

Trust: 0.6

db: VULHUB | id: VHN-6533

Trust: 0.1

sources: CERT/CC: VU#539363 // VULHUB: VHN-6533 // BID: 6023 // JVNDB: JVNDB-2002-000250 // CNNVD: CNNVD-200212-425 // NVD: CVE-2002-2150

REFERENCES

url:http://www.kb.cert.org/vuls/id/539363

Trust: 2.8

url:http://www.securityfocus.com/bid/6023

Trust: 2.5

url:http://www.iss.net/security_center/static/10449.php

Trust: 1.7

url:http://www.qorbit.net/documents/maximizing-firewall-availability.pdf

Trust: 0.8

url:http://www.uwsg.iu.edu/usail/network/nfs/network_layers.html

Trust: 0.8

url:http://cr.yp.to/syncookies.html

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2002-2150

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2002-2150

Trust: 0.8

url:http://www.nsfocus.net/vulndb/3708

Trust: 0.6

url:http://www.alcatel.com/

Trust: 0.3

url:http://www.netscreen.com/index.html

Trust: 0.3

sources: CERT/CC: VU#539363 // VULHUB: VHN-6533 // BID: 6023 // JVNDB: JVNDB-2002-000250 // CNNVD: CNNVD-200212-425 // NVD: CVE-2002-2150

CREDITS

Stephen Gill

Trust: 0.6

sources: CNNVD: CNNVD-200212-425

SOURCES

db: CERT/CC | id: VU#539363
db: VULHUB | id: VHN-6533
db: BID | id: 6023
db: JVNDB | id: JVNDB-2002-000250
db: CNNVD | id: CNNVD-200212-425
db: NVD | id: CVE-2002-2150

LAST UPDATE DATE

2024-08-14T15:41:00.912000+00:00


SOURCES UPDATE DATE

db: CERT/CC | id: VU#539363 | date: 2003-01-06T00:00:00
db: VULHUB | id: VHN-6533 | date: 2008-09-05T00:00:00
db: BID | id: 6023 | date: 2002-10-21T00:00:00
db: JVNDB | id: JVNDB-2002-000250 | date: 2007-04-01T00:00:00
db: CNNVD | id: CNNVD-200212-425 | date: 2006-08-23T00:00:00
db: NVD | id: CVE-2002-2150 | date: 2008-09-05T20:32:27.760

SOURCES RELEASE DATE

db: CERT/CC | id: VU#539363 | date: 2002-10-15T00:00:00
db: VULHUB | id: VHN-6533 | date: 2002-12-31T00:00:00
db: BID | id: 6023 | date: 2002-10-21T00:00:00
db: JVNDB | id: JVNDB-2002-000250 | date: 2007-04-01T00:00:00
db: CNNVD | id: CNNVD-200212-425 | date: 2002-10-21T00:00:00
db: NVD | id: CVE-2002-2150 | date: 2002-12-31T05:00:00