Novell BorderManager 3.5 VPN Denial of Service (fwd)

Tina Bird tbird at PRECISION-GUESSWORK.COM
Mon Apr 23 14:29:13 EDT 2001


---------- Forwarded message ----------
Date: Fri, 20 Apr 2001 19:41:31 +0100
From: Richard Bartlett <richard at HACKERIMMUNITY.COM>
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: Novell BorderManager 3.5 VPN Denial of Service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Date Published: April 20th 2001

Advisory ID: HI200101

Bugtraq ID: 2623

CVE CAN: N/A

Title: Novell BorderManager 3.5 VPN Denial of Service

Class: Denial of Service

Remotely Exploitable: yes

Locally Exploitable: yes

Vulnerability Description:

Novell BorderManager is described on Novell's web site as "a powerful
Internet security management suite that offers industry leading
firewall, authentication, virtual private network (VPN), and caching
services to organizations of all sizes."

Client to site VPN services can be halted by a SYN flood attack on
port 353, causing the port to close and the service to cease
functioning until the server is rebooted.

Vulnerable Packages/Systems:

[Confirmed] Novell BorderManager Enterprise Edition 3.5
[Suspected] Novell BorderManager 3.0 - 3.6

Solution/Vendor Information/Workaround:

None provided

Vendor notified on: 15th March 2001
It was specified in the email that the report was being made in
accordance with RDPolicy 2.0.  An automatic response was received
from "The Novell Security Team", but no further communication was
received.

Technical Description:

When using client to site VPN, one of the ports open on the outbound
interface of the BorderManager server is 353, which allows for
initial handshaking between VPN Client & Server to exchange the Keys.

Sending out multiple SYN requests to a port on the server will cause
exhaustion of the available TCP connections on the server.  The
following command will open multiple connections to port 353;

   for /l %%h in (1, 1, 300) do nc -d -z 192.168.1.1 353

Once ~256 connections are made the port fails to respond to further
SYN requests, and the server logs show that all further connections
are refused with the message 'No more TCP/IP client connections are
available'.  Until the server is rebooted or reinitialized all
client-to-site VPN will fail (thereby forcing users to revert to an
unsecure form of data transmission, e.g. FTP or POP3, which both use
clear text passwords).

The server tested on was left for over 48 hours to allow connections
to be freed up by the system, but the port remained closed.

Various measures were taken to resolve the issue.  The server was
patched with NetWare 5.1 Support Pack 2a, BorderManager 3.5 Support
Pack 2 and BorderManager 3.5 Proxy and ACL update. The latest
TCPIP.NLM was in use and the server had TCP Defend SYN Attacks ON.

Solution:

Re-loading VPMASTER.NLM failed to resolve the problem.  Re-loading
AUTHGW.NLM re-opened the port, but client connections still failed.
The only corrective action that consistently resolved the problem was
rebooting the server.  The following did work but not consistently;
(1) Unload VPMASTER.NLM
(2) Unload AUTHGW.NLM
(3) Reinitialize system
(4) Load AUTHGW.NLM
(5) Load VPMASTER.NLM


DISCLAIMER:

The contents of this advisory are copyright (c) Hacker Immunity Ltd,
and may be distributed freely provided that no fee is charged for
this distribution and proper credit is given.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBOuCCVTLlt6EzGMC5EQJ5xgCg2+CC0tsqGRARdOb4QjYNwzvwg4sAnA9k
nSE5CQn2nVEdCylXI3CyAKzV
=CWxx
-----END PGP SIGNATURE-----
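
Added example, not part of the advisory or of any Novell tooling: a monitoring sketch that flags a single source piling up connection attempts on port 353 before the ~256-connection pool described above runs out, and that recognises the server's exhaustion message. The log line format, the 60-second window, the half-pool alert threshold and the 10.0.0.x addresses are assumptions made for illustration.

```python
import re
from collections import Counter, deque

VPN_PORT = 353        # handshake port named in the advisory
POOL_LIMIT = 256      # advisory: port stops answering after ~256 connections
WARN_AT = POOL_LIMIT // 2   # assumption: alert when one source holds half the pool
WINDOW_SECONDS = 60   # assumption: sliding-window length
EXHAUSTED_MSG = "No more TCP/IP client connections are available"

# Constructed log format (assumption): "<epoch> SYN <src_ip> -> <dst_ip>:<port>"
SYN_RE = re.compile(r"^(\d+) SYN (\S+) -> \S+:(\d+)$")


def analyse(lines):
    """Return (alerts, exhausted): per-source SYN bursts and the exhaustion flag."""
    window, counts = deque(), Counter()
    alerts, warned, exhausted = [], set(), False
    for raw in lines:
        line = raw.strip()
        if EXHAUSTED_MSG in line:      # server is already refusing connections
            exhausted = True
            continue
        m = SYN_RE.match(line)
        if not m or int(m.group(3)) != VPN_PORT:
            continue
        ts, src = int(m.group(1)), m.group(2)
        window.append((ts, src))
        counts[src] += 1
        # Drop SYNs that have aged out of the window.
        while window[0][0] <= ts - WINDOW_SECONDS:
            _, old = window.popleft()
            counts[old] -= 1
        if counts[src] >= WARN_AT and src not in warned:
            warned.add(src)
            alerts.append((ts, src, counts[src]))
    return alerts, exhausted


def sample_log():
    """Constructed sample input; addresses other than 192.168.1.1 are made up."""
    lines = ["995 SYN 10.0.0.9 -> 192.168.1.1:353",
             "996 SYN 10.0.0.9 -> 192.168.1.1:80"]
    lines += [f"{1000 + i // 5} SYN 10.0.0.5 -> 192.168.1.1:353" for i in range(130)]
    lines.append(f"1030 TCPIP: {EXHAUSTED_MSG}")
    return lines


if __name__ == "__main__":
    found, exhausted = analyse(sample_log())
    for ts, src, n in found:
        print(f"t={ts} {src}: {n} SYNs to port {VPN_PORT} within {WINDOW_SECONDS}s")
    print("pool exhausted:", exhausted)
```

Because the advisory reports that the port stayed closed for over 48 hours, a slow build-up that stays under the window threshold may still exhaust the pool; a cumulative per-source count is a reasonable second check.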
