3Com Unknown

Updated:  October 10, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Alcatel Not Affected

Notified:  July 23, 2002 Updated: October 08, 2002

Status

Not Affected

Vendor Statement

In relation to this vulnerability on FTP traffic handling, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis has shown that Alcatel products, in particular the OmniAccess 200-series, are not affected. Customers who make use of third-party vendor firewall solutions should check with that vendor. Customers may contact their Alcatel support representative for more details. The security of our customers' networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio against these potential security vulnerabilities in our products and will provide updates if necessary.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Apple Computer Inc. Not Affected

Notified:  July 23, 2002 Updated: October 08, 2002

Status

Not Affected

Vendor Statement

Mac OS X and Mac OS X Server do not contain the vulnerabilities described in this report.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Avaya Not Affected

Notified:  September 26, 2002 Updated: March 05, 2003

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Borderware Not Affected

Updated:  October 15, 2002

Status

Not Affected

Vendor Statement

Our investigations have determined that no BorderWare products are susceptible to the type of attack described in VU#328867.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Check Point Not Affected

Notified:  August 08, 2002 Updated: August 27, 2002

Status

Not Affected

Vendor Statement

We have reviewed the issues raised in VU#3328867. Check Point engineering, after analyzing the information, has concluded that our currently shipping versions, both 4.1 and NG are not vulnerable to this attack. When we fixed the original stateful inspection FTP attack in February of 2000, it addressed this derivative as well.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cisco Systems Inc. Not Affected

Notified:  July 23, 2002 Updated: October 10, 2002

Status

Not Affected

Vendor Statement

Cisco has confirmed that their products are not affected by VU#328867.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Clavister Not Affected

Updated:  October 14, 2002

Status

Not Affected

Vendor Statement

Clavister Firewall: Not vulnerable. This finding was an extended result of our initial work in early 2000 to determine if the command channel of protocols using ephemeral data channels could be safely analyzed without fully reassembling the TCP stream. Our conclusion then was that it is not. There were, and are simply too many hard-to-predict attack vectors.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc. Not Affected

Notified:  July 23, 2002 Updated: October 08, 2002

Status

Not Affected

Vendor Statement

Cray, Inc. is not vulnerable as we provide no software that performs this type of function.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

eSoft Not Affected

Updated:  October 09, 2002

Status

Not Affected

Vendor Statement

eSoft InstaGate is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Unknown

Notified:  July 23, 2002 Updated: October 14, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

FreeBSD includes support for IP Filter (ipf), and can be configured to use IP Filter and/or ipfw. The status of ipfw is currently unknown. For information concerning IP Filter (ipf), please see: IP Filter vendor statement http://www.kb.cert.org/vuls/id/AAMN-5ERQF6 OpenBSD vendor statement http://www.kb.cert.org/vuls/id/AAMN-5EQPEF

Global Technology Associates Not Affected

Updated:  October 16, 2002

Status

Not Affected

Vendor Statement

Global Technology Associates, Inc. has examined this issue and is pleased to report this issue does not impact any versions (current and past) of the GTA firewall products. Products Not Vulnerable: GB-1000 Firewall/VPN Appliance GB-100 Firewall Appliance GB-Flash Firewall RoBoX Firewall Appliance GB-Pro Firewall System GNAT Box Light Firewall System To report potential security vulnerabilities in GTA products, send an E-mail message to: security-alert@gta.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

GNU netfilter Not Affected

Updated:  October 14, 2002

Status

Not Affected

Vendor Statement

The netfilter core team "can positively confirm that we are not affected."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company Not Affected

Notified:  July 23, 2002 Updated: October 16, 2002

Status

Not Affected

Vendor Statement

SOURCE: Hewlett-Packard Company and Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company RE: x-reference SSRT2343 Not Vulnerable: HP-UX HP-MPE/ix HP Tru64 UNIX HP NonStop Servers HP OpenVMS

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Not Affected

Notified:  July 23, 2002 Updated: October 22, 2002

Status

Not Affected

Vendor Statement

The vulnerability that is being referred, is for the firewalls that monitor the application layer data and open the ports. In IBM Firewall's Dynamic PASV ftp, the filter rules for data connections are activated dynamically by monitoring the ftp control connection. The activation of these rules is state based, where in the filter rule needed for a data connection is opened only after the "PASV ----> 227........" handshake completes between the end points. That is, firewall considers "227 ..." reply to a ftp client as valid, only after the corresponding "PASV" command from that ftp client is observed. So, I think IBM-SecureWay firewall is not vulnerable to the attack being referred.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intoto Not Affected

Updated:  October 09, 2002

Status

Not Affected

Vendor Statement

iGateway firewall's TCP re-transmission engine does not let partially acknowledged TCP segment's re-transmissions pass through the firewall, which is a root cause of this vulnerability. This design philosophy makes iGateway firewall withstand these kinds of TCP re-transmission attacks.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IP Filter Affected

Updated:  October 16, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 IPFilter FTP update. Synopsis: In kernel FTP proxy allows access to other ports on FTP server. Versions affected: All prior to 3.4.29 Affected use: proxying to ftp servers. Recommended Action: Upgrade to 3.4.29 if running a version prior and using proxy function to provide FTP server access. Details. It is possible to fool the ftp proxy in earlier versions of IPFilter into thinking that retransmitted text from the ftp server (or client) is a new response and should be processed as such. For people using the inbuilt proxy in the kernel to provide access to ftp servers, this can be used to open up access to any port on the ftp server. For this to be a problem, your ftp server must respond in a manner that essentially echoes, verbatim, text sent to it on the end of a line. See below for a list of known good/bad FTP daemons. If yours isn't known to be good or bad then you are best assuming that it is bad. Monitoring. If you cannot upgrade immediately, or would otherwise like to make sure you can "keep tabs" on this problem, despite the state/nat table entries not being created by a rule, they can still be logged. If you are using ipmon to record all log transactions (-a), its output will include NAT & state table entries created to enable the rogue connection through. If you are not collecting log information on NAT or state transactions, you can enable this by adding "-a" to ipmon's command line options at startup or optionally, record this information to a separate file (with a recommended separate .pid file) like this: ipmon -P /var/run/ipmon-extra.pid -o NS /var/log/ipfnatstate Workarounds. If you cannot upgrade IPFilter, you are advised to examine how your FTP server software behaves. Known safe FTP server software, in this regard are: + ftpd in Sun Solaris/SunOS + ftpd in FreeBSD (upto and including 4.5) + ftpd in OpenBSD (upto and including 3.1) + wsftpd FTP server software that is known to support this attack: + proftpd + warftpd + serv-u + pureftpd + publicfile + ftpd in NetBSD (upto and including 1.6) Another safe work around is to use a user space ftp proxy, such as that provided with the Firewall Toolkit. Discussion on how to do this is beyond the scope of this document. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (SunOS) iD8DBQE9qaNYP7JIXtvLbFURAuB2AKCKJ0gWwEX3SnYMq/ZlEt8JcRABhACeJkvp XRz08wWGODquWd6u3dJv7Zk= =UuHZ -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

IP Filter (ipf) is included with FreeBSD and NetBSD, although ipfw is the somewhat more default firewall for FreeBSD. Please see: OpenBSD vendor statement http://www.kb.cert.org/vuls/id/AAMN-5EQPEF NetBSD vendor statement http://www.kb.cert.org/vuls/id/AAMN-5ERP4W

Microsoft Corporation Not Affected

Notified:  July 23, 2002 Updated: October 09, 2002

Status

Not Affected

Vendor Statement

Our investigations have shown that this vulnerability relies on the firewall behavior to inspect TCP resend packets. ISA makes the inspection in user mode, above the TCP/IP stack, and the resend packets will be ignored silently by TCP/IP and will not pass to ISA inspection (in this case FTP application filter inspection).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation Not Affected

Notified:  July 23, 2002 Updated: March 07, 2003

Status

Not Affected

Vendor Statement

sent on December 4, 2002 [Router Products] IX 1000 / 2000 / 5000 Series - is NOT vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Affected

Updated:  November 11, 2002

Status

Affected

Vendor Statement

I've done some more testing of the proxy and have come to the conclusion that whilst the proxy in ipfilter currently shipped may be vulnerable to the attack described by cert, I don't have an FTP daemon which responds in a manner that makes the attack possible. I've tested against Solaris, SunOS4 and NetBSD. The proxy in 3.4.29 drops the packets that cause the problem with this exploit.

I've tested IPFilter 3.4.27 (same as in -current and is scheduled for 1.6). Whilst this version does allow the sel-ack'd 227 back through, it does not appear to create the necessary state/nat sessions to allow the second data connection through.

In short, IPFilter 3.4.27 does not appear to be vulnerable to *this* exploit. It may be possible to write others which are, but the FTP proxy in IPFilter will progressively become stricter in what it allows, further narrowing opportunities to exploit it in this kind of manner (as can already be seen with 3.4.29.)

[Darren Reed]

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

NetBSD includes IP Filter. Please see: NetBSD Security Advisory 2002-024: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-024.txt.asc OpenBSD vendor statement: http://www.kb.cert.org/vuls/id/AAMN-5EQPEF IP Filter vendor statement: http://www.kb.cert.org/vuls/id/AAMN-5ERQF6

NetScreen Not Affected

Notified:  September 18, 2002 Updated: October 04, 2002

Status

Not Affected

Vendor Statement

NetScreen has examined the behavior of NetScreen firewalls when exposed to this traffic, and our products are not vulnerable to this specific attack.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nortel Networks Not Affected

Notified:  July 23, 2002 Updated: October 11, 2002

Status

Not Affected

Vendor Statement

The following Nortel Networks products use state-based firewall technology but are not affected by the vulnerabilities noted in VU#328867:

The Alteon Switched Firewall is not affected.

There are no issues with the Contivity Platform, this includes the:

Contivity 600/1500/1600/2000/2500/2600/4500/4600
Contivity 1010/1050/1100
Contivity 1700/2700
Contivity software releases 3.5 and beyond including the CVC Client
The Shasta 5000 Broadband Services Node is not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Not Affected

Notified:  July 23, 2002 Updated: October 16, 2002

Status

Not Affected

Vendor Statement

This says OpenBSD, but should not. The problem is in ipf. We told our users for years and years to not use the ipf ftp proxy. That said, we do not have ipf anymore. We've got our own packet filter, pf, which has a userland side proxy agent which is not vulnerable to this at all.

I didn't install an ipf machine, but from looking at the code, I'm pretty sure it's vulnerable to this attack. So I guess the vendor statement could mention that and urge people to upgrade from pre-3.0 versions :) pf is not vulnerable, since it's not aware of the FTP protocol. ftp-proxy is used only for FTP clients behind the firewall. Even if you're running the reverse-ftp-proxy patch (for servers behind pf), it's not vulnerable, since it can't modify pf rules.

OpenBSD >=3.0 uses pf, these notes do not apply to OpenBSD up to 2.9 which used ipf.

In the presence of fragments, it is impossible to fully check the transport checksum without full reassembly (which is also susceptible to a memory resource attack). The OpenBSD PF firewall includes a variety of mechanisms that each can minimize the exposure to not only this attack but a variety of resource starvation attacks:

  1. The use of the normalizer via a SCRUB rule can resolve many ambiguities in the traffic stream. The normalized traffic results in the identical interpretation of the packet from the end host and the firewall.


  2. A dynamically resizeable state table which can be tuned during runtime (within the constraints of kernel memory). ipf, which was included up to OpenBSD 2.9, was vulnerable to this attack.


  3. A choice of several predefined state optimization levels. By enabling the 'Aggressive' state optimization, idle states will be removed from the state table at a much higher rate.


  4. Run-time control over individual timeouts. The administrator can reduce the 'tcp.first' and the 'udp.first' timeouts to as low as her environment deems acceptable (reducing it below 30s may result in additional log entries as valid connections will start to be expired before the reception of the SYN-ACK).


  5. The upcoming OpenBSD 3.2 supports the specification of individual timeouts and the limitation of the quantity of states on a per rule granularity. Thus the administrator can limit her overall exposure to a resource starvation attack down to other connections which match the same rule as the attack.


  6. connection tracking can be enabled or disabled on a per-rule basis, and thus is of course disableable (sp?) completely, too.


For ftp, we have an userland ftp-proxy(8) daemon that is not vulnerable to any of these attacks for the obvious reasons. ipf, which was included up to OpenBSD 2.9, contains a in-kernel ftp proxy which is significantly flawed in this way. However, we did not compile that into the default system because we considered it so flawed.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Versions of OpenBSD prior to 3.0 included IP Filter. See also: IP Filter vendor statement http://www.kb.cert.org/vuls/id/AAMN-5ERQF6 NetBSD vendor statement http://www.kb.cert.org/vuls/id/AAMN-5ERP4W

Secure Computing Corporation Not Affected

Notified:  September 26, 2002 Updated: October 16, 2002

Status

Not Affected

Vendor Statement

This is the official Secure Computing response to CERT Vulnerability Note VU# 328867 "Multiple vendors' firewalls do not adequately keep state of FTP traffic." GAUNTLET (tm) FIREWALL & VPN (5.X and 6.0) Not vulnerable. GAUNTLET E-PPLIANCE FIREWALL & VPN (EPL 1.X and 2.0) Not vulnerable. SIDEWINDER(tm) FIREWALL & VPN (all releases including SIDEWINDER APPLIANCE) Not vulnerable. Secure Computing's defense-in-depth architecture including the SecureOS(tm) operating system and application level proxies protect against this attack and another recent CERT vulnerability that affected lesser firewalls. Please see http://www.securecomputing.com/index.cfm?skey=232 for additional information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SecureWorx Not Affected

Updated:  March 05, 2003

Status

Not Affected

Vendor Statement

We hereby attest that SecureWorx Basilisk Gateway Security product suite (Firmware version 3.4.2 or later) is NOT VULNERABLE to FTP Vulnerability VU#328867.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Stonesoft Not Affected

Notified:  September 26, 2002 Updated: October 08, 2002

Status

Not Affected

Vendor Statement

Stonesoft's StoneGate high availability firewall and VPN product handles the FTP protocol with its FTP protocol agent. No versions of StoneGate and its FTP protocol agent are vulnerable to the attacks described in this advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems Inc. Not Affected

Notified:  September 24, 2002 Updated: October 08, 2002

Status

Not Affected

Vendor Statement

The in.ftpd(1M) daemon shipped with Solaris 2.6, 7, 8, and 9 is not affected by the issue described here.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Symantec Not Affected

Notified:  July 23, 2002 Updated: October 28, 2002

Status

Not Affected

Vendor Statement

Symantec has fully tested against this issue and is pleased to report this issue does not impact any of our currently supported products. Versions/Platforms Not Vulnerable: Symantec Enterprise Firewall Symantec Enterprise VPN Symantec VelociRaptor Symantec Gateway Security

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

WatchGuard Affected

Updated:  October 10, 2002

Status

Affected

Vendor Statement

After analyzing the FTP issue described in VU#3328867, WatchGuard's Rapid Response team found that WatchGuard's Firebox Model II and III families of products are not affected. However, WatchGuard SOHO products running firmware v5.1.6 and earlier, as well as WatchGuard Vclass/RSSA products using v3.2 SP1 and earlier, are susceptible to this type of attack. WatchGuard has released patches for both the Vclass and SOHO products to correct this vulnerability. For WatchGuard SOHO Users: SOHO firmware v5.1.7 and SOHO 6 firmware v6.0.14, both released in September, correct this FTP vulnerability. Registered LiveSecurity users can download these firmware upgrades from our LiveSecurity Web site. For WatchGuard Vclass and Legacy RSSA Users: Hotfix 1 for WatchGuard Vclass v3.2 SP1, released in July, corrects this vulnerability. However, we recommend Vclass and Legacy RSSA users download the Hotfix 2 to correct this issue (Hotfixes are cumulative). Registered LiveSecurity users can download this firmware upgrade from our LiveSecurity Web site. Legacy RSSA users should obtain Hotfix 2 from our Legacy RSSA software download center.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

ZyXEL Unknown

Updated:  March 07, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

It has been reported that the ZyXEL ZyWALL is not vulnerable, possibly if running firmware version 3.50 or higher. This is a annoucement that our ZyWALL firewall series, including ZYWALL-1, ZyWALL-10, ZyWALL-50 and ZyWALL-100, are not vulnerable to the special FTP attack reported in CERT website (http://www.kb.cert.org/vuls/id/328867). ZyWALL firmware from day one v3.50 can prevent from this FTP vulnerability.

View all 30 vendors View less vendors