OpenConnect Information for VU#552561

OpenConnect WebConnect MS-DOS Device Name Denial of Service

Overview

When requesting a DOS device name in the URL, the server may stop responding to any further requests.

I. Description

From the OpenConnect webpage:

WebConnect is client-server based software that provides secure browser based emulation to mainframe, midrange and UNIX systems. WebConnect enables enterprise organizations to provide suppliers, partners and employees with secure access to vital applications and information. Enterprises increase productivity and profits, and retain all the advantages of secure host connectivity to new and existing applications in "real-time."

Because WebConnect is non-intrusive, it provides secure SSL encrypted information migration and access without requiring modification to the host. With its patented secure, "persistent connectivity" technology, only WebConnect is capable of supporting tens of thousands of concurrent browser-based users.

WebConnect 6.4.4 and 6.5 do not check for DOS device names within requested URLs. This may allow a denial of service attack by requesting a DOS device name. This affects only the Windows versions of WebConnect. This can affect all http services provided by WebConnect.

II. Impact

Remote attackers could block access to WebConnect by causing the service to become unresponsive.

III. Solution

Update to a corrected version of WebConnect

This vulnerability has been corrected in WebConnect versions 6.4.5 and 6.5.1. Licensed users of WebConnect may contact OpenConnect Technical Support to receive these updated versions.

Credit

Thanks to Dennis Rand of the Danish Computer Incident Response Team for reporting this vulnerability.

This document was written by OpenConnect WebConnect Development based primarily on information provided by Dennis Rand

Vendor Information

If you have feedback, comments, or additional information about this vulnerability, please send us email.