search menu icon-carat-right cmu-wordmark

CERT Coordination Center

OpenConnect Webconnect MS-DOS device name denial-of-service

Vulnerability Note VU#552561

Original Release Date: 2005-02-21 | Last Revised: 2005-02-21

Overview

OpenConnect WebConnect may stop responding after processing an HTTP request with an MS-DOS device name in it.

Description

OpenConnect Webconnect provides secured web access and emulation services for backend mainframes and UNIX servers. Versions of Webconnect prior to 6.4.5 and 6.5.1 running on Windows OS may stop responding after processing an HTTP GET or POST request with an MS-DOS device name in it. All HTTP and emulation services supported by Webconnect may be affected after such an attack.

Impact

OpenConnect WebConnect running on Windows OS may experience a denial-of-service condition after processing MS-DOS device names in HTTP requests.

Solution

Affected sites should upgrade to a corrected version of WebConnect, versions 6.4.5 and 6.5.1. Licensed users can send mail to OpenConnect technical support mailto: ocs_support@oc.com, or call +1-972-888-0678.

Vendor Information

552561
 
Affected   Unknown   Unaffected

OpenConnect

Notified:  December 21, 2004 Updated:  February 20, 2005

Status

  Vulnerable

Vendor Statement

Vulnerability Note VU#552561

OpenConnect WebConnect MS-DOS Device Name Denial of Service

Overview

When requesting a DOS device name in the URL, the server may stop responding to any further requests.

I. Description

From the OpenConnect webpage:

WebConnect is client-server based software that provides secure browser based emulation to mainframe, midrange and UNIX systems. WebConnect enables enterprise organizations to provide suppliers, partners and employees with secure access to vital applications and information. Enterprises increase productivity and profits, and retain all the advantages of secure host connectivity to new and existing applications in "real-time."

Because WebConnect is non-intrusive, it provides secure SSL encrypted information migration and access without requiring modification to the host. With its patented secure, "persistent connectivity" technology, only WebConnect is capable of supporting tens of thousands of concurrent browser-based users.


WebConnect 6.4.4 and 6.5 do not check for DOS device names within requested URLs. This may allow a denial of service attack by requesting a DOS device name. This affects only the Windows versions of WebConnect. This can affect all http services provided by WebConnect.

II. Impact

Remote attackers could block access to WebConnect by causing the service to become unresponsive.

III. Solution

Update to a corrected version of WebConnect

This vulnerability has been corrected in WebConnect versions 6.4.5 and 6.5.1. Licensed users of WebConnect may contact OpenConnect Technical Support to receive these updated versions.

Credit

Thanks to Dennis Rand of the Danish Computer Incident Response Team for reporting this vulnerability.

This document was written by OpenConnect WebConnect Development based primarily on information provided by Dennis Rand

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Licensed users can send mail to OpenConnect technical support mailto: ocs_support@oc.com, or call +1-972-888-0678.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to Dennis Rand of the Danish Computer Incident Response Team for reporting this vulnerability.

This document was written by Jeff S Havrilla, with contributions from Dennis Rand and the OpenConnect WebConnect Development team.

Other Information

CVE IDs: CVE-2004-0466
Severity Metric: 1.06
Date Public: 2005-02-21
Date First Published: 2005-02-21
Date Last Updated: 2005-02-21 17:17 UTC
Document Revision: 19

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.