IBM Information for VU#328867
Multiple vendors' firewalls do not adequately keep state of FTP traffic
The vulnerability that is being referred, is for the firewalls that monitor the application layer data and open the ports. In IBM Firewall's Dynamic PASV ftp, the filter rules for data connections are activated dynamically by monitoring the ftp control connection. The activation of these rules is state based, where in the filter rule needed for a data connection is opened only after the "PASV ----> 227........" handshake completes between the end points. That is, firewall considers "227 ..." reply to a ftp client as valid, only after the corresponding "PASV" command from that ftp client is observed. So, I think IBM-SecureWay firewall is not vulnerable to the attack being referred.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.