IBM Information for VU#539363

State-based firewalls fail to effectively manage session table resource exhaustion



Vendor Statement

IBM Tivoli Firewall is not generally vulnerable to Denial of Service (DOS) attacks by session table filling. IBM firewall is not a full fledged stateful packet filter, but more like a Stateful-Inspection with Connection-Centric deterministic-filtering firewall.

When a connection is requested for dynamic PASV ftp traffic or RealAudio traffic, this connection must first meet connection filter requirements, then build an FBE (Function Block Entry) to maintain session state if the connection meets endpoint and protocol filter requirements. Vulnerability to the session table filling hack only exists in a limited way on the IBM Tivoli Firewall and only on tables maintained for these policies (PASV FTP and RealAudio). If this hack somehow gets past the filters in place that should specify endpoints, AND the tables are filled somehow, then and only
then will the PASV ftp and RealAudio traffic will be impacted (and this impact is limited to slowdown or stop, NOT security); all other functions of the IBM Tivoli Firewall will continue to perform as before.

Another connection type that grows a table based on connections is NAT dynamic map table when NAT is active. This table maintains dynamic list of many-to-one entries for each connection going from secure to non-secure network. The attack on this table can only occur with traffic from secure to non-secure network; and, since each connection must be maintained to fill the table, it is easy to identify source of attack since it is listed, allowed by rule, and must be maintained during the period of the attack (not to mention the fact that it originates on the secure side of the Firewall and must be explicitly configured by endpoints before connection requests will even enter the table).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.