-- Corsaire Limited Security Advisory --

Title: Symantec Enterprise Firewall (SEF) Notify Daemon data loss via SNMP
Date: 21.01.02
Application: Symantec Enterprise Firewall (SEF) 6.5.x
Environment: WinNT, Win2000
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c020121-001

-- Scope --

The aim of this document is to clearly define some issues related to potential data loss from the Notify Daemon within the Symantec Enterprise Firewall (SEF) environment as provided by Symantec [1].

Note: These issues do NOT appear to be directly related to the recent SNMP issues announced by CERT as advisory CA-2002-03 [2].

-- History --

Vendor notified: 21.01.02
Document released: 21.02.02

-- Overview --

The SEF firewall provides multiple methods of alerting an administrator to firewall log events: audio, external executables, mail, pager and SNMP. This functionality is provided by a subsystem known as the Notify daemon.

When using the SNMP transport method, it is common to send traps back to a network management station (NMS) where they can be centrally coordinated and managed.

When a log entry is larger than a certain threshold (1024 bytes), the Notify daemon discards the alert.

-- Analysis --

If a notification rule is configured to use SNMPv1 to generate alerts for all event types that are logged, then when the Notify daemon begins to drop alerts this state is logged within the local firewall audit trail as:

notifyd[0]: 606 failed to notify: transport=SNMP1, priority=Informational

It is worth noting that this alert is not itself passed on via SNMP. If SNMP is used to alert an administrator of potential issues, then there is the risk that the oversized entries will be lost.

-- Recommendations --

The behaviour of the SNMP Notify daemon should be revised to increase the size of the log messages accepted, up to the maximum allowed by the SNMP standard.

Additionally, the daemon should be amended to truncate log messages that are over size and then transmit the shortened entry rather than discarding it.

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2002-0302 to this issue (http://cve.mitre.org).

-- References --

[1] http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&PID=9674250&EID=0
[2] http://www.cert.org/advisories/CA-2002-03.html

-- Revision --

a. Initial release.
b. Revised detail to include clearer explanation of issue.
c. Revised detail to include clearer explanation of issue.
d. Revised to include CVE reference.

-- Distribution --

This security advisory may be freely distributed, provided that it remains unaltered and in its original form.

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information.

Copyright 2002 Corsaire Limited. All rights reserved.
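A defender-side illustration of the Analysis and Recommendations sections above, added here as an example and not part of the Corsaire advisory or the Symantec product: it scans a local audit trail for the "606 failed to notify" record the advisory quotes (since that record never reaches the NMS, it has to be picked up locally), and models the recommended truncate-and-transmit behaviour in place of discarding. The sample audit lines are constructed, and the function names and the "...[truncated]" marker are assumptions.

```python
import re

# Size threshold named in the advisory: entries above this are discarded by notifyd.
NOTIFYD_LIMIT = 1024

# The local audit-trail record the advisory quotes when an alert is dropped.
FAILED_NOTIFY_RE = re.compile(
    r"notifyd\[\d+\]: 606 failed to notify: "
    r"transport=(?P<transport>[^,]+), priority=(?P<priority>\S+)"
)


def find_dropped_alerts(audit_lines):
    """Return (transport, priority) for every 'failed to notify' record.

    Because this record is not forwarded over SNMP, an NMS-only view never
    sees it; this function is meant to run over the firewall's own log.
    """
    hits = []
    for line in audit_lines:
        m = FAILED_NOTIFY_RE.search(line)
        if m:
            hits.append((m.group("transport"), m.group("priority")))
    return hits


def deliver_or_truncate(message, limit=NOTIFYD_LIMIT):
    """Model the recommended fix: shorten an over-size entry instead of dropping it.

    Returns (text_to_send, was_truncated). The marker is an assumption so the
    receiver can tell that the entry was cut.
    """
    data = message.encode("utf-8")
    if len(data) <= limit:
        return message, False
    marker = "...[truncated]"
    keep = limit - len(marker.encode("utf-8"))
    return data[:keep].decode("utf-8", errors="ignore") + marker, True


# Constructed sample audit lines in the style of the record quoted above.
SAMPLE_AUDIT = [
    "Jan 21 10:00:01 fw notifyd[0]: 606 failed to notify: transport=SNMP1, priority=Informational",
    "Jan 21 10:00:02 fw notifyd[0]: 120 notification sent: transport=SNMP1, priority=Warning",
]

if __name__ == "__main__":
    for transport, priority in find_dropped_alerts(SAMPLE_AUDIT):
        print(f"dropped alert: transport={transport} priority={priority}")
    text, cut = deliver_or_truncate("x" * 2000)
    print(f"sent {len(text.encode())} bytes, truncated={cut}")
```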