Reported August 20, 2002, by Aaron Tan Lu.



VERSION AFFECTED

 

  • Tiny Personal Firewall 3.0 for Windows

DESCRIPTION

 

Two Denial of Service (DoS) conditions exist in Tiny Personal Firewall 3.0 for Windows. The first vulnerability affects the default installation and use of the activity-logger tab. If an attacker uses multiple SYN, UDP, Internet Control Message Protocol (ICMP), and TCP full Connect to scan the host's ports while the vulnerable user browses the host's Personal Firewall Agent module firewall Log tab, a system crash occurs, consuming 100 percent of the system's resources. The second DoS condition is similar to the first, but occurs in the HIGH Security setting when an attacker uses a spoofed source addressing the firewall’s IP address.

 

VENDOR RESPONSE

 

The vendor, Tiny Software, has been notified, but has not yet released a patch for this vulnerability.

 

CREDIT
Discovered by Aaron Tan Lu of NSSI Research Labs.