Reported August 20, 2002, by Aaron Tan Lu.
VERSION AFFECTED
Tiny Personal Firewall 3.0 for Windows
DESCRIPTION
Two Denial of Service (DoS) conditions exist in Tiny Personal Firewall 3.0 for Windows. The first vulnerability affects the default installation and use of the activity-logger tab. If an attacker runs multiple SYN, UDP, Internet Control Message Protocol (ICMP), and TCP full-connect scans against the host's ports while the vulnerable user browses the firewall Log tab of the host's Personal Firewall Agent module, a system crash occurs, consuming 100 percent of the system's resources. The second DoS condition is similar to the first, but occurs in the HIGH Security setting when an attacker uses a spoofed source addressing the firewall’s IP address.
VENDOR RESPONSE
The vendor, Tiny Software, has been notified, but has not yet released a patch for this vulnerability.
CREDIT
Discovered by Aaron Tan Lu of NSSI Research Labs.