CVE-2007-1653 in GlowWorm

Summary

by MITRE

GlowWorm FW before 1.5.3b4 allows remote attackers to cause a denial of service (kernel panic) via certain DNS responses that trigger infinite recursion in TrueDNS packet parsing, as originally observed with certain login.yahoo.com responses.


Analysis

by VulDB Data Team • 08/27/2018

CVE-2007-1653 affects GlowWorm Firewall versions prior to 1.5.3b4 and is a critical denial of service flaw that can lead to kernel panics on affected systems. It manifests when the firewall processes certain DNS responses containing recursive packet structures within the TrueDNS parsing component. The issue was originally observed in responses from login.yahoo.com, which indicates that malicious actors could exploit the weakness by crafting specially formatted DNS replies that trigger the problematic code path in the firewall's packet processing engine.

The technical root cause lies in the improper handling of DNS packet structures within the TrueDNS parsing module of the GlowWorm firewall. When the system receives DNS responses containing recursive references or malformed packet sequences, the parsing logic enters unbounded recursion that exhausts system resources and ultimately causes the kernel to panic. This falls under CWE-835 (loop or recursion without a proper termination condition), a classic resource exhaustion vector. The flaw reflects missing input validation and bounds checking in the DNS processing pipeline: malformed data cascades through the parsing logic without any safeguard that would stop the recursion.
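The page does not say which DNS construct triggers the recursion in TrueDNS, so the following added example (not GlowWorm's or VulDB's code) assumes the classic cause of unbounded recursion in DNS name parsing, a compression pointer that leads back to an offset already visited, and shows a decoder that terminates on such input. Both packets are constructed for illustration.

```python
import struct

def decode_name(packet: bytes, offset: int):
    """Decode a DNS name at `offset`; return (name, offset_after_name).

    Iterative rather than recursive, and every visited offset is recorded, so a
    compression pointer that (directly or via other labels) leads back to an
    offset already walked raises ValueError instead of recursing forever.
    """
    labels, seen, end = [], set(), None
    while True:
        if offset >= len(packet):
            raise ValueError("name runs past end of packet")
        if offset in seen:
            raise ValueError(f"compression pointer loop at offset {offset}")
        seen.add(offset)
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: 14-bit pointer to an earlier name
            if offset + 2 > len(packet):
                raise ValueError("truncated compression pointer")
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        if length & 0xC0:          # 01/10 prefixes are reserved by RFC 1035
            raise ValueError("reserved label type")
        if length == 0:            # root label terminates the name
            return ".".join(labels), (end if end is not None else offset + 1)
        if offset + 1 + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"

HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# Constructed well-formed response: question "login.yahoo.com" A IN, answer owner
# name given as a pointer (0xC00C) back to the question name at offset 12.
GOOD = (HEADER + encode_name("login.yahoo.com") + struct.pack("!HH", 1, 1)
        + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 5]))
# Constructed malformed response: the question name at offset 12 is a pointer to
# offset 12, i.e. to itself; a naive recursive decoder never terminates here.
LOOP = HEADER + b"\xC0\x0C" + struct.pack("!HH", 1, 1)

def check_response(packet: bytes) -> str:
    """Walk the question and answer names; return 'ok' or the parser's complaint."""
    try:
        _qname, off = decode_name(packet, 12)
        decode_name(packet, off + 4)   # +4 skips QTYPE/QCLASS; answer owner name
        return "ok"
    except ValueError as e:
        return f"rejected: {e}"
```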

From an operational perspective, this vulnerability poses a significant risk to network infrastructure because a remote attacker can disrupt firewall operations without authentication or privileged access. Triggering a kernel panic through a DNS response effectively disables the network protection mechanism and can expose the network segments behind it to further attacks. That the behaviour was observed in responses from a major service like Yahoo shows its real-world applicability and the potential for widespread impact on networks that rely on ordinary DNS resolution. Network administrators must therefore defend against an attack on a fundamental protocol parser rather than an application-level flaw.

Mitigation requires prompt patching of all affected GlowWorm Firewall systems to version 1.5.3b4 or later, which fixes the infinite recursion in the TrueDNS component. Organizations should also monitor for unusual DNS traffic patterns that might indicate exploitation attempts, although detection is difficult because the failure occurs at the kernel level. Network segmentation and DNS filtering provide additional layers of protection, and regular security assessments should verify that similar recursion flaws do not exist in other network infrastructure components. The vulnerability underlines the importance of proper input validation in network protocol implementations and is a reminder that even a fundamental service like DNS processing needs rigorous security testing to prevent denial of service attacks that can bring down an entire security infrastructure.

Reservation

03/23/2007

Disclosure

03/23/2007

Moderation

accepted

Entry

VDB-35831

CPE

ready

EPSS

0.00780

KEV

no

Activities

very low
