IPFilter is prone to a denial of service when handling specially crafted packets. When IPFilter handles a TCP ACK packet (without a previous SYN packet to initiate the session) that has a bad checksum, it will add an "ESTABLISHED" session to its state table, which will time out in 120 hours. If numerous packets of this nature are sent, this may cause a denial of service as the state table will be filled with these sessions. This issue is known to occur when "keep state" rules are used without "flags S". The vendor advises users against employing this configuration. It is possible to trigger this condition with other packet sequences.
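The configuration the vendor advises against can be found mechanically. The following Python audit is an added example, not code from the advisory or from the IPFilter project: it lists "keep state" rules in an ipf.conf-style ruleset that can match TCP but lack "flags S". The sample ruleset is constructed, the function name is hypothetical, and treating "flags S/<mask>" as equivalent to "flags S" is an assumption of this check.

```python
import re

# Constructed sample ruleset for illustration (not taken from the advisory).
SAMPLE_RULES = """\
# web server
pass in quick on fxp0 proto tcp from any to any port = 80 keep state
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state
pass in quick on fxp0 proto tcp from any to any port = 443 flags S/SA keep state
pass out quick on fxp0 proto udp from any to any port = 53 keep state
pass out quick on fxp0 proto tcp/udp from any to any keep state
block in all
"""


def audit_keep_state(text):
    """Return (line_number, rule) for stateful rules that can match TCP
    but do not restrict state creation to SYN packets."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()  # drop comments
        tokens = rule.lower().split()
        if not tokens or not re.search(r"\bkeep\s+state\b", rule, re.I):
            continue
        # Protocol restriction, if any: "proto tcp", "proto tcp/udp", "proto 6".
        proto = tokens[tokens.index("proto") + 1] if "proto" in tokens[:-1] else None
        if proto is not None and not {"tcp", "6"} & set(proto.split("/")):
            continue  # rule cannot match TCP, so TCP flags do not apply
        # Assumption: "flags S" and "flags S/<mask>" both limit state
        # creation to packets with SYN set; anything else is reported.
        flags = tokens[tokens.index("flags") + 1] if "flags" in tokens[:-1] else ""
        if flags.split("/")[0] != "s":
            findings.append((lineno, rule))
    return findings


if __name__ == "__main__":
    for lineno, rule in audit_keep_state(SAMPLE_RULES):
        print(f"line {lineno}: keep state without flags S: {rule}")
```

Rules with no "proto" clause are reported as well, since they can match a TCP ACK packet.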