Title: RE: [FW1] New Outlook Exploit and Firewall-1/NAVFW
Filtering attachments based on file extension does not work at all, and there is a workaround for a GUI problem.  The attachment filtering in 1.04 works fine, but they broke it in 1.50.  We don't really have a good reason to upgrade so we are putting it off until we receive/test/confirm any new version of the software, which we have not yet even received!
 
If you specify, for example, that VBS attachments should be removed from e-mail (as we did after ILOVEYOU et al.) it allows the e-mail straight through.
 
I contacted Symantec about this and they put my name on a list (with many others I'm sure) to be contacted when it's repaired.  They also indicated that they have absolutely no intention of releasing a patch, and that it will be repaired in the next major release of the NAV Corporate Edition CDs.  I honestly think that's deplorable customer service, but what can you do about it?
 
Daniel Katz
-----Original Message-----
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 19, 2000 3:08 PM
To: 'Iona College Firewall Mailing List'
Subject: RE: [FW1] New Outlook Exploit and Firewall-1/NAVFW

Hi, I am about to install Norton Anti-Virus for Firewalls.  How is it broken?



Ryan V. Finnesey
Network Administrator
@tmosphere Interactive
1375 Broadway, 11th floor
New York, NY 10018
212 827 2507 phone
212 827 2525 fax
[EMAIL PROTECTED]


-----Original Message-----
From: Iona College Firewall Mailing List
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 18, 2000 8:59 PM
To: 'Fw-1-Mailinglist' (E-mail)
Subject: [FW1] New Outlook Exploit and Firewall-1/NAVFW



Hi all:
I'm sure by now you've seen the reports about the exploitability (err, the
latest) with Outlook/Outlook Express.  I've been doing some vulnerability
testing on our network and have found an interesting thing.  We're set up
using FW-1 4.0 SP5 SMTP CVP and Norton Anti-Virus 1.04 for firewalls (1.50 is
broken, so we don't use it).

In trying to send an e-mail from sendmail (8.9.3) using the bad "Date" line
downloaded from
http://www.securityfocus.com/data/vulnerabilities/exploits/outsploit.txt
I can't seem to get the e-mail to go through the firewall.  Every time I get
a log entry which looks like:
"293146"  "18Jul2000"  "20:49:41"  "daemon"  "10.1.1.1"  "log"  "reject"
"smtp"  "SUN_Sparc5"  "Mailbox"  "tcp"  "3"  "42386"  ""  ""  ""  ""  ""  ""
""  " agent mail dequeuer orig_from <[EMAIL PROTECTED]> orig_to
<[EMAIL PROTECTED]> from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]> reason
Connection to Content Security Server failed" 

I find that the e-mail is stuck in the spool directory as an "R" which
generally means (I think) "Received, waiting for security server's
response." I have not yet done a trace on the connection between the NAVFW
machine and the Firewall, but it appears that NAV is dropping the connection
when the Date: line is sent.  This may be because there is non-ASCII data in
the e-mail but I really don't care so long as it doesn't get into my
network.

I'd like to know if there is anyone else who's received the same result,
with NAVFW or even another content filter.  If so, then all of us using
Content Filtering should thank Checkpoint for their protocol design or NAV
for dropping the connection!

Good luck all, see you when the next bug comes out!
Daniel Katz-Braunschweig
Network Specialist - Iona College
MCSE, CNA



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
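
One way to check whether rejects like the log entry quoted in the thread follow a single message or all mail, as an added Python example that is not part of the thread or of any Check Point or Symantec tooling. It parses records in the quoted-field layout shown in the post; the sample records, the addresses, the `accept` action value and the triage rule are constructed assumptions.

```python
import re
import shlex
from collections import Counter

CVP_FAIL = "Connection to Content Security Server failed"  # reason text from the post
PAIR = re.compile(r"\b(orig_from|orig_to|from|to) <([^>]*)>")

def sample_record(num, clock, action, sender, reason=""):
    """Build one constructed record in the quoted-field layout of the post's log entry."""
    info = (f" agent mail dequeuer orig_from <{sender}> orig_to <user@example.edu>"
            f" from <{sender}> to <user@example.edu>")
    info += f" reason {reason}" if reason else ""
    fields = [num, "18Jul2000", clock, "daemon", "10.1.1.1", "log", action, "smtp",
              "SUN_Sparc5", "Mailbox", "tcp", "3", "42386"] + [""] * 7 + [info]
    return " ".join(f'"{f}"' for f in fields)

# Constructed sample ("accept" as an action value is an assumption; the post shows only a reject).
SAMPLE_LOG = "\n".join([
    sample_record("293146", "20:49:41", "reject", "tester@example.org", CVP_FAIL),
    sample_record("293150", "20:50:02", "accept", "alice@example.com"),
    sample_record("293161", "20:54:41", "reject", "tester@example.org", CVP_FAIL),
    sample_record("293170", "20:56:13", "accept", "bob@example.net"),
])

def parse_record(line):
    """Split a record into its quoted fields and parse the trailing info string."""
    fields = shlex.split(line)
    info = fields[-1] if fields else ""
    found = re.search(r"\breason (.+)$", info)
    reason = found.group(1).strip() if found else ""
    return fields, dict(PAIR.findall(info), reason=reason)

def cvp_failures(log_text):
    """Return (CVP-failure rejects per (sender, recipient), count of accepted SMTP records)."""
    failed, passed = Counter(), 0
    for line in filter(str.strip, log_text.splitlines()):
        fields, rec = parse_record(line)
        if {"smtp", "reject"} <= set(fields) and rec["reason"] == CVP_FAIL:
            failed[(rec.get("orig_from"), rec.get("orig_to"))] += 1
        elif {"smtp", "accept"} <= set(fields):
            passed += 1
    return failed, passed

def triage(log_text):
    """Heuristic: one failing pair while other mail passes points at the message itself."""
    failed, passed = cvp_failures(log_text)
    if not failed:
        return "no CVP failures"
    return "message-specific" if passed and len(failed) == 1 else "possible CVP outage"
```

A "message-specific" result only narrows the search; a trace between the firewall and the content security server is still needed to see where the connection is dropped.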