Hello,

We recently ran an external Nessus scan of our network. We have a very simple network, with an Internal LAN, a DMZ, and an Internet connection, all handled by a CheckPoint FW.

Our scan didn't find anything interesting about real hosts. Instead, it gave us lots of reports of Nessus ID : 12118, mostly for hosts that don't even exist. I assume this is trying to tell me something about my firewall setup. We are running a recent and patched FW-1, and we have the global properties set to drop out of state packets. So I'm not sure how this applies to us. Even if a packet has the established bit set, I don't think it should get through. Could anything cause a false positive here?

Here's the info...

The remote host seems vulnerable to a bug wherein a remote attacker can circumvent the firewall by setting the ECE bit within the TCP flags field. At least one firewall (ipfw) is known to exhibit this sort of behavior.

Known vulnerable systems include all FreeBSD 3.x ,4.x, 3.5-STABLE, and 4.2-STABLE.

Solution: If you are running FreeBSD 3.X, 4.x, 3.5-STABLE, 4.2-STABLE, upgrade your firewall. If you are not running FreeBSD, contact your firewall vendor for a patch.

See also: http://www.securityfocus.com/bid/2293/
Risk Factor: High
CVE : CVE-2001-0183
BID : 2293
Nessus ID : 12118

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
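
The difference between a flag-only "established" test and the drop-out-of-state behaviour the post describes, as an added example that is not part of the original post and is not ipfw or FireWall-1 code. `flag_only_established` is a simplified, assumed model of the flaw in the plugin text; the addresses, ports and function names are constructed for illustration.

```python
import struct

# TCP flag bits in the low byte of header bytes 12-13 (RFC 793, ECN bits per RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def build(sport, dport, flags):
    """Constructed 20-byte TCP header (data offset 5, no options) for the demo."""
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0)

def parse_tcp(segment: bytes):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return sport, dport, off_flags & 0xFF

def flag_only_established(flags: int) -> bool:
    """Assumed model of the flaw: ECE is accepted as proof of an existing connection."""
    return bool(flags & (RST | ACK | ECE))

def stateful_verdict(conn, flags, state_table) -> str:
    """Drop-out-of-state model: flags never prove a connection exists, the table does."""
    if conn in state_table:
        return "accept"
    if (flags & SYN) and not (flags & (ACK | RST | FIN)):
        # A SYN opens a new connection; ECE/CWR on it is only ECN negotiation,
        # so it is judged by the normal rulebase like any other SYN.
        return "evaluate-rulebase"
    return "drop"

def compare(segment, src, dst, state_table):
    """Return (flag-only verdict, stateful verdict) for one segment."""
    sport, dport, flags = parse_tcp(segment)
    naive = "accept" if flag_only_established(flags) else "evaluate-rulebase"
    return naive, stateful_verdict((src, sport, dst, dport), flags, state_table)

if __name__ == "__main__":
    src, dst = "198.51.100.7", "192.0.2.10"      # documentation addresses
    for name, flags in [("SYN", SYN), ("SYN+ECE", SYN | ECE), ("ECE", ECE), ("ACK", ACK)]:
        print(name, compare(build(40000, 80, flags), src, dst, set()))
```

A filter that behaves like `stateful_verdict` never lets the ECE bit stand in for connection state, which is the behaviour to confirm on the firewall itself when judging whether the plugin's finding applies.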
