[INFOCON] - UNIRAS Brief - 383/02 - NISCC - Potential crafted packets vulnerability in firewalls

2002-10-31 Thread Wanja Eric Naef [IWS]


-Original Message-
From: UNIRAS (UK Govt CERT) [mailto:uniras@;niscc.gov.uk] 
Sent: 31 October 2002 14:28
To: [EMAIL PROTECTED]
Subject: UNIRAS Brief - 383/02 - NISCC - Potential crafted packets vulnerability in firewalls

 
-BEGIN PGP SIGNED MESSAGE-

UNIRAS (UK Govt CERT) Briefing Notice - 383/02 dated 31.10.02  Time: 14:25
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)

UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk

Title
=

NISCC Security Advisory:

Potential crafted packets vulnerability in firewalls

Detail
== 

There have been reports to several major CERTs of attacks that can bypass
packet filter firewalls. There has also been discussion on Bugtraq (see
http://online.securityfocus.com/archive/1/296558/2002-10-19/2002-10-25/1).
In this thread the Linux 2.4.19, Sun Solaris 5.8, FreeBSD 4.5 and Microsoft
Windows NT 4.0 are identified as vulnerable.

These attacks use specially crafted TCP packets with the SYN (synchronise)
and FIN (final) flags set. Although crafted packets of this kind are not
uncommon in probes on firewalls as a means of identifying the operating
system, it appears that some packet filter firewalls will forward such
packets because the FIN flag is interpreted as a request to end the TCP
session, while the targeted host on the internal network interprets the SYN
flags as a request to start a TCP session. This technique has been used to
effect a SYN flood denial of service attack on the targeted host.

To prevent this type of attack, packets that do not form part of the normal
TCP state should be filtered. Expected states are packets with the following
flags set: SYN, ACK (acknowledgement), SYN/ACK, RST (reset), RST/ACK, FIN and
FIN/ACK. The PSH (push) and URG (urgent) flags may also be set in packets but
they are used to prioritise processing of a packet. It follows that flag
combinations such as SYN/FIN, SYN/RST, RST/FIN and a packet with no flags set
(called null) should be treated as anomalous and should be filtered.

Certain types of firewall are not vulnerable to this type of attack, namely
circuit gateway (or proxy) or application proxy firewalls. These firewalls do
not forward TCP packets; they establish a separate connection between the
firewall and the recipient for the services proxied.

If your firewall does not support filtering of TCP flags and is a packet
filter firewall, you should contact your firewall vendor to determine if your
firewall is vulnerable. A workaround solution in case the firewall is
vulnerable is to install another firewall in front of the vulnerable firewall
that does provide flag filtering functionality.

For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:

[EMAIL PROTECTED]
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views and
opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall also accept responsibility for any errors or
omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in
connection with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response Teams
(IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote information
sharing amongst its members and the community at large.





IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk
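
Added example (not part of the UNIRAS advisory or of the original list post): the flag rule described in the advisory's "Detail" section, written as a Python check over the flags byte of a raw TCP header. The function names, port numbers and sample headers are constructed for illustration.

```python
import struct

# TCP control bits in header byte 13 (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = [(SYN, "SYN"), (FIN, "FIN"), (RST, "RST"),
         (ACK, "ACK"), (PSH, "PSH"), (URG, "URG")]

# Combinations the advisory lists as part of normal TCP state.
EXPECTED = {SYN, ACK, SYN | ACK, RST, RST | ACK, FIN, FIN | ACK}


def tcp_flags(segment: bytes) -> int:
    """Extract the six control bits from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F


def flag_names(flags: int) -> str:
    return "/".join(n for bit, n in NAMES if flags & bit) or "null"


def classify(flags: int) -> str:
    """Apply the advisory's rule: PSH and URG are ignored, the rest must
    match one of the expected combinations."""
    core = flags & (SYN | FIN | RST | ACK)
    return "expected" if core in EXPECTED else "anomalous"


def build_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header (no options, checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def audit(segments):
    """Return the flag names of every segment a filter should drop."""
    return [flag_names(f) for f in map(tcp_flags, segments)
            if classify(f) == "anomalous"]


if __name__ == "__main__":
    # Constructed sample traffic: a normal handshake plus the anomalous
    # combinations named in the advisory.
    sample = [build_header(f) for f in
              (SYN, SYN | ACK, ACK, ACK | PSH, SYN | FIN, SYN | RST, RST | FIN, 0)]
    for seg in sample:
        f = tcp_flags(seg)
        print(f"{flag_names(f):8} {classify(f)}")
    print("drop:", audit(sample))
```
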





[INFOCON] - News 10/31/02

2002-10-31 Thread Wanja Eric Naef [IWS]

_

  London, Thursday, October 31, 2002
_

INFOCON News
_

IWS - The Information Warfare Site
http://www.iwar.org.uk

_


-

To subscribe - send an email to "[EMAIL PROTECTED]" with
"subscribe infocon" in the body

To unsubscribe - send an email to "[EMAIL PROTECTED]" with
"unsubscribe infocon" in the body

-

_


  
  [News Index]
  

[1] Businesses overlook intellectual property security, ASIS reports
[2] BCS presses Whitehall on new security rules
[3] Transformation driving DOD IT
[4] Was it hacking or public property?
[5] Islamic site's peaceful path  

[6] Country bodies threaten ICANN walkout
[7] Merkur Worm Hits File Swappers
[8] Digital copyright law on trial
[9] Australia is sure al-Qaida was in on Bali bombing
[10] 'Internal Look' to Test CENTCOM Command and Control Capabilities

[11] US may set up MI5-style spy agency in security shake-up
[12] Outlook bright for many e-tailers
[13] Kournikova author loses appeal
[14] Aust police, manufacturers in standoff over device security
[15] (ZA) Hacker continues trail of malice

[16] Verizon settles lawsuit against spammer
[17] MasterCard to send anti-skimming cards to Australia

_

News
_


[1] Businesses overlook intellectual property security, ASIS reports

Access Control & Security Systems, Oct 1, 2002  
   
Businesses must make information protection a higher priority, contends
a recent report by ASIS International, through its Council on
Safeguarding Proprietary Information.

The report includes a Proprietary Information Loss Survey conducted
among CEOs of Fortune 1,000 companies and of 600 small and mid-sized
companies that belong to the U.S. Chamber of Commerce. Responses suggest
proprietary information and intellectual property (IP) losses totalling
between $53 billion and $59 billion from July 1, 2000 to June 30, 2001.

http://www.industryclick.com/magazinearticle.asp?magazineid=119&releaseid=10640&magazinearticleid=159088&siteid=2

 

[2] BCS presses Whitehall on new security rules 

Thursday 31 October 2002  
 
The BCS is pressing the Government on legislation which could lead to
the regulation of the IT security sector, writes John Kavanagh.
 
The society is monitoring the working of the new Private Securities
Industries Act and the associated Security Industry Authority, which is
focusing initially on the activities of security firms, wheel clampers
and private detectives. The BCS wants to ensure that if the authority
turns its attention to IT security any regulation it sets in motion will
be appropriate.

The legislation has caused controversy by being unclear on whether it
covers IT security specialists, and whether IT security should be
regulated at all. Activities covered by the Act include security
consultancy - defined partly as advising on security precautions in
relation to any risk to property or person.

http://www.cw360.com/bin/bladerunner?REQUNIQ=1036073088&REQSESS=De57013&;REQHOST=site1&2131REQEVENT=&CFLAV=1&CCAT=2&CCHAN=28&CARTI=117101

 

[3] Transformation driving DOD IT
BY Dan Caterinicchia 
Oct. 31, 2002 

Driven by Secretary Donald Rumsfeld's vision of transformation, the
Defense Department's fiscal 2003 information technology budget is more
than $26 billion and should grow steadily at 5 percent for the next
decade, according to the Government Electronics and Information
Technology Association (GEIA).

DOD's transformation activities affect "every nook and cranny of the
services" and are the main driver of IT budget dollars, said Mike Kush,
director of public-sector marketing for Identix Inc. and GEIA's DOD IT
forecast chairman. He added that the DOD should be receiving an
increasing amount of IT funding in the future, "but the percentage is
not necessarily going up."

http://www.fcw.com/fcw/articles/2002/1028/web-budget-10-31-02.asp 

 

[4] Was it hacking or public property?
 
Reuters
October 29, 2002, 5:51 AM PT

A Swedish company has filed cri