-----Original Message-----
From: UNIRAS (UK Govt CERT) [mailto:uniras@;niscc.gov.uk]
Sent: 31 October 2002 14:28
To: [EMAIL PROTECTED]
Subject: UNIRAS Brief - 383/02 - NISCC - Potential crafted packets
vulnerability in firewalls
-----BEGIN PGP SIGNED MESSAGE-----
-
------------------------------------------------------------------------
----------
UNIRAS (UK Govt CERT) Briefing Notice - 383/02 dated 31.10.02 Time:
14:25
UNIRAS is part of NISCC(National Infrastructure Security Co-ordination
Centre)
-
------------------------------------------------------------------------
----------
UNIRAS material is also available from its website at
www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
-
------------------------------------------------------------------------
----------
Title
=====
NISCC Security Advisory:
Potential crafted packets vulnerability in firewalls
Detail
======
There have been reports to several major CERTs of attacks that can
bypass packet
filter firewalls. There has also been discussion on Bugtraq (see
http://online.securityfocus.com/archive/1/296558/2002-10-19/2002-10-25/1
).
In this thread the Linux 2.4.19, Sun Solaris 5.8, FreeBSD 4.5 and
Microsoft
Windows NT 4.0 are identified as vulnerable.
These attacks use specially crafted TCP packets with the SYN
(synchronise)
and FIN (final) flags set. Although crafted packets of this kind are not
uncommon in probes on firewalls as a means of identifying the operating
system,
it appears that some packet filter firewalls will forward such packets
because
the FIN flag is interpreted as a request to end the TCP session, while
the
targeted host on the internal network interprets the SYN flags as a
request to
start a TCP session. This technique has been used to effect a SYN flood
denial
of service attack on the targeted host.
To prevent this type of attack, packets that do not form part of the
normal TCP
state should be filtered. Expected states are packets with the following
flags
set: SYN, ACK (acknowledgement), SYN/ACK, RST (reset), RST/ACK, FIN and
FIN/ACK.
The PSH (push) and URG (urgent) flags may also be set in packets but
they are
used to prioritise processing of a packet. It follows that flag
combinations such
as SYN/FIN, SYN/RST, RST/FIN and a packet with no flags set (called
null) should
be treated as anomalous and should be filtered.
Certain types of firewall are not vulnerable to this type of attack,
namely circuit
gateway (or proxy) or application proxy firewalls. These firewalls do
not forward
TCP packets; they establish a separate connection between the firewall
and the
recipient for the services proxied.
If your firewall does not support filtering of TCP flags and is a packet
filter
firewall, you should contact your firewall vendor to determine if your
firewall
is vulnerable. A workaround solution in case the firewall is vulnerable
is to install
another firewall in front of the vulnerable firewall that does provide
flage filtering
functionality.
-
------------------------------------------------------------------------
----------
For additional information or assistance, please contact the HELP Desk
by
telephone or Not Protectively Marked information may be sent via EMail
to:
[EMAIL PROTECTED]
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686
-
------------------------------------------------------------------------
----------
Reference to any specific commercial product, process, or service by
trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The
views
and opinions of authors expressed within this notice shall not be used
for
advertising or product endorsement purposes.
Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they
shall
not be liable for any loss or damage whatsoever, arising from or in
connection
with the usage of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST)
and has contacts with other international Incident Response Teams (IRTs)
in
order to foster cooperation and coordination in incident prevention, to
prompt
rapid reaction to incidents, and to promote information sharing amongst
its
members and the community at large.
-
------------------------------------------------------------------------
----------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
iQCVAwUBPcE4gIpao72zK539AQHWRQQAt8vYN7Lns+NPQaP4ISH0e5Ppn/W3uo7i
CATo9Ukr/aCQ+rHC5X3zH2lyM8tz4F9ze7R2v1wOwgNMNFDK8TgjLmhlPV/NB9R5
LnXlUiulAJ5PytNn6osEDRzXzX77QKyTOuD2c/yAOqJGyPiShKMgpWgp72B0Jz37
0LsLQDo7hN8=
=4RHU
-----END PGP SIGNATURE-----
IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk
