Sygate Security Bulletin ID SS20030129-0002

From: Elisha Riedlinger (elisha.riedlinger@SYGATE.COM)
Date: 01/31/03

    Date:         Thu, 30 Jan 2003 18:19:23 -0800
    From: Elisha Riedlinger <elisha.riedlinger@SYGATE.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

                              Sygate Security Bulletin

    Sygate was made aware of an exposure in Sygate Personal Firewall 5.0 and
    Sygate Security Agent 3.0 on 1/23/2003 by David Fernandez Madrid
    (conde0@telefonica.net).

    Sygate Security Bulletin ID
    ----------------------------
    SS20030129-0002

    Description
    ------------

    The reporter of the vulnerability described a problem in which a remote
    attacker could gain access to a system with an open UDP port that was
    protected by Sygate Personal Firewall by sending specially crafted UDP
    packets in an attempt to bypass the firewall.

    Impact of this vulnerability
    -----------------------------

    Systems are not vulnerable to attempts by remote attackers to gain access to
    open UDP ports and bypass Sygate Personal Firewall or Sygate Security Agent
    if the attacker is on a different network than the system running Sygate
    Personal Firewall or Sygate Security Agent and NetBIOS Protection is enabled.

    If an attacker is on the same IP subnet as the system protected by Sygate
    Personal Firewall or Sygate Security Agent, or if NetBIOS Protection is
    disabled, this vulnerability can be taken advantage of.

    Affected software
    -----------------

    * Sygate Personal Firewall Pro 5.0
    * Sygate Personal Firewall 5.0
    * Sygate Security Agent 3.0

    Vulnerability resolution
    ------------------------

    This vulnerability condition pertaining to an attacker on a local network
    gaining access to open UDP ports and bypassing Sygate Personal Firewall or
    Sygate Security Agent is addressed by adding new firewall rules. Instructions
    for adding the new rules are detailed below.

    In conformance with RFPolicy, Sygate has created a security@sygate.com email
    address to supplement the previously existing security-alert@sygate.com
    email address. Additionally, the policies for handling vulnerability
    advisories regarding Sygate products have been re-examined and improved to
    facilitate better communication between researchers and Sygate, Inc.

    Users of Sygate Personal Firewall should use the following instructions to
    add the NetBIOS name service and NetBIOS datagram service rules under the
    Advanced Rule Editor:

    For NetBIOS name service, use the following instructions to add a rule for
    port 137:

    1) Select the Add button.
    2) Enter Microsoft SQL Monitor Service as the Rule Description
    3) Select the Block this traffic radio button
    4) Select All network interface cards under Apply Rule to Network Interface
    5) Select Both on and off under Apply this rule during Screensaver Mode
    6) Select the Hosts tab at the top of the Advanced Rule Settings window
    7) Select All Addresses under Apply this rule to
    8) Select the Ports and Protocols tab at the top of the Advanced Rule
        Settings Window
    9) Select UDP under Protocol
    10) Select NETBIOS-NS(137) under Remote
    11) Manually enter 0-136,138-65535 under Local
    12) Select Both under Traffic Direction
    13) Select the Ok button

    For NetBIOS Datagram service, use the following instructions to add a rule
    for port 138:

    1) Select the Add button.
    2) Enter NetBIOS Datagram Service as the Rule Description
    3) Select the Block this traffic radio button
    4) Select All network interface cards under Apply Rule to Network Interface
    5) Select Both on and off under Apply this rule during Screensaver Mode
    6) Select the Hosts tab at the top of the Advanced Rule Settings window
    7) Select All Addresses under Apply this rule to
    8) Select the Ports and Protocols tab at the top of the Advanced Rule
        Settings Window
    9) Select UDP under Protocol
    10) Select NETBIOS-DGM(138) under Remote
    11) Manually enter 0-137,139-65535 under Local
    12) Select Both under Traffic Direction
    13) Select the Ok button
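    As an added illustration (not Sygate's code and not part of the bulletin), the following Python models the two Advanced Rule Editor rules above, with the rule semantics inferred from steps 9 through 12: a UDP datagram whose remote port is 137 or 138 is blocked unless the local port is the matching NetBIOS port, so ordinary NetBIOS name and datagram service traffic is left to the other rules while source-port-137/138 datagrams aimed at any other open UDP port are dropped. It also shows how the "Local" port strings in step 11 are derived.

```python
# Added example modelling the bulletin's two block rules; not Sygate's code.
from dataclasses import dataclass


def parse_port_list(spec: str) -> frozenset:
    """Parse a Sygate-style port string such as '0-136,138-65535' into a set."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (0 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return frozenset(ports)


def excluding_port_spec(port: int) -> str:
    """Build the 'every local port except this one' string used in step 11."""
    parts = []
    if port > 0:
        parts.append(f"0-{port - 1}")
    if port < 65535:
        parts.append(f"{port + 1}-65535")
    return ",".join(parts)


@dataclass
class BlockRule:
    description: str        # step 2
    protocol: str           # step 9
    remote_ports: frozenset # step 10
    local_ports: frozenset  # step 11
    direction: str = "Both" # step 12


# The two rules with the values the bulletin has the user enter.
RULES = [
    BlockRule("Microsoft SQL Monitor Service", "UDP", frozenset({137}),
              parse_port_list(excluding_port_spec(137))),
    BlockRule("NetBIOS Datagram Service", "UDP", frozenset({138}),
              parse_port_list(excluding_port_spec(138))),
]


def verdict(protocol: str, remote_port: int, local_port: int, direction: str = "in") -> str:
    """Return 'block (<rule>)' for the first matching rule, else 'allow'."""
    for rule in RULES:
        if rule.protocol != protocol:
            continue
        if rule.direction != "Both" and rule.direction != direction:
            continue
        if remote_port in rule.remote_ports and local_port in rule.local_ports:
            return f"block ({rule.description})"
    return "allow"  # fall through to the remaining firewall rules
```

Note that "allow" here only means these two rules did not match; the datagram is still subject to the rest of the rule set.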

    System Administrators of Sygate Management Servers providing configurations
    to systems running Sygate Security Agent should use the following
    instructions to add rules to protect their systems:

    1) Select the Policies tab
    2) Select the Simple Rules sub tab
    3) Check out the group for the new rule (repeat for additional groups or
        select the Global group to affect all groups)
    4) Ensure Active Directory Sharing and Network Neighborhood Sharing are not
        enabled
    5) Select the Advance Rules sub tab
    6) Expand the list of locations
    7) Select a location for the new rule (repeat for additional locations)
    8) Expand the Security icon to display the list of available adapters
    9) Select All Adapters under the list of available adapters
    10) Enter Allow NetBIOS Browsing as the Rule Description
    11) Select the Add button
    12) Select the Allow NetBIOS Browsing rule listed under All Adapters
    13) Select the Applications tab listed under Events and Triggers
    14) Select a Priority and Severity level that is appropriate to your network
        environment, such as Priority: 13, Severity: 10
    15) Select Enable Application Triggers by placing a check in the checkbox
    16) Select the Add button
    17) Enter NT OS Kernel as the Application Description
    18) Enter ntoskrnl.exe as the file name
    19) Select Create Application Fingerprint by placing a check in the checkbox
    20) Select the Ok button
    21) Select the Add button again
    22) Enter Windows OS Kernel as the Application Description
    23) Enter kernel32.dll as the file name
    24) Select Create Application Fingerprint by placing a check in the checkbox
    25) Select the Ok button
    26) Select the Services tab listed under Events and Triggers
    27) Select Enable Port and Protocol Triggers by placing a check in the
        checkbox
    28) Select Remote TCP Ports under Service Type
    29) Select the following Triggers:
       a. netbios-ssn (port 139)
       b. microsoft-ds (port 445)
    30) Select the Add button
       a. Enter 135 as the Port Number
       b. Enter netbios-dce as the Description
    31) Select the Ok button
    32) Select the Add button again
       a. Enter 1026 as the Port Number
       b. Enter 1027 as the ending Port Number (listed as To)
       c. Enter User Defined as the Description
    33) Select the Ok button
    34) Select Remote UDP Ports under Service Type
    35) Select the following Triggers:
       a. kerberos (port 88)
       b. netbios-ns (port 137)
       c. netbios-dgm (port 138)
    36) Select Drop listed under Actions
    37) Select Write to Traffic Log by placing a check in the checkbox
    38) Select the Apply button at the top of the SMS window
    39) Check in the group for which the new rule was just added (repeat from
        step 3 for additional groups if the Global group was not used)

    In the next release of Sygate Personal Firewall and Sygate Security Agent,
    these rules will be incorporated into the default behavior of the system.

    Elisha Riedlinger
    Product Manager
    Sygate Technologies, Inc.
    6595 Dumbarton Circle
    Fremont, CA 94555
    (510) 742-2616
