Re: Eagle Raptor Firewall for Windows vulnerable to MSBLAST?
From: Marc Maiffret (marc_at_EEYE.COM)
Date: 08/19/03
- In reply to: Wallace Fullerton: "Re: Eagle Raptor Firewall for Windows vulnerable to MSBLAST?"
Date: Tue, 19 Aug 2003 12:01:44 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

It is great to generically test on systems but it is very much possible to
have a Raptor (NT based version) firewall be vulnerable to this RPC bug. It
is not to say that out of box it is or is not vulnerable, I do not have
enough versions to test. However, the systems do use NT and can have DCOM
enabled. So if DCOM is enabled, and the system is unpatched, and allowing
port 135 traffic through then yes Raptor can be vulnerable, same with any
other NT based firewall that's not properly configured.

The easiest way to sort this out is for John Kramer to see if the port is
open on the system (has to be or our tool won't flag it) and then check the
registry to see if DCOM is enabled, and check to see if the patch is
installed. John, if you want to eMail me directly I would be more than happy
to help you out.

My guess is that his Raptor, although it may not be default like this across
all Raptor installs, is vulnerable.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
| -----Original Message-----
| From: Windows NTBugtraq Mailing List
| [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Wallace Fullerton
| Sent: Tuesday, August 19, 2003 8:43 AM
| To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
| Subject: Re: Eagle Raptor Firewall for Windows vulnerable to MSBLAST?
|
|
| Several members of the Raptor mailing list read this message and have
| tested their own systems using eEye's scanning tool. In all reported
| instances, no vulnerabilities were found by the scanning tool.
|
| It isn't clear from the original message what version of Raptor and on
| what platform were tested by Mr. Kramer but the fact that it was even
| called "Raptor Eagle" and that there was a suggestion that the OS was
| "not standard" suggests Mr. Kramer may have been working with an old
| version -- Since early 2002 (or before) Raptor has been called Symantec
| Enterprise Firewall (now in version 7.x) and runs on hardened Windows
| NT, Windows 2000, and Solaris. Other versions run on hardware devices.
|
| I suppose it's possible that some earlier versions of Raptor running on
| NT might be vulnerable but the current version does not appear to be
| vulnerable. Symantec will have to provide their official spin on this
| question.
|
|
|
| -----Original Message-----
| From: Windows NTBugtraq Mailing List
| [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Kramer, John
| Sent: Friday, August 15, 2003 7:53 AM
| To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
| Subject: Eagle Raptor Firewall for Windows vulnerable to MSBLAST?
|
|
| I used eEye Retina's DCOM/RPC vulnerability scanner yesterday, and one
| of the devices that came back as being vulnerable was our Eagle Raptor
| Firewall.
| Based on my concern, I promptly asked one of our IT guys if he was aware
| of this. His response was that it is our old Eagle Raptor Firewall
| machine so it's not really running standard Windows.
| Huh? If the scanner reported that the device is vulnerable, no matter
| what kind of version of Windows (embedded, whatever), is this device
| still not vulnerable and can possibly have the worm be able to transfer
| itself through to another device internal to our firewall?
| Has anyone using the Eagle Raptor firewall for Windows come across this
| and is this true?
|
| thanks
|
| John Kramer
| McKesson Automation
| John.Kramer@McKesson.com
|