[NT] Symantec Enterprise Firewall (SEF) SMTP Proxy Inconsistencies

From: support@securiteam.com
Date: 02/27/02

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 27 Feb 2002 18:57:34 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Symantec Enterprise Firewall (SEF) SMTP Proxy Inconsistencies


Corsaire Limited has discovered two low-risk issues with Symantec
Enterprise Firewall. The first is a potential information leak in the
Symantec Enterprise Firewall Simple Mail Transfer Protocol (SMTP) proxy
environment that could provide inappropriate information on the firewall
configuration. The second is that inconsistencies in the SMTP protocol
exchange could cause a connection to be denied.


Vulnerable systems:
Symantec Enterprise Firewall versions 6.5.x and 7.0

Corsaire Limited notified Symantec Corporation of some issues in the way
the Symantec Enterprise Firewall SMTP proxy worked with network address
translation (NAT). These issues could cause some undesirable results.

Symantec Enterprise Firewall uses application proxies to provide enhanced
security. Uses of this feature include restricting the sender/recipient
domains and hiding internal infrastructure information from external
users. Corsaire Limited discovered that when Symantec Enterprise Firewall
is configured to provide NAT to an SMTP connection, the function that hides
the internal server address by mapping it to an external public address is
not carried out completely.

The Symantec Enterprise Firewall SMTP proxy should analyze the SMTP format
and dynamically change the IP address as well as edit the required IP
header. Corsaire Limited's research demonstrated that when the inbound or
outbound SMTP connection was translated to an address other than the
address assigned to the physical firewall interface, the SMTP proxy
continued to use the name and address of the physical interface in the
SMTP protocol exchange.

There are two low-risk issues with the way Symantec Enterprise Firewall
handles the SMTP proxy interface. First, there is a potential information
leak: the SMTP protocol exchange includes information (the name and address
of the physical firewall interface rather than the translated address) that
could aid a malicious intruder in analyzing the firewall configuration.
Second, a receiving or transmitting host that enforces strict checks on the
SMTP protocol exchange may refuse the connection because the names and
addresses presented in the exchange are inconsistent with the translated
address. This could result in the non-delivery or bouncing of mail
messages.

Vendor response:
Symantec has verified the issues discovered by Corsaire Limited and
developed a fix that will be included with the near-future release of
Symantec Enterprise Firewall version 8.0. Until then, use the following
workarounds to address these issues:

 * Configure Symantec Enterprise Firewall to use the same name for the
firewall name and the firewall external interface name. This workaround
results in consistent names for SMTP replies.
 * If NAT is not needed, use the SMTP wizard included with Symantec
Enterprise Firewall to set up rules and redirects for all inbound and
outbound SMTP traffic.
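As an added example (not part of the advisory, and not Symantec or Corsaire code), the following Python checker takes a captured SMTP greeting exchange as seen by an outside mail host and reports the two symptoms described above: server replies that announce a host name other than the published external name, and RFC 1918 addresses appearing in server replies. The host names, addresses and both transcripts are constructed; the second transcript shows what a consistent exchange looks like after the first workaround has been applied.

```python
"""Check an SMTP greeting exchange for the NAT inconsistency described above.

Added example, not from the advisory or the vendor. Host names, addresses
and the transcripts are constructed. The checker reports (a) server replies
whose host name differs from the expected external name and (b) RFC 1918
addresses disclosed in server replies.
"""
import ipaddress
import re

# Constructed: what an outside mail host sees when a proxy still announces
# its physical interface name and address instead of the NAT name.
LEAKY_EXCHANGE = [
    "220 fw-ext0.example.net [10.1.2.1] ESMTP service ready",
    "EHLO mailer.example.org",
    "250-fw-ext0.example.net Hello mailer.example.org [192.0.2.77]",
    "250-SIZE 10240000",
    "250 HELP",
]

# Constructed: the same exchange after the names were made consistent.
CONSISTENT_EXCHANGE = [
    "220 mail.example.net ESMTP service ready",
    "EHLO mailer.example.org",
    "250-mail.example.net Hello mailer.example.org [192.0.2.77]",
    "250-SIZE 10240000",
    "250 HELP",
]

EXPECTED_NAME = "mail.example.net"  # hypothetical public (NAT) name of the proxy

REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def server_names(lines):
    """Host names the server announces: the 220 banner and the first 250 line
    answering HELO/EHLO (later 250- lines carry extensions, not a host name)."""
    names = []
    awaiting_hello_reply = False
    for line in lines:
        m = REPLY_RE.match(line)
        if m is None:
            if line.upper().startswith(("EHLO ", "HELO ")):
                awaiting_hello_reply = True
            continue
        code, rest = m.groups()
        if code == "220" or (code == "250" and awaiting_hello_reply):
            names.append((code, rest.split()[0]))
            awaiting_hello_reply = False
    return names


def rfc1918_addresses_in_replies(lines):
    """IPv4 addresses from the RFC 1918 ranges that appear in server replies."""
    found = []
    for line in lines:
        if REPLY_RE.match(line) is None:
            continue  # client commands are not the proxy's disclosure
        for text in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # e.g. 999.1.1.1 is not an address
            if any(addr in net for net in RFC1918):
                found.append(text)
    return found


def check_exchange(lines, expected_name):
    """Return a list of findings; an empty list means the exchange is consistent."""
    findings = []
    for code, name in server_names(lines):
        if name.lower() != expected_name.lower():
            findings.append(f"{code} reply announces {name}, expected {expected_name}")
    for addr in rfc1918_addresses_in_replies(lines):
        findings.append(f"server reply discloses private address {addr}")
    return findings


if __name__ == "__main__":
    for label, exchange in (("leaky", LEAKY_EXCHANGE), ("consistent", CONSISTENT_EXCHANGE)):
        print(f"{label}: {check_exchange(exchange, EXPECTED_NAME) or ['OK']}")
```

Only server replies (lines beginning with a three-digit code) are inspected, so the client's own address in the EHLO greeting is not reported; the RFC 1918 ranges are listed explicitly rather than using `ipaddress`'s `is_private`, which also matches documentation ranges such as 192.0.2.0/24 used here for the client. Run it against a transcript captured from outside the firewall before and after applying the workaround to confirm the names it announces match the published external name.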


The information has been provided by Sym Security <symsecurity@symantec.com>.


