[NEWS] Firewall-1 HTTP Security Server - Proxy Vulnerability

From: support@securiteam.com
Date: 09/22/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 22 Sep 2002 13:03:27 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Firewall-1 HTTP Security Server - Proxy Vulnerability
------------------------------------------------------------------------

SUMMARY

A security vulnerability in the way Checkpoint's Firewall-1 handles
incoming traffic allows users of the firewall's services to bypass it,
even though it has been configured to block users that do not provide
UserAuth (User Authentication).

DETAILS

Vulnerable systems:
 * Checkpoint FW-1 Version 4.1 and NG (confirmed by Checkpoint)

With an "out of the box" installation of FW-1 and the following rule base:

Source            Destination  Service  Action    Track  Comment
AllUsers@SomeNet  webserver    http     UserAuth  Long   Allow Auth HTTP
Any               firewall     Any      drop      Long   Stealth Rule
Any               Any          Any      drop      Long   CleanUp Rule

configuring the browser to proxy traffic as follows enables a client
browser to pass HTTPS and FTP traffic through the FW-1 enforcement point
(even though only HTTP is allowed by the rule base):

Type    Proxy Address  Port
HTTP    firewall       80
Secure  firewall       80
FTP     firewall       80

Technical detail:
When using an action of UserAuth in Firewall-1 (even without using a
resource), the traffic is handled by the Security Servers, in this case
the HTTP Security Server (in.ahttpd).

It appears that the default for the HTTP Security Server is to allow any
traffic that is proxied through the server (i.e. HTTP, HTTPS, and FTP).

If a URI Resource is used explicitly, the administrator is presented with
the option to choose which Schemes (http, ftp, gopher, mailto, news, wais,
Other) and Methods (GET, POST, HEAD, PUT, Other) etc. should be allowed.

This option is not available for the HTTP service on its own.

This same issue can be applied to an HTTPS service by following the
instructions for Authenticating outbound HTTPS (See VPN-1/Firewall-1
Administration Guide page 504).

This will enable an HTTP Security Server on TCP:443. The client proxies
are then set to port 443 and the traffic is passed in the same way.

When using SP6, the behavior exhibited is slightly improved, due to the
changes outlined in the SP6 Release Notes (July 23, 2002), Known
Limitations point 9, page 4: "The HTTP Security Server handles proxy and
tunneled connection requests differently than earlier FireWall-1
versions."

With a default SP6 install, trying to access an HTTPS site via an HTTP
only rule will fail, with an incorrect error message in the Log File,
however FTP access still succeeds.

Also, setting http_connection_method_tunneling (true) reverts the module
to the SP5 (and earlier) behavior.
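The following is an added example, not Check Point code, that models the screening logic the advisory describes: a bare UserAuth http rule hands any proxy-style request line (absolute-URI GET for ftp://, CONNECT for the browser's "Secure" proxy) to in.ahttpd unchecked, SP6 refuses only the CONNECT tunnel, and a URI Resource with an explicit Schemes/Methods list blocks the rest. The request lines, host names and the SP6 modelling as "refuse CONNECT" are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Proxy-style request lines as a browser emits them: absolute URI for HTTP/FTP,
# CONNECT host:port for the "Secure" (HTTPS) proxy setting.
ABS_URI = re.compile(r"^(?P<method>[A-Z]+) (?P<scheme>[a-z]+)://"
                     r"(?P<host>[^/\s:]+)(?::(?P<port>\d+))?\S* HTTP/1\.[01]$")
CONNECT = re.compile(r"^CONNECT (?P<host>[^:\s]+):(?P<port>\d+) HTTP/1\.[01]$")

def parse_request_line(line):
    """Return (method, scheme, host, port); scheme 'tunnel' marks a CONNECT."""
    m = CONNECT.match(line)
    if m:
        return ("CONNECT", "tunnel", m["host"], int(m["port"]))
    m = ABS_URI.match(line)
    if m:
        default = {"http": 80, "https": 443, "ftp": 21}.get(m["scheme"], 0)
        return (m["method"], m["scheme"], m["host"], int(m["port"] or default))
    return None

@dataclass
class UriResource:
    # The Schemes/Methods pick-lists the advisory says a URI Resource offers.
    schemes: frozenset = frozenset({"http"})
    methods: frozenset = frozenset({"GET", "POST", "HEAD"})
    tunneling: bool = False   # the "Tunneling" connection method re-opens CONNECT

def screen(line, resource=None, sp6=False):
    """Verdict (accept/drop, reason) for one proxied request line.
    resource=None models a bare UserAuth rule on the http service (assumed)."""
    req = parse_request_line(line)
    if req is None:
        return "drop", "not a proxy-style request line"
    method, scheme = req[0], req[1]
    if resource is None:
        # Bare rule: in.ahttpd proxies any scheme. SP6 modelled as refusing only
        # the CONNECT tunnel (http_connection_method_tunneling (true) undoes that).
        if sp6 and scheme == "tunnel":
            return "drop", "SP6 default: tunneled connection refused"
        return "accept", f"{scheme} proxied by in.ahttpd without scheme/method check"
    if scheme == "tunnel":
        return (("accept", "tunneling enabled in resource") if resource.tunneling
                else ("drop", "CONNECT not permitted by resource"))
    if scheme not in resource.schemes:
        return "drop", f"scheme {scheme} not allowed by resource"
    if method not in resource.methods:
        return "drop", f"method {method} not allowed by resource"
    return "accept", "matches URI resource"
```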

Impact:
Since the issue outlined above requires that a user be authenticated, the
impact is likely to be small in most cases.

However, certain installations may require that certain users be allowed
restricted access to certain environments (such as DMZs etc.).

With the current default functionality in FW-1 the expected access
restrictions are not going to apply.

Solution:
The only solution that comes to mind is to use Resources for ALL UserAuth
rules; this gives the ability to manually configure the required access
and block unwanted methods etc. When using a resource this
"functionality" is disabled by default; selecting the "Tunneling"
connection method in the resource re-enables it.

This requirement is enforced when running a fixed version from Checkpoint.

Current Status with Vendor:
Checkpoint has raised the following CRs:
CR00073948, for FireWall-1 version 4.1 SP6
CR00073595, for FireWall-1 version NG FP2

Checkpoint has developed a Hotfix to resolve this issue. The Hotfix
disallows client proxy connections to UserAuth rules that do not make use
of resources by default. This behavior can be overridden by manually
changing options in the objects.C file.

ADDITIONAL INFORMATION

The information has been provided by Mark van Gelder <vgelder@icon.co.za>.
