Firestorm – how to avoid the latest Next Generation Firewall vulnerability

11 Dec

A new, severe vulnerability in Next Generation Firewalls was unveiled earlier this week by cyber threat detection specialist Cynet. The vulnerability, dubbed FireStorm, allows an internal entity or malicious code to interact with, and extract data out of, an organisation, completely bypassing the firewall's restrictions.

It was discovered that the firewalls are designed to permit a full TCP handshake regardless of the packet's destination, in order to gather enough content for the firewall to identify which application protocol is being used (web browsing, telnet, etc.).

This applies when the devices are configured, for example, to allow web browsing (HTTP/S) traffic from the LAN environment only to specific locations on the internet (URL filtering). It holds even if only a single location is allowed.

The vulnerability allowed specialists at Cynet to perform a full TCP handshake via the HTTP port with a command-and-control (C&C) server they hosted themselves. From there, the penetration testers were able to forge messages and tunnel them out through the TCP handshake process, bypassing the firewall to reach any destination on the internet, regardless of firewall rules and client restrictions.
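A defender-side check that follows from the behaviour just described: if the firewall lets the handshake complete and only then blocks the session, a compromised host abusing this will leave a trail of many very short web-port flows to a destination that URL filtering was never meant to allow. The script below is an added example, not code from Cynet or from this blog. It assumes a flow export (constructed here, not real telemetry) that records the packet count and the TCP flags seen over each flow; the allowlist, thresholds and addresses are all made up for the illustration.

```python
import csv
import io
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed flow records, not real telemetry. Assumed format: one line per TCP flow with
# the TCP flags seen across the whole flow (S=SYN, A=ACK, P=PSH, F=FIN, R=RST).
SAMPLE_FLOWS = """ts,src,dst,dport,pkts,bytes,flags
1449820800,10.0.0.5,203.0.113.10,443,412,301220,SAPF
1449820801,10.0.0.5,198.51.100.77,80,3,180,SA
1449820802,10.0.0.5,198.51.100.77,80,4,240,SAR
1449820803,10.0.0.9,203.0.113.10,443,98,71002,SAPF
1449820804,10.0.0.5,198.51.100.77,80,3,180,SA
1449820805,10.0.0.9,192.0.2.200,80,3,180,SA
1449820806,10.0.0.5,198.51.100.77,80,3,180,SAR
1449820807,10.0.0.5,192.0.2.53,53,2,140,SA
1449820808,10.0.0.5,198.51.100.77,80,4,240,SA
1449820809,10.0.0.5,198.51.100.77,80,3,180,SA
"""

WEB_PORTS = {80, 443}
# Constructed allowlist: the destinations the URL filtering policy is meant to permit.
ALLOWED_DESTINATIONS = {"203.0.113.10"}


def parse_flows(text: str) -> List[Dict[str, str]]:
    """Parse the CSV flow export into a list of dicts, one per flow."""
    return list(csv.DictReader(io.StringIO(text)))


def is_handshake_only(flow: Dict[str, str], max_pkts: int = 4) -> bool:
    """A flow that completed (or nearly completed) the three-way handshake but carried no
    application data: SYN and ACK seen, no PSH, and only a handful of packets."""
    flags = flow["flags"]
    return "S" in flags and "A" in flags and "P" not in flags and int(flow["pkts"]) <= max_pkts


def suspicious_pairs(flows: Iterable[Dict[str, str]], allowed=ALLOWED_DESTINATIONS) -> Counter:
    """Count handshake-only web-port flows per (src, dst) for destinations outside the allowlist."""
    counts: Counter = Counter()
    for flow in flows:
        if int(flow["dport"]) not in WEB_PORTS or flow["dst"] in allowed:
            continue
        if is_handshake_only(flow):
            counts[(flow["src"], flow["dst"])] += 1
    return counts


def alerts(flows: Iterable[Dict[str, str]], threshold: int = 5) -> List[Tuple[str, str, int]]:
    """Pairs whose handshake-only count reaches the threshold; a one-off failed connect stays quiet."""
    return sorted((src, dst, n) for (src, dst), n in suspicious_pairs(list(flows)).items() if n >= threshold)


if __name__ == "__main__":
    for src, dst, n in alerts(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}: {n} handshake-only web flows to a non-allowlisted destination")
```

On the constructed sample this flags only the 10.0.0.5 to 198.51.100.77 pair (six handshake-only flows); the single failed connect from 10.0.0.9 stays below the threshold, as does the DNS traffic on port 53. The threshold is a tuning knob: a legitimate client retrying an unreachable site can also produce a burst of short flows, so the count is a prompt to look at the destination, not proof of exfiltration.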

[Image: Firestorm blog - Firewall image]

You can read a full account of this Next Generation Firewall vulnerability on the Cynet blog, but what struck me was how this wouldn’t affect another type of technology, namely a guard.

The basic reason this doesn’t affect guards is that they terminate the TCP connection! So the compromised client trying to contact the C&C server only sends the maliciously crafted handshake to the guard, which terminates the TCP connection rather than forwarding it.

The guard then creates an entirely new connection by sending a clean SYN packet, without the sensitive data, to the destination (if the guard is configured to send to that destination), so there is no chance of data being exfiltrated by the client within the TCP handshake.

[Image: Firestorm blog - Guard image]

In summary, guards are all essentially explicit proxy servers (terminate the session, extract the payload, establish a new session to a pre-determined destination) rather than firewalls (which generally just forward packets on and track the sessions). Any vulnerability affecting packet forwarding will therefore only apply to next generation firewalls and have no impact on guards.
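The difference between "forward the handshake" and "terminate and re-originate" can be made concrete with a small model. The code below is an added example, not Cynet's code and not the implementation of any guard product. It models only the SYN: which sender-chosen fields (initial sequence number, options, any bytes carried in the SYN) reach the destination under each behaviour. The addresses, the guard's configured destination and its option bytes are all constructed for the illustration, and the real-world caveat is that a real guard also inspects the extracted payload before it opens the second session, which this model leaves out.

```python
import secrets
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Syn:
    """The parts of a TCP SYN that whoever originates the segment gets to choose."""
    src: str
    dst: str
    dport: int
    isn: int        # initial sequence number
    options: bytes  # raw TCP option bytes
    payload: bytes  # data carried in the SYN itself (empty in a normal handshake)


WEB_PORTS = {80, 443}
# Constructed: the single pre-determined destination this guard is configured to reach.
GUARD_DESTINATIONS = {"203.0.113.10"}
GUARD_OUTSIDE_ADDRESS = "192.0.2.1"  # constructed: the guard's own address on the outside

Device = Callable[[Syn], Optional[Syn]]


def firewall_forward(client_syn: Syn) -> Optional[Syn]:
    """Model of the behaviour the article describes: a web-port handshake is relayed to any
    destination, because the application can only be identified once data flows. Every
    client-chosen field reaches the destination unchanged."""
    if client_syn.dport not in WEB_PORTS:
        return None
    return client_syn


def guard_relay(client_syn: Syn) -> Optional[Syn]:
    """Model of a guard: the client's handshake terminates on the guard. If, and only if, the
    destination is one the guard is configured for, the guard opens its own connection with a
    clean SYN: fresh ISN, its own options, no payload. Nothing from the client's SYN is copied."""
    if client_syn.dport not in WEB_PORTS or client_syn.dst not in GUARD_DESTINATIONS:
        return None  # answered or refused locally; nothing leaves the guard
    return Syn(
        src=GUARD_OUTSIDE_ADDRESS,
        dst=client_syn.dst,
        dport=client_syn.dport,
        isn=secrets.randbits(32),
        options=b"\x02\x04\x05\xb4",  # constructed: the guard's own MSS option, not the client's
        payload=b"",
    )


def what_destination_sees(device: Device, client_syn: Syn) -> Dict[str, object]:
    """Summarise which client-controlled handshake fields survive the device."""
    delivered = device(client_syn)
    if delivered is None:
        return {"delivered": False, "client_isn": False, "client_options": False, "client_payload": b""}
    return {
        "delivered": True,
        "client_isn": delivered.isn == client_syn.isn,
        "client_options": delivered.options == client_syn.options,
        "client_payload": delivered.payload,
    }


# Constructed client SYN: fields a compromised host has filled with bytes of its own choosing.
CLIENT_SYN = Syn(src="10.0.0.5", dst="198.51.100.77", dport=80,
                 isn=0x41424344, options=b"\x03\x03\x07", payload=b"constructed-bytes")


if __name__ == "__main__":
    for name, device in (("firewall", firewall_forward), ("guard", guard_relay)):
        print(name, what_destination_sees(device, CLIENT_SYN))
    # Even towards the guard's configured destination, the SYN that leaves is the guard's own.
    to_allowed = replace(CLIENT_SYN, dst="203.0.113.10")
    print("guard, configured destination", what_destination_sees(guard_relay, to_allowed))
```

Run it and the firewall model delivers the client's ISN, options and payload to an arbitrary destination, while the guard model delivers nothing at all to an unconfigured destination and, for the configured one, a SYN in which none of the client's fields survive. That is the whole of the argument above in executable form: the covert channel lives in the handshake, and a device that originates its own handshake does not carry it.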

One Response to “Firestorm – how to avoid the latest Next Generation Firewall vulnerability”

  1. l0rd January 13, 2016 at 13:24 #

    Nice PoV for the vulnerability
    http://www.bugsec.com/news/firestorm-movie/
