OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: William Aguilar (waguilarsymantec.com)
Date: Wed Apr 17 2002 - 16:06:11 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ('binary' encoding is not supported, stored as-is) In-Reply-To: <4.3.2.7.2.20020415144003.00ae4730192.168.124.1>

    Symantec Enterprise Firewall FTP Bounce
    Vulnerability

    Date Discovered
    April 16, 2002

    Risk
    Medium (dependent on customer configuration)

    Affected Versions:
    Raptor Firewall V6.5.3 (Solaris)
    Symantec Enterprise Firewall V7.0 (Solaris)

    Overview
    Symantec is aware of an FTP Bounce Vulnerability
    condition reported in Bugtraq ID# 267784
    (http://online.securityfocus.com/archive/1/267784).
    This potential vulnerability could affect some
    Symantec Enterprise Firewall deployments. Using
    this FTP-protocol based vulnerability, an attacker
    could potentially hide an attack by using the firewall
    identity against an unsuspecting and unprotected
    external machine. In addition, by overwriting the
    PORT command with its own internal address, the
    firewall overwrites the FTP-server built-in protection
    mechanism that protects against this type of attack.

    Recommendation
    If the FTP Bounce Attack affects your deployment,
    please make sure you apply the related hotfix
    available from the Symantec Enterprise Support site.
    This hotfix is an enhanced version of our FTPd
    module for the affected platforms that extends the
    protection currently provided by the firewall. We are
    currently investigating if this problem impacts our
    remaining supported products and platforms and we
    will release enhanced versions of the FTPd module
    as necessary.

    This module update is available for download from
    the Symantec Enterprise Support site
    (http://www.symantec.com/techsupp). The following
    enhancements have been made to the FTPd module
    for Solaris:

    1) By default, if the firewall detects a PORT
    request destined for an IP address other than the IP
    address of the FTP client, it will log the following
    warning:

    &#8220;353 Warning: PORT command referenced a
    destination (x.x.x.x) that doesn't match control
    channel (y.y.y.y): possible Bounce attack? To enforce
    strict PORT checking please
    set &#8220;ftpd.allow_address_mismatch=False&#8221; in the
    Config.cf file.&#8221;

    If the firewall administrator decides that this is not a
    problem in their environment, they can disable this
    Warning message by setting the following Config.cf
    variable:

    ftpd.suppress_address_mismatch_warning=True
    (default is False)

    2) If the firewall administrator wishes to
    enforce strict PORT command checking and block
    any PORT requests that reference a different
    address than the original FTP client IP they can set
    the following Config.cf variable:

    ftpd.allow_address_mismatch=False (default is True)

    By enforcing &#8220;strict&#8221; PORT checking on the firewall,
    security administrators do not have to make sure that
    all of their FTP servers are patched or configured to
    block the FTP Bounce Attack.

    These security enhancements were verified by
    Symantec and ICSA Labs (www.icsalabs.com). The
    new features will extend the enterprise-level
    protection provided by our FTP proxy which among
    other checks already includes protection against FTP
    Bounce attacks off the firewall itself, blocking PORT
    commands that select a well-known port, FTP
    strong/weak user authentication methods, GET/PUT
    granular security policies, FTP protocol and
    command verification, and transparent address
    hiding.

    Technical Description
    The FTP Bounce attack exploits a known design flaw
    in the FTP standard. All RFC compliant FTP servers
    must support the PORT command. The PORT
    command is used between an FTP client and server
    to coordinate the data channel connection between
    the two devices. The RFC dictates that a connection
    for the data channel should be allowed to any IP
    address and any port. However, this RFC-
    compliancy renders FTP Servers vulnerable to
    misuse of the PORT command. For a more detailed
    explanation of this issue please see CERTŪ Advisory
    CA-1997-27 FTP Bounce and the related technical tip.

    The Symantec Enterprise Firewall automatically
    rewrites the PORT command with either the address
    of the client machine or the firewall address. In either
    case when the PORT request reaches the FTP
    server, the PORT command will match the source
    address of the FTP client. If configured, the FTP
    server scans the packet to make sure the PORT
    command matches the IP address of the client, and
    in all cases it does. The FTP server then attempts to
    open a data connection to the client IP address,
    which then gets translated by the firewall to the
    victim&#8217;s IP address. This is not a desired behavior
    since it gives the security administrator a false sense
    of protection from an FTP bounce attack.



    Copyright (c) 2002 by Symantec Corp.
    Permission to redistribute this Alert electronically is
    granted as long as it is not edited in any way unless
    authorized by Symantec Security Response.
    Reprinting the whole or part of this Alert in medium
    other than electronically requires permission from
    symsecuritysymantec.com.
    Disclaimer:
    The information in the advisory is believed to be
    accurate at the time of printing based on currently
    available information. Use of the information
    constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this
    information. Neither the author nor the publisher
    accepts any liability for any direct, indirect or
    consequential loss or damage arising from use of, or
    reliance on this information.
    Symantec, Symantec products, Symantec Security
    Response, and SymSecurity are Registered
    Trademarks of Symantec Corp. and/or affiliated
    companies in the United States and other countries.
    All other registered and unregistered trademarks
    represented in this document are the sole property of
    their respective companies/owners.