
Re: [fw1-gurus] Critical Security Vulnerability in Nokia IPSO with SecureXL and NAT



Yeah, got email notification from Nokia. Not sure if the vulnerability exists if just 'flows' is enabled rather than SecureXL?

On Mon, Jan 26, 2009 at 7:42 PM, Dameon Welch-Abernathy <dwelch@xxxxxxxxxxxx> wrote:
I'm putting on my Nokia hat here for a moment to ensure you are all
aware of a critical security vulnerability that has been announced
against Nokia IPSO. I'll answer whatever questions I can about this.

-- PhoneBoy

-- snip --

Panic When SecureXL and NAT Are Used and a Malformed Packet Is Received

Summary

Nokia security appliances running Nokia IPSO 4.1, 4.2, 5.0, 6.0 or
older can panic if SecureXL and NAT are enabled and certain malformed
packets are sent in an attempt to attack the network. Note: IPSO 6.1
is not vulnerable to this issue.

Risk Analysis

To exploit this vulnerability, the Nokia appliance must be configured
with both SecureXL and NAT enabled; the attacker would have to be able
to send malformed packets to the firewall and firewall policy would
have to be set to allow these malformed packets.

Severity: High

Population Affected

Any Nokia security appliance running with SecureXL and NAT enabled
when specific malformed packets are sent through the firewall.

Customer Recommended Actions

Customers who are not running SecureXL and NAT need not take action as
their systems are not vulnerable. All other customers are recommended
to either upgrade Nokia IPSO or enhance their firewall policy to drop
these packets.

More information about these fixes and workarounds is available in
Nokia knowledgebase article KB1357601, which will be updated as new
information becomes available.

Nokia IPSO maintenance releases are planned for the near future that
will allow forwarding of these packets so that vulnerability tests
using malformed packets will be able to traverse the firewall if
desired.

Recommended IPSO Changes

If choosing to upgrade Nokia IPSO, the following versions are
available via the Nokia Knowledge Base:

IPSO 4.2 build 096 (Nokia knowledge base article KB1610996)
IPSO 4.1 build 053 (Nokia knowledge base article KB1611001)
IPSO 5.0 build 056 for VSX NGX R65 (Nokia knowledge base article
KB1611013 – this is a controlled access article, please contact Nokia
Technical Support for further information)
Customers using IPSO 6.0 should upgrade to IPSO 6.1.

Alternative Check Point Policy Changes

As an alternative to upgrading Nokia IPSO or VSX, the Check Point
VPN-1/FireWall-1 application can be enhanced to drop these packets on
a policy level before they are passed to the IPSO kernel thereby
preventing the issue. To accomplish this, one of the following
configuration changes should be made to the firewall:

Enable Smart Defense option Forbid IP Fragments. This option may
result in connectivity issues if other desired but fragmented traffic
exists.

Using GUIDBEDIT set fwfrag_minsize to 20. This option may result in
connectivity issues if other desired but fragmented UDP traffic
exists.

Disable SecureXL. This option may result in an unacceptable level of
performance degradation.


Acknowledgements

Nokia would like to acknowledge Karthik Chandrashekar, Damon LeRoy and
Kevin Sahota of eBay Network Security for their work leading to the
discovery and responsible disclosure of this issue.
_______________________________________________
fw1-gurus mailing list
fw1-gurus@xxxxxxxxxxxxxxxxxx
http://lists.phoneboy.com/listinfo.cgi/fw1-gurus-phoneboy.com
