
[fw1-gurus] Updated: Panic When SecureXL and NAT Are Used and a Malformed TCP Packet is Received in IPSO

Hey folks:

Wearing my Nokia hat again, I'm passing along an updated security
vulnerability notification about IPSO, SecureXL, and NAT.

-- PhoneBoy

-- snip --

Panic When SecureXL and NAT Are Used and a Malformed TCP Packet is Received

Revision 1, February 4, 2009

Summary

Nokia security appliances running Nokia IPSO 4.1, 4.2, 5.0, 6.0 or
older can panic if SecureXL and NAT are enabled and certain malformed
TCP packets are sent in an attempt to attack the network. Note: IPSO
6.1 is not vulnerable to this issue.

Risk Analysis

To exploit this vulnerability, the Nokia appliance must be configured
with both SecureXL and NAT enabled; the attacker must be able to send
malformed TCP packets to the firewall and firewall policy must be set
to allow these malformed packets.

Severity: High

Population Affected

Any Nokia security appliance running with SecureXL and NAT enabled
when specific malformed TCP packets are sent through the firewall.

1. Customer Recommended Actions

Customers who are not running SecureXL and NAT need not take action as
their systems are not vulnerable. All other customers are recommended
to either upgrade Nokia IPSO or enhance their firewall policy to drop
these packets.

More information about these fixes and workarounds is available in
Nokia knowledgebase article KB1357601, which will be updated as new
information becomes available.

Best practices documented in RFC1858 suggest that forwarding packets
smaller than 68 bytes may open your network to "Tiny Fragment
Attacks." The various workarounds discussed below place restrictions
on what kinds of fragmented packets are allowed to be forwarded.

2. Recommended IPSO Changes

If choosing to upgrade Nokia IPSO, the following versions are
available via the Nokia Knowledge Base:

   1. IPSO 4.2 build 096 or later
   2. IPSO 4.1 build 053 or later
   3. IPSO 5.0 build 056 for VSX NGX R65 or later (Nokia knowledge
      base article KB1611013 – this is a controlled access article, please
      contact Nokia Technical Support for further information)

Customers using IPSO 6.0 should upgrade to IPSO 6.1.

3. Alternative Check Point Policy Changes

As an alternative to upgrading Nokia IPSO or VSX, the Check Point
VPN-1/FireWall-1 application can be enhanced to drop these packets on
a policy level before they are passed to the IPSO kernel thereby
preventing the issue. To accomplish this, one of the following
configuration changes should be made to the firewall:

Enable the SmartDefense option Forbid IP Fragments. This option may
result in connectivity issues if other desired but fragmented traffic
exists.

Using GUIDBEDIT, set fwfrag_minsize to 20. This option may result in
connectivity issues if other desired but fragmented UDP traffic
exists. More details about this workaround are available in Nokia
knowledgebase article KB1357601.

Disable SecureXL. This option may result in an unacceptable level of
performance degradation.

Acknowledgements

Nokia gratefully acknowledges Karthik Chandrashekar, Damon LeRoy and
Kevin Sahota of eBay Network Security for their work leading to the
discovery and responsible disclosure of this issue.
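Added example, not code from the advisory or from Nokia/Check Point: the fragment policy the workarounds above describe, written as a standalone check over constructed IPv4 packets. The 20-byte minimum for an initial fragment mirrors the fwfrag_minsize value quoted above, and the overlap rule generalizes the RFC 1858 tiny-fragment check to any fragment landing inside those first bytes (an assumption of this example, stricter than the RFC's FO=1 rule).

```python
import struct

# Minimum transport-layer bytes required in an initial TCP fragment (one full
# TCP header). Assumed for this example; it mirrors the fwfrag_minsize=20 workaround.
MIN_FIRST_FRAGMENT_PAYLOAD = 20

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the IPv4 header fields a fragment policy needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("bad version or IHL")
    return {
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),           # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,       # fragment offset in bytes
        "payload_len": min(total_len, len(pkt)) - ihl,
    }

def fragment_verdict(pkt: bytes, min_first: int = MIN_FIRST_FRAGMENT_PAYLOAD) -> str:
    """Return 'accept' or a drop reason for one packet under the tiny-fragment policy."""
    h = parse_ipv4(pkt)
    fragmented = h["mf"] or h["offset"] > 0
    if not fragmented or h["proto"] != 6:   # only TCP fragments are policed here
        return "accept"
    if h["offset"] == 0 and h["payload_len"] < min_first:
        return "drop: initial fragment shorter than a full TCP header"
    if 0 < h["offset"] < min_first:
        # A later fragment written into the first min_first bytes could overwrite
        # TCP header fields that were already inspected in the initial fragment.
        return "drop: fragment offset overlaps the TCP header"
    return "accept"

def make_ipv4(payload: bytes, mf: bool, offset_bytes: int, proto: int = 6) -> bytes:
    """Build a constructed IPv4 packet (checksum left zero) for the samples below."""
    flags_frag = (0x2000 if mf else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# Constructed sample packets: addresses and payloads are placeholders.
SAMPLES = {
    "tiny_first":   make_ipv4(b"\x00" * 8,  mf=True,  offset_bytes=0),
    "overlapping":  make_ipv4(b"\x00" * 16, mf=True,  offset_bytes=8),
    "normal_first": make_ipv4(b"\x00" * 40, mf=True,  offset_bytes=0),
    "tail":         make_ipv4(b"\x00" * 16, mf=False, offset_bytes=40),
    "unfragmented": make_ipv4(b"\x00" * 8,  mf=False, offset_bytes=0),
}
```

Running `fragment_verdict` over `SAMPLES` drops only the two tiny-fragment cases; an unfragmented 8-byte TCP packet is left to the normal policy, which is why the workaround targets fragments rather than short packets in general.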