Gauntlet 5.0 BSDI warning

From: Keith Young (kyoung@V-ONE.COM)
Date: Mon Oct 18 1999 - 09:16:20 PDT


    		Security issue in Gauntlet 5.0 BSDI when
    		BSDI patches are installed in a specific order
    		by Keith Young
    		(kyoung@v-one.com)
    		-=0=--=0=--=0=--=0=--=0=--=0=--=0=--=0=--=0=-
    
    SYSTEM AFFECTED -
    	Gauntlet 5.0 BSDI with latest Gauntlet patches
    	Other Gauntlet 5.0 patched systems are not affected
    	Unpatched Gauntlet 5.0 BSDI is not affected
    
    
    SYNOPSIS -
    	Local trusted and remote non-trusted users with routes through the
    	firewall may bypass all Gauntlet security rules.
    	No activity will appear in the /var/log/messages log file.
    	Internal network scheme is exposed.
    
    	This issue will appear if you do the following in sequence:
    	1) Install BSDI 3.1
    	2) Install Gauntlet 5.0
    	3) Install BSDI patch M310-049
    	4) Install Gauntlet 5.0 kernel patch level 2
    
    
    VENDOR CONTACT -
    	Vendor has been contacted and trouble ticket assigned.
    	Patch will be released soon.
    
    
    OTHER NOTES -
    	A) Behavior occurs if connection is through any adaptive proxy
    	(http-pdk), "old" proxy (http-gw) or no proxy at all (any TCP
    	connection).
    	B) Packets will not be NATed by firewall, so to be 100% successful, a
    	route will need to be published to get to your internal network through
    	your firewall.
    	C) As mentioned, nothing is ever logged in /var/log/messages
    	D) Adding NATs to Gauntlet does not change the packets.
    
    
    SOLUTIONS -
    	A) Install M310-049 *before* installing Gauntlet 5.0.
    	B) A vendor patch/fix/suggestion is coming.
    	C) Workaround - **Neither myself, V-ONE, nor NAI is responsible for the
    	correct/incorrect use of this.** **Doing this may adversely affect your
    	system and may void tech support.**
    		(as root)
    		1) # cp /usr/local/sys.gauntlet/i386/OBJ/ip_input.o /usr/src/sys/i386/OBJ
    		2) # sh /usr/local/sys.gauntlet/build_kernel/build_kernel 50.1
    		3) # reboot
    
    
    HOW TO REPRODUCE -
    
    	Network configuration:
    
    	[client]====[firewall]====[WWW/FTP-server]
    	(internal)		  (external)
    	Client/Server: either Win98 or RedHat Linux 6.0, P2-350, 128MB RAM
    	Firewall: P2-350, 256MB RAM, 10GB hard drive, any BSDI-compatible NIC
    
    	All network connections done via 10baseT crossover cables, however
    	users can be across hubs or routers.
    
    Listed here are the exact steps needed to reproduce this problem.
    
    1) Install BSDI 3.1, March 1998. Use automatic install, however you may
    install minimal packages if you wish.
    2) Mount the Gauntlet 5.0 CD-ROM. Execute /cdrom/fwinstall
    3) Install Gauntlet 5.0.
    4) Reboot after installation.
    5) Login as root.
    6) Enter "Fast GUI Setup". Fill in appropriate Interface settings for
    external and internal interfaces. If necessary, configure ESPM hosts, DNS
    settings, and admin users.
    7) Quit gauntlet-admin, save changes, and rebuild.
    8) After proxies have reconfigured, reboot machine.
    9) Since M310-049 is required for Gauntlet kernel patch install, and
    M310-046 is required for M310-049 installation, download both from
    ftp://ftp.bsdi.com/bsdi/patches/patches-3.1/
    	File info:
    	M310-046	1194 Kb    Wed Oct 14 00:00:00 1998
    	M310-049	116 Kb     Wed Dec 16 00:00:00 1998
    Both patches are considered "OK" by the Gauntlet support site:
    http://www.tis.com/support/bsd31.html
    
    10) Bring machine to single-user mode by executing "kill -term 1".
    11) Execute "perl5 M310-046 apply" to install BSDI libc patch.
    12) Execute "perl5 M310-049 apply" to install IP DoS fix.
    13) Execute "cd /sys/compile/GAUNTLET-V50/".
    14) Build new kernel as required by M310-049 IP DoS kernel fix.
    	# make clean
    	# make depend
    	# make
    15) After kernel is rebuilt, reboot machine.
    16) Download Gauntlet 5.0 kernel and cluster patch:
    	File info:
    	cluster.BSDI.patch	12623 Kb    Wed Sep 01 19:33:00 1999
    	kernel.BSDI.patch	414 Kb      Wed Aug 04 17:54:00 1999
    17) As noted in patch install directions, execute the following:
    	# sh ./cluster.BSDI.patch
    	# sh ./kernel.BSDI.patch
    	# cd kernel.BSDI.patch
    	# sh ./apply
    	# cd ../cluster.BSDI.patch
    	# sh ./apply
    18) After patches are installed, reboot machine.
    19) Install ESPM-GUI on client machine. Start ESPM-GUI. Add client
    machine to trusted network group. Apply changes.
    20) Start web browser on client machine. Set web proxy setting to
    internal interface of firewall. Attempt to connect to external web
    server. Access is allowed. *This is correct.*
    21) Remove http-gw from trusted network services. Apply changes. Attempt
    to connect to external web server. Access is denied. *This is correct.*
    
    ==Problem starts here==
    
    22) Remove proxy setting in web browser on client machine. Set
    gateway/default route on client machine to internal interface of
    firewall. Set gateway/default route on server machine to external
    interface of firewall.
    23) Clear web browser cache. Attempt to connect to external web server.
    Web page is downloaded with no logs in Gauntlet.
    24) Start ESPM-GUI. Remove all services from trusted network services.
    Remove client machine from ESPM network group. Apply changes.
    25) FTP from client machine to server. FTP connection is made though no
    rule exists.
    26) Start telnet server on client machine. Telnet from server to client.
    Telnet connection is made.
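The following post-install audit script is an added example (not from this advisory, V-ONE, NAI or BSDI) that checks the two observable conditions the report describes: whether the kernel build tree's ip_input.o still matches the Gauntlet-supplied object that the workaround copies back, and whether a plain unproxied TCP connection through the firewall is forwarded. The object paths are the ones named above; the TEST_HOST/TEST_PORT values and the nc-based probe are assumptions you supply from a client whose default route is the firewall's internal interface.

```shell
#!/bin/sh
# Audit helper (added example, not the advisory's or vendor's own tooling).
# Check 1: the BSDI M310-049 kernel build replaces the Gauntlet ip_input.o in
#          the build tree; a byte-compare tells you whether that happened.
# Check 2: with no browser proxy and the firewall as default route, a raw TCP
#          connect to an external host must NOT succeed once the firewall is
#          enforcing its rules again.

GAUNTLET_OBJ="${GAUNTLET_OBJ:-/usr/local/sys.gauntlet/i386/OBJ/ip_input.o}"
BUILD_OBJ="${BUILD_OBJ:-/usr/src/sys/i386/OBJ/ip_input.o}"

# 0 = identical, 1 = differ (BSDI build has replaced Gauntlet's object),
# 2 = one of the files is missing.
ip_input_matches() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    cmp -s "$1" "$2"
}

# 0 = a plain TCP connect to host:port succeeded (policy bypass when run
# from an internal client with no proxy configured), non-zero = blocked,
# refused or timed out, 3 = nc is not installed (assumed probe tool).
direct_tcp_open() {
    command -v nc >/dev/null 2>&1 || return 3
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Prints a verdict for both checks; returns the ip_input_matches status.
audit_report() {
    rc=0
    ip_input_matches "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $2 matches the Gauntlet object" ;;
        1) echo "WARNING: $2 differs from $1 - re-run the workaround build" ;;
        *) echo "SKIP: object file missing ($1 or $2)" ;;
    esac
    if [ -n "$3" ] && [ -n "$4" ]; then
        if direct_tcp_open "$3" "$4"; then
            echo "WARNING: unproxied TCP to $3:$4 was forwarded by the firewall"
        else
            echo "OK: unproxied TCP to $3:$4 was not forwarded"
        fi
    fi
    return $rc
}

# Only run automatically on a host that actually has the Gauntlet object.
[ -f "$GAUNTLET_OBJ" ] && audit_report "$GAUNTLET_OBJ" "$BUILD_OBJ" \
    "${TEST_HOST:-}" "${TEST_PORT:-}"
```

Run the object check on the firewall itself after any BSDI kernel rebuild, and the connect probe from an internal client against a test host on the external side; a WARNING from either means the rules described above are not being enforced.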
    


