In-Reply-To: <4.3.2.7.2.20020415144003.00ae4730at_private>

Symantec Enterprise Firewall FTP Bounce Vulnerability

Date Discovered: April 16, 2002
Risk: Medium (dependent on customer configuration)
Affected Versions:
  Raptor Firewall V6.5.3 (Solaris)
  Symantec Enterprise Firewall V7.0 (Solaris)

Overview

Symantec is aware of an FTP Bounce Vulnerability condition reported in Bugtraq ID# 267784 (http://online.securityfocus.com/archive/1/267784). This potential vulnerability could affect some Symantec Enterprise Firewall deployments. Using this FTP-protocol based vulnerability, an attacker could potentially hide an attack by using the firewall's identity against an unsuspecting and unprotected external machine. In addition, by overwriting the PORT command with its own internal address, the firewall overrides the FTP server's built-in protection mechanism against this type of attack.

Recommendation

If the FTP Bounce Attack affects your deployment, please make sure you apply the related hotfix available from the Symantec Enterprise Support site. This hotfix is an enhanced version of our FTPd module for the affected platforms that extends the protection currently provided by the firewall. We are currently investigating whether this problem impacts our remaining supported products and platforms, and we will release enhanced versions of the FTPd module as necessary. This module update is available for download from the Symantec Enterprise Support site (http://www.symantec.com/techsupp).

The following enhancements have been made to the FTPd module for Solaris:

1) By default, if the firewall detects a PORT request destined for an IP address other than the IP address of the FTP client, it will log the following warning:

   “353 Warning: PORT command referenced a destination (x.x.x.x) that doesn't match control channel (y.y.y.y): possible Bounce attack?
   To enforce strict PORT checking please set “ftpd.allow_address_mismatch=False” in the Config.cf file.”

   If the firewall administrator decides that this is not a problem in their environment, they can disable this Warning message by setting the following Config.cf variable:

   ftpd.suppress_address_mismatch_warning=True   (default is False)

2) If the firewall administrator wishes to enforce strict PORT command checking and block any PORT requests that reference an address other than the original FTP client IP, they can set the following Config.cf variable:

   ftpd.allow_address_mismatch=False   (default is True)

By enforcing “strict” PORT checking on the firewall, security administrators do not have to make sure that all of their FTP servers are patched or configured to block the FTP Bounce Attack.

These security enhancements were verified by Symantec and ICSA Labs (www.icsalabs.com). The new features extend the enterprise-level protection provided by our FTP proxy, which among other checks already includes protection against FTP Bounce attacks off the firewall itself, blocking of PORT commands that select a well-known port, FTP strong/weak user authentication methods, GET/PUT granular security policies, FTP protocol and command verification, and transparent address hiding.

Technical Description

The FTP Bounce attack exploits a known design flaw in the FTP standard. All RFC-compliant FTP servers must support the PORT command. The PORT command is used between an FTP client and server to coordinate the data channel connection between the two devices. The RFC dictates that a connection for the data channel should be allowed to any IP address and any port. However, this RFC compliance renders FTP servers vulnerable to misuse of the PORT command. For a more detailed explanation of this issue please see CERT(R) Advisory CA-1997-27 FTP Bounce and the related technical tip.
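The PORT-address check that enhancements 1) and 2) describe, written out in Python as an added example (this is not Symantec's FTPd module; the function names, the non-353 response strings and the sample addresses are constructed, and the two keyword arguments stand in for the Config.cf settings):

```python
import re

# Matches "PORT h1,h2,h3,h4,p1,p2" as defined in the FTP standard (RFC 959).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
                     re.IGNORECASE)

# Wording of the firewall's warning as quoted in the advisory; the other
# responses below are constructed for this example.
WARNING_353 = ("353 Warning: PORT command referenced a destination ({ip}) that "
               "doesn't match control channel ({client}): possible Bounce attack?")


def parse_port(line):
    """Return (ip, port) from an FTP PORT command, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]          # p1*256 + p2
    return ip, port


def check_port(line, client_ip, allow_address_mismatch=True,
               suppress_address_mismatch_warning=False):
    """Decide what the proxy does with one PORT command from client_ip.
    Returns (action, message): "ALLOW", "WARN" (forward and log) or "BLOCK".
    Keyword defaults mirror the Config.cf defaults given in the advisory."""
    parsed = parse_port(line)
    if parsed is None:
        return "BLOCK", "500 Malformed PORT command"   # constructed response
    ip, port = parsed
    if port < 1024:
        # The proxy already rejects PORT commands that select a well-known port.
        return "BLOCK", f"PORT command selected well-known port {port}"
    if ip == client_ip:
        return "ALLOW", ""
    # Address in PORT differs from the control-channel peer: the bounce case.
    if not allow_address_mismatch:
        return "BLOCK", f"PORT address {ip} does not match control channel {client_ip}"
    if suppress_address_mismatch_warning:
        return "ALLOW", ""
    return "WARN", WARNING_353.format(ip=ip, client=client_ip)
```

With the defaults, a mismatched address is forwarded but logged; only `allow_address_mismatch=False` turns the log line into a rejection.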
The Symantec Enterprise Firewall automatically rewrites the PORT command with either the address of the client machine or the firewall address. In either case, when the PORT request reaches the FTP server, the PORT command will match the source address of the FTP client. If configured to do so, the FTP server checks that the PORT command matches the IP address of the client, and in all cases it does. The FTP server then attempts to open a data connection to the client IP address, which is then translated by the firewall to the victim's IP address. This is not desired behavior, since it gives the security administrator a false sense of protection from an FTP bounce attack.

Copyright (c) 2002 by Symantec Corp. Permission to redistribute this Alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this Alert in a medium other than electronic requires permission from symsecurityat_private

Disclaimer: The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 18:27:00 PDT