NetGear FM114P URL filter bypassing vulnerability

From: Marc Ruef (marc.ruefat_private)
Date: Sat Sep 07 2002 - 00:08:39 PDT


    Hi!
    
    The NetGear FM114P is a hub, printer server, wireless access point,
    firewall and IDS. The firewalling module also supports filtering for
    domain names (e.g. "www.computec.ch").
    
    This is the same problem as described in
    http://online.securityfocus.com/bid/5629 - The NetGear FM114P does not
    resolve host and domain names by default. Due to this flaw, a user may
    access a site by entering the IP address instead of the host and domain
    name. http://www.computec.ch/software/firewalling/url_filtering-tunnel/
    explains the problem in German and provides a possible exploit.
    
    A possible workaround is to add the IP address(es) of the forbidden
    hostname to the blacklist (e.g. "195.65.88.12"). But don't forget that
    some smart attackers could use dotless IP addresses (e.g.
    "http://3275839500"). And you'll get some problems with virtual hosting
    webservers. Also, every additional filter entry will slow down the
    FM114P.
    
    The vulnerability has been tested on NetGear FM114P firmware Version 1.0
    (default) and firmware Version 1.3 Release 04. I've informed the vendor
    on 02/09/05 with an email to supportat_private - The following message
    came back two days later (very nice response time):
    
    > You've probably already noticed that the router is not designed to block
    > sites by IP address -- only by keyword -- This is *not* a vulnerability,
    > just not something the router was designed to do -- Taken from the
    > FM114P Reference Manual:  "Content Filtering
    > With its content filtering feature, the NETGEAR ProSafe Firewall
    > prevents objectionable content from reaching your PCs. The firewall
    > allows you to control access to Internet content by screening for
    > keywords within Web addresses. You can configure the firewall to log and
    > report attempts to
    > access objectional Internet sites."
    > 
    > "The NETGEAR ProSafe Firewall allows you to restrict access based on Web
    > addresses and Web address keywords. Up to 255 entries are supported in
    > the Keyword list. The Keyword Blocking menu is shown in Figure 5-2:"
    > 
    > As for IP address blocking being added to future firmware revisions,
    > you'll be able to request it at this link (which will be read by
    > Netgear's Engineers) --
    > http://www.expressresponse.com/netgear1/feedbackmenu.html
    
    Everyone can say that software has "no vulnerabilities", just "missing
    features". I've filled in this form with my feature and security
    suggestions and hope that they'll fix the flaw in an upcoming firmware
    update...
    
    Bye, Marc
    
    -- 
    Computer, Technik und Security
    http://www.computec.ch
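
Added example, not part of the original message or of NetGear's firmware: a filter check that canonicalises the requested host before matching, so the dotted and dotless address forms mentioned in the post hit the same blocklist entry that a keyword match on the Web address misses. The keyword set, blocklists and function names are constructed for illustration from the hostname and address quoted in the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed policy built from the hostname and address quoted in the post.
KEYWORDS = {"computec"}
BLOCKED_NAMES = {"www.computec.ch"}
BLOCKED_ADDRS = {ipaddress.IPv4Address("195.65.88.12")}
_NUM = re.compile(r"0x[0-9a-f]+|[0-9]+", re.IGNORECASE)


def keyword_filter(url):
    """Keyword screening of the Web address only, as the manual describes."""
    return any(k in url.lower() for k in KEYWORDS)


def host_as_ipv4(host):
    """Return the IPv4Address for any numeric host form, else None.

    Accepts 1 to 4 dot-separated parts, each decimal, 0x-hex or 0-octal;
    the last part fills the remaining bytes (so "3275839500" is valid).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_NUM.fullmatch(p) for p in parts):
        return None
    try:
        nums = [int(p, 16) if p[:2].lower() == "0x"
                else int(p, 8) if p.startswith("0") and len(p) > 1
                else int(p) for p in parts]
    except ValueError:  # e.g. "08": leading zero but not valid octal
        return None
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)


def is_blocked(url):
    """Canonicalise the host first, then compare against the blocklist."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    addr = host_as_ipv4(host)
    if addr is not None:
        return addr in BLOCKED_ADDRS
    return host in BLOCKED_NAMES
```

Matching on the address blocks every virtual host served from it, which is the trade-off the post points out.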
    



    This archive was generated by hypermail 2b30 : Sat Sep 07 2002 - 07:37:55 PDT