MEDIA ALERT: BugSec, Cynet Uncover Large-scale Vulnerability on Next Generation Firewalls
Hundreds of millions of enterprise networks worldwide open to attack
TEL AVIV, ISRAEL — December 9, 2015
BugSec Group Ltd., a leading provider of cyber security services (www.bugsec.com), and Cynet, pioneers of the all-in-one agentless solution for detection of advanced and unknown threats (www.cynet.com), announced today that they have discovered a severe vulnerability in next generation firewalls which allow an internal entity or malicious code to interact and extract data out of the organization, completely bypassing the firewall limitation.
Head of Offensive Security Stas Volfus discovered the vulnerability, dubbed FireStorm, on the application categorized module, which is designed to permit full TCP handshake regardless of the packet destination. This is done to allow the firewall to gather enough content for it to identify which application protocol is being used (web-browsing/telnet etc.). The firewalls allow web-browsing (HTTP/S) traffic from the LAN environment to specific locations on the internet (URL-Filtering).
This enabled the security research team to perform a full TCP Handshake via the HTTP port with a C&C (Command and Control) server hosted by BugSec. From there, the team was able to forge messages and tunnel them out through the TCP handshake process, bypassing the firewall to any destination on the Internet regardless of firewall rules and restrictions.
It is important to note that all traffic sent to the C&C server after the TCP handshake process was blocked immediately by the firewall, as the policy manager categorized the researchers’ traffic as “Unknown-TCP” and the HTTP destination wasn’t allowed.
“This is a critical flaw that enterprise networks need to be aware of,” said Chief Technology Officer Idan Cohen. “The ability to perform the TCP handshake process without any destination means that malware and hackers could hijack it to communicate with unauthorized servers on the web, completely removing the firewall block from the LAN to the outside world,” Cohen added.
Following the discovery, the security research team developed a tool that extracted sensitive data from the LAN, using only the TCP handshake. The tool allowed full tunneling over the TCP handshake.
The team disclosed full details of the vulnerability to major vendors affected by the flaw. One of the vendors, when informed of the issue, stated that they did not see it as a security threat. They said that once their state machine proceeded beyond the TCP handshake, they would recognize the application, matching a subsequent rule that applied to application traffic. The vendor added that if they did not recognize the application, they would treat the session as ‘unknown-TCP’ and, again, perform an additional security policy lookup to decide whether to allow or block the traffic.
The BugSec–Cynet security research team believes this is a major vulnerability, and recommends that monitor capability be added to provide blocking for repeated suspicious requests and to provide the ability to block a direct connection between an internal host and an unauthenticated foreign host.