Our recent post about the “FireStorm” vulnerability resulted in many interesting comments throughout the web, some of them from firewall vendors and some from worried customers.
One particular vendor stated their less-than-concerned opinion regarding “FireStorm.” In order to clarify the issue, and for the purpose of advancing the argument from “Does the vulnerability exist?” to “How can we fix it?” we decided to demonstrate the attack now.
In response to one of the blog posts questioning whether “FireStorm” exists, we answer simply: if an enterprise does not use the new “Next Generation” capability of the affected vendor(s), “FireStorm” does not exist. But for those clients who do use it, it does EXIST. Moreover, it was agreed: “this allows a SYN (and in fact a complete 3-way handshake) from allowed web clients out to the internet on the standard HTTP service.” This is a key factor of the vulnerability.
Now, if we all agree that it is possible to conduct a full TCP handshake to any destination around the world, is it possible to argue that this is not a security issue? While we can’t disagree with the statement that it is a very old technique (we agree, we have been using it for ages), it threatens the basic assumption of the firewall mission: to provide a strong wall between the internal and external networks. In this case, the well-known SYN tunneling attack method works against us, opening up new potential threats.
To further clarify our stance, we have prepared a short POV (proof of vulnerability) video that shows how an internal host in the network can easily extract data to an unsecured external location, without any rule allowing the extraction.
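For defenders, one way to check whether this behaviour is occurring is to look for completed handshakes on the HTTP port to destinations that no rule allows. The following is an added example, not code from BugSec or any vendor; the flow-record layout, the policy list, the threshold and all addresses are constructed, and it assumes tunnelled data rides in the handshake itself, so the flows carry no application payload.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed policy: destinations the rule base explicitly allows on tcp/80.
ALLOWED_HTTP_DESTS = [ip_network("203.0.113.0/24")]

# Constructed flow records:
# (src, dst, dst_port, handshake_completed, app_payload_bytes)
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 80, True, 5120),   # allowed, normal HTTP
    ("10.0.0.7", "198.51.100.9", 80, True, 0),      # outside policy
    ("10.0.0.7", "198.51.100.9", 80, True, 0),
    ("10.0.0.7", "198.51.100.9", 80, True, 0),
    ("10.0.0.8", "198.51.100.20", 80, False, 0),    # SYN never answered
    ("10.0.0.9", "192.0.2.44", 80, True, 0),        # single event
]

def is_allowed(dst, allowed=ALLOWED_HTTP_DESTS):
    """True if the destination falls inside an explicitly allowed network."""
    return any(ip_address(dst) in net for net in allowed)

def suspicious_handshakes(flows, threshold=3):
    """Return {(src, dst): count} for completed tcp/80 handshakes to
    destinations no rule allows and that carried no application payload
    (assumption: tunnelled data travels in the handshake packets)."""
    counts = defaultdict(int)
    for src, dst, dport, handshake_ok, payload in flows:
        if dport != 80 or not handshake_ok:
            continue  # only completed handshakes on the HTTP service
        if is_allowed(dst) or payload > 0:
            continue  # covered by policy, or a real application exchange
        counts[(src, dst)] += 1
    # Repetition separates a sustained channel from a one-off connection.
    return {pair: n for pair, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (src, dst), n in suspicious_handshakes(FLOWS).items():
        print(f"{src} -> {dst}: {n} payload-free handshakes outside policy")
```
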
In conclusion, we strongly advise the security departments of affected vendors to understand the potentially severe impact of “FireStorm” and create a secure solution for their clients. Using Next Generation Firewalls should not harm the basic security level of an enterprise.
For more information about BugSec and the FireStorm vulnerability please contact us here: www.bugsec.com/contact/
To learn more about precise detection and remediation of threats that have managed to bypass the prevention layer, please contact us here: www.cynet.com/contact/