Tag Archives: XTM

WatchGuard Announces Fireware XTM and WSM v11.5.3

Available for All XTM Appliances

WatchGuard is excited to announce the general release of Fireware XTM v11.5.3 and WatchGuard System Manager v11.5.3. This release demonstrates our continuing commitment to quality for WatchGuard customers, with a significant number of bug fixes and several minor enhancements. You can install Fireware XTM OS v11.5.3 on any WatchGuard XTM device, including 2 Series, 3 Series, 5 Series, 8 Series, XTM 1050, and XTM 2050 devices.

A few minor enhancements include:

  • Changes to the routes section of the Firebox System Manager Status Report to improve consistency in the way IPv4 and IPv6 routes are displayed.
  • New IP address validity checking in Mobile VPN configurations to help prevent common errors with overlapping IP addresses.

In addition to the enhancements listed above, 11.5.3 also includes a large number of bug fixes, covering many different areas of Fireware and WSM. For more information, see the Resolved Issues section of our Release Notes.

For more information about the feature enhancements included in Fireware XTM v11.5.3, see What’s New in Fireware XTM v11.5.3 [PPT file].

Does This Release Pertain to Me?

Fireware XTM 11.5.3 is an enhancement release, which corrects a large number of bugs in our software, and improves its general stability. If you have any XTM series appliance and wish to take advantage of the enhancements listed above, or those mentioned in the Release Notes, you should upgrade to version 11.5.3. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button. The 11.5.3 Release Notes include clear upgrade instructions. Fireware XTM 11.5.3 is an XTM Series only release, and does not work on e-Series appliances.

As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

WatchGuard Announces Fireware XTM 11.5.2 Update 1

For Original XTM 2 Series Appliance Models Only

WatchGuard has released an important update for the original XTM 2 Series appliance models (XTM 21/22/23 and the wireless models). This update corrects certain conditions that cause instability for some customers on these platforms. More specifically, this update is for appliance software only. It resolves a file system writing issue and reduces memory use during Gateway AV signature updates. If you are running one of the original XTM 2 Series appliances and are experiencing the following issues on XTM 11.5.1 or 11.5.2, we recommend applying this patch:

  • Appliance passes traffic normally but cannot be managed via WSM or Web UI
  • Appliance gradually stops passing traffic, cured by a reboot.

The update also resolves many other minor bugs. You can find more information about this update, and the issues it corrects, in the Release Notes.

Does This Release Pertain to Me?

Fireware XTM 11.5.2 Update 1 is an enhancement release designed to correct a few stability issues that may affect some original 2 Series model customers. If you manage an XTM 21, 22, or 23 appliance, and are experiencing the symptoms described above, you should download and install XTM 11.5.2 Update 1. However, if you manage a newer XTM 25 or 26 appliance, or any other XTM Series platform, you do not need this update. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM 2 Series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center, which also includes clear installation instructions. Fireware XTM 11.5.2 Update 1 is only for the original 2 Series appliance models (XTM 21/22/23 and wireless models). As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

WatchGuard Announces Fireware XTM and WSM v11.5.2

Available for All XTM Appliances

7 March, 2012

WatchGuard is excited to announce the general release of Fireware XTM v11.5.2 and WatchGuard System Manager v11.5.2.

With this release, WatchGuard is proud to support the new XTM 2 Series models: XTM 25 and XTM 26. Additionally, this release demonstrates our continuing commitment to quality for WatchGuard customers, with a significant number of bug fixes and enhancements. You can install Fireware XTM OS v11.5.2 on any WatchGuard XTM device, including 2 Series, 3 Series, 5 Series, 8 Series, XTM 1050, and XTM 2050 devices.

Some significant enhancements in Fireware XTM v11.5.2 include:

  • Application Control user feedback message: Application Control now offers a deny message to users whose HTTP requests are blocked due to your application control policies
  • Advanced Search in Log and Report Manager: We’ve added advanced search functions in LogViewer to help you pinpoint important log information quickly and efficiently
  • Mobile VPN with SSL supports multiple authentication servers: Mobile VPN with SSL clients can now authenticate to multiple authentication servers and Active Directory authentication domains
  • Management Server device configuration template improvements:
    • Ability to create a device configuration template from an existing configuration file
    • Inclusion of hosted WebBlocker Server settings in templates for XTM 2 Series and XTM 33 devices
    • Policy order in a template is preserved when you apply the template to an XTM device
  • FireCluster support for XTM 330 appliances: You can now configure XTM 330 appliances in a FireCluster (an active/active or active/passive HA pair)
  • And many other minor enhancements…

In addition to the enhancements listed above, 11.5.2 also includes a large number of bug fixes, covering many different areas of Fireware and WSM. For more information, see the Resolved Issues section of our Release Notes.

If you’re an active LiveSecurity subscriber, you can upgrade to Fireware XTM v11.5.2 free of charge. You can install Fireware XTM v11.5.2 software on any WatchGuard XTM device. Although WatchGuard System Manager v11.5.2 has been designed to manage devices running earlier versions of Fireware XTM v11, it is not possible to install Fireware XTM v11.5.2 on WatchGuard e-Series appliances.

Does This Release Pertain to Me?

Fireware XTM 11.5.2 is a feature release that also includes many bug fixes. If you have any XTM series appliance and wish to take advantage of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to version 11.5.2. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center, which also includes clear installation instructions. Fireware XTM 11.5.2 is an XTM Series only release, and does not work on e-Series appliances. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

WatchGuard Releases WSM v11.5.1 Update 1: XSS Flaws Corrected

Severity:High

15 December, 2011

Summary:

  • This vulnerability affects: WatchGuard System Manager (WSM) v11.5.1
  • How an attacker exploits it: Multiple vectors of attack, including enticing you to click a maliciously crafted link, or sending specially crafted network traffic through an XTM appliance and having you view the resulting logs in our Web UI
  • Impact: In the worst case, an attacker can execute code in your browser with elevated privileges, possibly hijacking your web browser
  • What to do: Install WSM 11.5.1 Update 1 at your earliest convenience

Exposure:

A few weeks ago, WatchGuard released Fireware XTM OS and WatchGuard System Manager (WSM) v11.5.1. Among other things, this release includes a newly designed Log and Report Manager Web UI, which greatly improves our logging and reporting interface, making it dramatically faster and easier to use.

However, shortly after the release of WSM v11.5.1, we learned of two privately reported and two internally discovered security issues that affect our Log and Report Manager Web UI. WSM v11.5.1 Update 1 fixes all four of those security issues. We describe these issues in a bit more detail below:

  • BUG 64549: Persistent XSS Vulnerability in Log Messages (CVE-2011-4774)

The Log and Report Manager Web UI does not properly sanitize log data it retrieves from the log database, before displaying it in the Web UI. By sending specially crafted traffic through your XTM appliance (such as maliciously crafted email or FTP connections), an attacker can fill your logs with messages that contain malicious web script. When you view these logs within the Log and Report Manager Web UI, they could trigger a Cross-Site Scripting (XSS) vulnerability, which allows the attacker to execute scripts in your web browser under the context of our Web UI. Since these malicious logs would remain in your log database until you specifically deleted them, this flaw is a persistent XSS vulnerability.

In general, attackers can leverage XSS attacks to steal your web cookies, hijack your web sessions, redirect you to malicious sites, or essentially take any action you could on the vulnerable web site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer. That said, a few factors somewhat mitigate the severity of this issue. In order to exploit this flaw, an attacker would have to know you manage a WSM server with v11.5.1. He’d also have to send very specially crafted traffic through your XTM appliance, which would need policies that allow such traffic. Finally, though this attack may allow the attacker to gain elevated privilege in your web browser, it would not give the attacker access to your XTM appliance, or the ability to change firewall rules. Nonetheless, we consider this a fairly serious vulnerability, and recommend you update as soon as you can. We’d like to thank Wayne Murphy of Sec-1 for bringing this flaw to our attention.

Severity: High

  • BUG 64551: Reflected XSS Vulnerability in URL Parameters (CVE-2011-4774)

The Log and Report Manager Web UI also does not properly sanitize inputs entered into certain URL parameters. By enticing you to click onto a specially crafted link, or by intercepting and modifying URL parameters, an attacker could exploit this flaw to trigger another XSS vulnerability. The impact of this flaw is the same as the one described above; an attacker can leverage it to steal web cookies, hijack your web session, or essentially take any action you could in the Log and Report Web UI. This is a reflected XSS flaw since the attack only occurs once, when you click the malicious link.

Like the flaw described above, an attacker would first have to know you manage an XTM appliance with WSM v11.5.1 to exploit this flaw. Furthermore, the attacker would then need to entice you to click a malicious link, which makes this XSS vulnerability slightly less severe than the one described above. Again, we’d like to thank Wayne Murphy of Sec-1 for bringing this flaw to our attention.

Severity: Medium
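The two defects above, a stored log message and a URL parameter copied into the page without escaping, as an added Python illustration that is not WatchGuard's Log and Report Manager code: the vulnerable renderer next to the hardened one. The log entries, the request URL and its `q` parameter are constructed for the example.

```python
"""Vulnerable vs. hardened rendering of log entries and URL parameters.

Added illustration, not WatchGuard code. Mirrors the advisory's two flaws:
log text pulled from the database (persistent XSS) and a request parameter
(reflected XSS) are interpolated into HTML, and the fix is to HTML-escape
every untrusted value at the point it enters the markup.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample log entries. The second carries markup of the kind an
# attacker could plant by pushing crafted traffic through the firewall.
SAMPLE_LOGS = [
    "2011-12-15 10:02:11 Allow 10.0.0.5 198.51.100.7 smtp/tcp msg=hello",
    "2011-12-15 10:02:12 Deny 10.0.0.9 198.51.100.7 http/tcp msg=<script>alert(1)</script>",
]


def query_from_url(url):
    """Extract the untrusted 'q' parameter from a request URL (reflected source)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_unsafe(entries, query):
    """Vulnerable: raw log text and raw query land in the HTML unchanged."""
    rows = "".join(f"<tr><td>{e}</td></tr>" for e in entries)
    return f"<h2>Results for: {query}</h2><table>{rows}</table>"


def render_safe(entries, query):
    """Hardened: html.escape() neutralises <, >, &, and quotes before concatenation."""
    rows = "".join(f"<tr><td>{html.escape(e)}</td></tr>" for e in entries)
    return f"<h2>Results for: {html.escape(query)}</h2><table>{rows}</table>"


def contains_live_markup(page):
    """Crude check: does an unescaped <script tag survive in the rendered page?"""
    return "<script" in page.lower()
```

The same escaping must be applied wherever a value is placed inside an attribute or a script block, since `html.escape` only covers the HTML text and quoted-attribute contexts.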

  • Two Low-Severity Nessus-Reported Vulnerabilities

Our own internal tests identified two minor security issues in our Log and Report Web UI, which were reported by Nessus scans. You can learn more about these issues from the links provided below:

In both cases, your WSM server is protected by your XTM appliance, making it unlikely that an external attacker could exploit either of these minor flaws. We believe they pose very low risk, but still recommend you apply Update 1 as soon as you can.

Severity: Low

Solution Path:

WSM v11.5.1 Update 1 fixes all four of these security issues. XTM appliance administrators who have installed WSM v11.5.1 should download and install Update 1 at their earliest convenience.

FAQ:

Are any of WatchGuard’s other products affected?

No. To our knowledge, these vulnerabilities only affect the new WSM v11.5.1 Log and Report Manager Web UI.

What exactly are the vulnerabilities?

The worst of these four vulnerabilities are the Cross-Site Scripting (XSS) vulnerabilities, which can allow attackers to execute scripts in your web browser under the context of our Web UI. In general, attackers can leverage XSS attacks to steal your web cookies, hijack your web sessions, redirect you to malicious sites, or essentially take any action you could on the vulnerable web site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer. However, attackers cannot leverage these flaws to gain access to your XTM appliance or change firewall rules.

How serious is the vulnerability?

We believe the two XSS vulnerabilities are fairly serious. However, some mitigating factors will likely keep attackers from exploiting these flaws in the real world. In general, XSS flaws can be very dangerous. Tools like the Browser Exploitation Framework (BeEF) have illustrated that attackers can leverage simple XSS flaws to gain significant control of your browser, and possibly your computer. That said, attackers would have to know a lot about you and your organization to exploit these particular XSS vulnerabilities. Specifically, they’d have to know you manage a WSM v11.5.1 server, and either get you to click a link or view a specific log message in our Web UI. This would likely only happen in a very targeted attack. Furthermore, these flaws would not give the attacker access to your XTM appliance. Nonetheless, as a security company, WatchGuard takes any vulnerability in our products very seriously. We suggest you install WSM v11.5.1 Update 1 as soon as possible.

Other than installing Update 1, is there a workaround?

Not really. Obviously, if you avoid clicking malicious phishing links, an attacker couldn’t exploit the reflected XSS flaw. However, even the most savvy security professional sometimes clicks the wrong link. If you do not allow any incoming traffic through your XTM appliance, an attacker may not be able to booby-trap your log files with specially crafted messages. However, most organizations have policies that at least allow email traffic, and that alone could let an external attacker corrupt your logs. We highly recommend you install WSM v11.5.1 Update 1 to correct these issues.

Where can I go to get the hotfix?

WSM 11.5.1 Update 1 is currently available in the Articles & Software section of WatchGuard’s Support Center. Look for it under the Management Software section for your XTM appliance.

How was this vulnerability discovered?

Two of these vulnerabilities were discovered by Wayne Murphy of Sec-1 (@Sec1Ltd), and confidentially reported to WatchGuard. We thank Mr. Murphy for working with us to keep our customers secure. The remaining issues were discovered internally.

Do you have any indication that this vulnerability is being exploited in the wild?

No, at this time we have no indication that these vulnerabilities are being exploited in the wild, nor do we believe them likely to be in the future.

Who can I contact at WatchGuard if I have more questions?

If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:

Corey Nachreiner, CISSP.
Senior Network Security Strategist
WatchGuard Technologies, Inc.
http://www.watchguard.com
corey.nachreiner@watchguard.com

WatchGuard Announces Fireware XTM and WSM v11.5.1

Available for All XTM Appliances

WatchGuard is excited to announce the release of Fireware XTM v11.5.1 and WatchGuard System Manager (WSM) v11.5.1, the latest security operating system for our award-winning XTM appliance line. You can install Fireware XTM OS v11.5.1 on any WatchGuard XTM device, including 2 Series, the new XTM 330, 5 Series, 8 Series, XTM 1050, and XTM 2050 appliances.

Fireware XTM and WSM v11.5.1 marks the first 11.5.x release of our software, and delivers many valuable new capabilities and enhanced features to our already feature-rich XTM products. Though primarily a feature release, v11.5.1 also demonstrates WatchGuard’s continuing commitment to quality with a significant number of bug fixes.

We highlight just a few of Fireware XTM v11.5.1’s new features below:

  • A newly designed Log and Report Manager Web UI – We have updated our already information-rich logging and reporting UI to make it dramatically faster and easier to use. It now offers drill-down capabilities on users, applications, URLs visited, and more, as well as pivot capabilities that allow you to find the information you need much faster than before. Some other logging and reporting related updates include:
    • UTC log time stamping, which allows you to always know what time logs arrived, regardless of which time zone your XTM appliance and log server resides in.
    • Report integration with ConnectWise, which allows ConnectWise administrators to automate WatchGuard XTM report creation and delivery to their customers.
  • Mobile VPN with IPSec support for Apple® iOS devices – We have updated our XTM IPSec gateway to allow iPhones, iPads, and iPods to make secure connections to your XTM appliance using Apple’s built-in IPSec client. This update also allows OS X Lion Macs to connect using Lion’s built-in IPSec client as well.
  • Mobile VPN with SSL support 64-bit Mac clients – Our Mac SSL client now supports 64-bit OS X installations.
  • IPv6 Routing Support – Your XTM appliance can now receive an IPv6 address, use IPv6 DNS/WINS servers, create static IPv6 routes, and support SLAAC router advertisement. 11.5.1 has achieved the IPv6ready.org Gold logo for routing, confirming that the basic “plumbing” — the packet routing building blocks of IPv6 — works correctly. It’s important to note that v11.5.1 does not yet support IPv6 firewall policies, which will come in a later release.
  • Improved Dynamic Routing support – We have updated and improved our Dynamic Routing engine, and it now supports Dynamic Routing in FireCluster configurations as well.
  • SMTP Proxy enhancements to support TLS encryption – Our SMTP proxy now supports and enforces TLS encrypted user authentication and end-to-end message body encryption.
  • Clientless Single Sign-On (SSO) – Fireware XTM v11.5.1 delivers improved SSO accuracy without the need to install SSO client software on all your computers.
  • FIPS Support – XTM devices now meet the overall requirements for FIPS 140-2 Level 2 security, when configured in a FIPS-compliant manner.

In addition to the features and enhancements listed above, 11.5.1 also includes numerous smaller enhancements and many bug fixes in different areas of Fireware and WSM.

If you’re an active LiveSecurity subscriber, you can upgrade to Fireware XTM v11.5.1 free of charge. You can install Fireware XTM v11.5.1 software on any WatchGuard XTM device. Although WatchGuard System Manager v11.5.1 has been designed to manage devices running earlier versions of Fireware XTM v11, it is not possible to install Fireware XTM v11.5.1 on WatchGuard e-Series appliances.

For more information about the feature enhancements included in Fireware XTM v11.5.1, see the Release Notes or What’s New in Fireware XTM v11.5.1.

Does This Release Pertain to Me?

Fireware XTM 11.5.1 is a feature release that also includes many bug fixes. If you have any XTM series appliance and wish to take advantage of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to version 11.5.1. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Support section of WatchGuard’s Support Center, which also includes clear installation instructions. Fireware XTM 11.5.1 is an XTM Series only release, and does not work on e-Series appliances. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

WatchGuard Fireware XTM 11.4.2 Available for XTM Appliances

For XTM 2, 5, 8, and XTM 1050 Appliances, and WSM

In August, WatchGuard posted Fireware XTM v11.4.2 to the Articles and Downloads section of our Support web page. At the time, we also performed some website and infrastructure changes that prevented us from emailing the 11.4.2 Software Announcement to our qualified customers. To make sure all our customers know about this exciting new update, we are re-posting the original Fireware XTM 11.4.2 announcement here.


Dear WatchGuard Customer,

WatchGuard is excited to release Fireware XTM v11.4.2. Fireware XTM v11.4.2 demonstrates our continuing commitment to quality to WatchGuard customers, with a significant number of bug fixes and enhancements, including:

  • Firewall policies can now be applied to intra-VLAN traffic
  • Branch office VPN tunnels now work with External Wireless interfaces
  • Support for multiple Mobile VPN with SSL policies for different users/groups from Policy Manager
  • Other numerous bug fixes and stability enhancements.

In addition to the features and enhancements listed above, 11.4.2 includes numerous smaller enhancements and bug fixes in many different areas of Fireware and WSM.

If you’re an active LiveSecurity subscriber, you can upgrade to Fireware XTM 11.4.2 free of charge. You can install Fireware XTM OS v11.4.2 software on any WatchGuard XTM device, including 2 Series, 5 Series, 8 Series, and the XTM 1050. Although WatchGuard System Manager/Policy Manager v11.4.2 has been designed to manage Fireware XTM v11.3 and Fireware XTM v11.4 devices seamlessly, it is not possible to install Fireware XTM OS v11.4.x on WatchGuard e-Series appliances.

For more information about the feature enhancements included in Fireware XTM v11.4.2, see What’s New in Fireware XTM v11.4.2.

Does This Release Pertain to Me?

Fireware XTM v11.4.2 is a feature release that also includes many bug fixes. If you have any XTM series appliance and wish to take advantage of the enhancements listed above, or those mentioned in the Release Notes, you should consider upgrading to version 11.4.2. Please read the Release Notes before you upgrade, to understand what’s involved.

How Do I Get the Release?

XTM series owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles and Downloads section of our Support web pages, which also includes clear installation instructions. Fireware XTM v11.4.2 is an XTM Series only release. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

What is the TCP Split-Handshake Attack and Does It Affect Me?

If you’ve followed security news over the past few days, you’ve probably seen a lot of hoopla about a TCP split-handshake vulnerability that can affect firewalls and other networking and security devices. Many of the media’s articles characterize this complicated TCP connection attack as “a hacker exploit that lets an attacker trick a firewall and get into an internal network as a trusted IP connection” or as a “hole” in firewalls. I’m not sure that these descriptions properly characterize this vulnerability, and I suspect many administrators may not really understand how this attack works (let alone what it does and doesn’t allow an attacker to accomplish). I hope to try and rectify that in this post.

Before I jump into a description of this attack, WatchGuard XTM owners probably want to know if they are vulnerable to it. The answer is no. Our XTM appliances do not allow TCP split-handshake connections. We also enable a feature called TCP SYN checking by default on our devices, which further protects against TCP state-based attacks. Later in this post, I’ll go into more detail on how we tested this, but for now, know that our appliances are not susceptible to this attack. With that out of the way, let’s look at this attack.

What is the TCP Split-Handshake Attack?

To understand the TCP split-handshake attack, you need to understand how network devices build TCP connections. I’m going to assume you are familiar with the TCP three-way handshake. If not, this guide will walk you through it. Most network administrators understand the three-way handshake quite well, and many gateway security devices (like stateful firewalls) are designed to enforce it. However, fewer people know about another legitimate way to build TCP connections, called the simultaneous-open handshake. With a simultaneous-open connection, both the client and the server send a SYN packet to each other at about the same time, and then both sides send ACK packets to each other in response. This slightly different variant of the TCP handshake rarely happens in the real world, but it is a perfectly legitimate way to start a TCP connection (according to RFC 793).

This brings us to the TCP split-handshake (also sometimes called a Sneak ACK attack). As the name suggests, the split-handshake combines aspects of the normal three-way handshake with the simultaneous-open handshake. Essentially, a client sends a SYN packet to a server, intending to complete a normal three-way handshake. However, rather than completing the client’s three-way handshake, a malicious server starts by replying as though it were doing a simultaneous-open connection, and then starts its own three-way handshake in the other direction — from server to client. So in essence, even though the client started the connection to the server, the logical direction of this connection gets reversed.

This is a fairly quick, high-level description of the attack. If you are a technically oriented person who wants the nitty-gritty details, I highly recommend you read The TCP Split Handshake: Practical Effects on Modern Network Equipment. It is the de facto document describing this attack. If you just want the highlights, I also recommend this article. It characterizes the attack well without diving too deep into the technical detail.

So What Can an Attacker Accomplish with this Attack?

OK. At a high-level, you now know that the TCP split-handshake attack is a sneaky way that a malicious server can reverse the logical direction of a connection that a client initiates. But what exactly does that mean? What can an attacker do with that, and how bad is it?

First, you should know that this attack cannot punch holes in your firewall, willy-nilly, without user interaction. A key mitigating factor to the attack is that a client within your network must first make a connection to a malicious server on the internet, before this attack can even start. Some of the descriptions of the attack, which claim an external attacker can trick a firewall into giving them access as a trusted IP, seem to leave this fact out. So if you were worried that external attackers can just hop through your firewall on their own, don’t be.

Furthermore, even when this attack succeeds, the attacker doesn’t get free rein on the victim computer or your network; instead, the attacker has only reversed the logical direction of your client’s initial connection. This could be bad, as I will explain in a second, but it is not immediate full access to the victim computer or your network.

What this attack really comes down to is an IPS (or other security content-filtering) evasion attack. The key issue is that the attack logically reverses the direction of a perfectly legitimate connection your client initiated. This doesn’t mean the attacker can do anything new on the victim computer, but it may confuse the gateway security scanning services that protect your client. Many security systems, like IPS, antivirus (AV), and other content-filtering systems, rely on the direction of traffic to decide how to scan it, or even whether to scan it at all. If an attacker can confuse the gateway device about the direction of traffic, they may be able to evade security scanning or IPS policies.

Let’s look at a real world example. Say an unpatched client in your network connects to a malicious drive-by download web server that is not leveraging the split-handshake attack. The malicious web site tries to get your client to execute some JavaScript that forces your client to download malware. If you have gateway IPS and AV, your IPS may detect the malicious JavaScript, or your AV may catch the malware. In either case, your security scanning would block the attack.

However, if the malicious web server adds the TCP split-handshake connection to the same attack, your IPS and AV systems may be confused by the direction of the traffic, and not scan the web server’s content. Now the malicious drive-by download would succeed, despite your gateway security protection.

So to summarize, the TCP split-handshake attack may help malicious servers bypass security scanning services on your gateway security devices. However, it will not allow external attackers to bypass your firewall policies, and it requires that an internal client start the connection in the first place.

Is My X-brand Network Device at Risk?

Now you know the true impact of TCP split-handshake attacks. They don’t allow attackers to totally bypass firewalls without user interaction, but they could help attackers evade your security services, assuming your clients connect to them. The next question is, are my network devices vulnerable?

To help you answer that question, I’m going to share how I tested WatchGuard’s XTM appliances.

The authors of the paper I mentioned earlier (The TCP Split Handshake: Practical Effects on Modern Network Equipment) included a special Ruby script in their paper called fakestack.rb. This script sets up a server on port 8080 that listens for incoming connections and replies to those connections using the TCP split-handshake method. If this malicious connection succeeds, the script reports, “The handshake’s a LIE!” You can use this script to test your network equipment, and see whether or not it allows TCP split-handshake connections to complete.

I recommend you use fakestack.rb with a Linux computer. I used my Backtrack 4 installation. Fakestack.rb requires another Ruby script called PacketFu, which in turn requires something called PcapRub. The whitepaper above explains these dependencies. Once you have all this installed, you simply have to disable your computer’s local host firewall (on 8080 at least), and run fakestack.rb (sudo fakestack.rb eth0 8080).

Once you have fakestack running, I recommend you first get a client to connect to it directly, without any firewall or gateway device in the mix. This way you can see what happens when the split-handshake connection succeeds. Open a web browser (IE or Firefox) on a Windows computer that is on the same network, and try to connect to the IP of the computer running fakestack, on port 8080 (http://x.x.x.x:8080). You will not see anything in the web browser. However, if you look at fakestack’s output, you will see it generating packets, sending certain replies, and if the attack works, it returns that “handshake’s a lie” message.

Once you have fakestack working, testing your own network gear is simple. Simply put the fakestack computer on the external side of your firewall, IPS, or security appliance, and get an internal client to try to connect to fakestack. If fakestack returns the handshake is a lie message, then you know your security gear may be vulnerable to this attack. However, if you don’t get the handshake is a lie message, fakestack wasn’t able to complete the split-handshake connection, and your device must be doing something to prevent it.

This is the test I did with our XTM appliances. When a client behind an XTM appliance tries to connect to fakestack, the connection never completes. Meanwhile, the XTM logs report:

2011-04-15 19:18:37 Deny 192.168.39.204 192.168.39.38 63316/tcp 8080 63316 0-External Firebox tcp syn checking failed 40 31 (Internal Policy) proc_id="firewall" rc="101" tcp_info="offset 5 A 1845100933 win 64"
2011-04-15 19:18:37 Deny 192.168.39.204 192.168.39.38 63316/tcp 8080 63316 0-External Firebox Denied 44 31 (Unhandled External Packet-00) proc_id="firewall" rc="101" tcp_info="offset 6 S 794513233 win 64"

Our packet handling engine does not recognize split-handshake connections as legitimate connections. Furthermore, split-handshakes trigger our TCP syn checking feature too, which is enabled by default.

This test shows that WatchGuard devices don’t allow split-handshake connections. You can use the same test to figure out whether or not your other network security devices handle TCP split-handshake connections properly.
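The handshake variants described above and the two Deny lines the XTM logged, as an added Python illustration that is not WatchGuard code: a toy stateful tracker that admits only three-way handshakes opened by an internal client, so a split-handshake server's bare ACK fails the SYN check and its reversed SYN is dropped as an unhandled inbound packet. Hosts, ports and packet sequences are constructed, and sequence numbers are ignored to keep the model short.

```python
"""Toy stateful TCP handshake tracker (added illustration, not WatchGuard code).

Admits only connections built by an internal client's RFC 793 three-way
handshake. A split-handshake server answers the client's SYN with a bare ACK
and then its own SYN to reverse the connection; both are denied here, in the
same order as the two Deny log lines above. Sequence numbers are not modelled.
"""
import enum
from collections import namedtuple

# flags: "S" = SYN, "A" = ACK, "SA" = SYN+ACK
Segment = namedtuple("Segment", "src dst sport dport flags")


class State(enum.Enum):
    SYN_SENT = "SYN_SENT"          # client SYN seen, waiting for SYN/ACK
    SYN_RECEIVED = "SYN_RECEIVED"  # SYN/ACK seen, waiting for final ACK
    ESTABLISHED = "ESTABLISHED"


ALLOW, DENY = "Allow", "Deny"
SYN_CHECK_FAILED = "tcp syn checking failed"
UNHANDLED_EXTERNAL = "Unhandled External Packet"


class HandshakeTracker:
    """Flows are keyed on (client, cport, server, sport); only internal hosts may open one."""

    def __init__(self, internal_hosts):
        self.internal = frozenset(internal_hosts)
        self.flows = {}

    def _lookup(self, seg):
        """Return (flow key, True if the segment travels client -> server), else (None, None)."""
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        if fwd in self.flows:
            return fwd, True
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if rev in self.flows:
            return rev, False
        return None, None

    def process(self, seg):
        """Apply one segment to the state table; return (verdict, reason)."""
        syn, ack = "S" in seg.flags, "A" in seg.flags
        key, from_client = self._lookup(seg)
        if key is None:  # no tracked flow for this 4-tuple
            if syn and not ack and seg.src in self.internal:
                self.flows[(seg.src, seg.sport, seg.dst, seg.dport)] = State.SYN_SENT
                return ALLOW, "new outbound connection"
            if syn and not ack:
                return DENY, UNHANDLED_EXTERNAL  # inbound SYN with no policy
            return DENY, SYN_CHECK_FAILED        # ACK/data for a flow never opened
        state = self.flows[key]
        if state is State.SYN_SENT:
            if not from_client and syn and ack:
                self.flows[key] = State.SYN_RECEIVED
                return ALLOW, "SYN/ACK matches pending SYN"
            if not from_client and syn:
                # server starts its own handshake (split or simultaneous open)
                return DENY, UNHANDLED_EXTERNAL
            return DENY, SYN_CHECK_FAILED        # e.g. the server's bare ACK
        if state is State.SYN_RECEIVED:
            if from_client and ack and not syn:
                self.flows[key] = State.ESTABLISHED
                return ALLOW, "handshake complete"
            return DENY, SYN_CHECK_FAILED
        if syn:                                  # SYN inside an established flow
            return DENY, SYN_CHECK_FAILED
        return ALLOW, "established flow"


# Constructed hosts and exchanges (example addresses, not from the post)
CLIENT, SERVER = "10.0.0.5", "203.0.113.8"

THREE_WAY = [
    Segment(CLIENT, SERVER, 40000, 8080, "S"),
    Segment(SERVER, CLIENT, 8080, 40000, "SA"),
    Segment(CLIENT, SERVER, 40000, 8080, "A"),
]

SPLIT_HANDSHAKE = [
    Segment(CLIENT, SERVER, 40000, 8080, "S"),   # client opens normally
    Segment(SERVER, CLIENT, 8080, 40000, "A"),   # server: bare ACK instead of SYN/ACK
    Segment(SERVER, CLIENT, 8080, 40000, "S"),   # server: its own SYN, direction reversed
    Segment(CLIENT, SERVER, 40000, 8080, "SA"),  # client would answer that SYN if it arrived
]


def run(segments, internal_hosts=(CLIENT,)):
    """Feed segments through a fresh tracker; return (list of verdicts, tracker)."""
    tracker = HandshakeTracker(internal_hosts)
    return [tracker.process(s) for s in segments], tracker
```

Running `run(SPLIT_HANDSHAKE)` leaves the flow stuck in SYN_SENT, which is the tracker's equivalent of the connection that "never completes" in the XTM test.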

Summary

So in summary:

  • The TCP split handshake attack is not an attack that allows attackers to punch holes in firewalls without user interaction. However, it is a significant vulnerability that could allow attackers to evade security services like IPS, assuming the attacker can entice the victim to a malicious server.
  • WatchGuard XTM appliances are not vulnerable to the TCP split-handshake attack, since we do not allow split-handshake connections. We tested this using a script designed by the discoverers of the attack, called fakestack.rb.
  • If you want to know how your other network gear responds to TCP split-handshake connections, use fakestack.rb to test.

I hope this post helped clear up some potential misinterpretations about this complex vulnerability, and has shown you its true severity and impact. Feel free to share your thoughts and ideas about this flaw in the comments section. I find it quite interesting and would love to discuss it. — Corey Nachreiner, CISSP. (@SecAdept)
