List:       sidewinder
Subject:    [Sidewinder] Official Response for CERT CA-2002-19
From:       sidewinder-admin () adeptech ! com
Date:       2002-07-05 17:30:07
This is the official Secure Computing Corporation response to CERT Advisory
CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries (Original
release date: June 28, 2002).   

----- Message-----
CERT Advisory CA-2002-19 Response for Sidewinder Firewalls.

BACKGROUND
This is a complicated and, so far, "theoretical" vulnerability: there are no
known attackers who have figured out how to use it yet. To exploit it, an
attacker must get between the device he wants to attack and the DNS server it
is querying. The attacker must then wait for the device to issue a DNS query
and answer it with an invalid server response (an illegal response header)
containing a large block of data with the attack code. The device receives and
processes the reply, which causes a stack overflow in the resolving program and
thereby causes the attack code to be executed.
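As an added illustration (this is not part of Secure Computing's response, nor
Sidewinder or BIND resolver code), the following C parser shows the checks a
resolver library must make when it consumes a reply of the kind described
above: every label length, compression pointer and RDLENGTH is checked against
the bytes actually received, and the parsed name is bounded before it is copied
into the caller's buffer. The three packets are constructed for the example,
not captured traffic: one valid reply and two hostile ones (an RDLENGTH larger
than the remaining packet, and a compression pointer that loops on itself). The
page does not say which field the affected resolvers mishandled, so this is a
generic hardened parser, not a reproduction of the CA-2002-19 flaw.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define MAX_NAME    255        /* RFC 1035 limit on a name's wire length */

struct a_record { char name[MAX_NAME + 1]; uint8_t addr[4]; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Read a (possibly compressed) name at *off.  On success the dotted name is
 * written to out (NULL just skips the name), *off advances past the name as
 * it sits in the packet, and 0 is returned.  A label running past len, a
 * pointer that does not point strictly backwards, too many pointer hops, or a
 * name over MAX_NAME octets yields -1 without touching *off. */
static int read_name(const uint8_t *pkt, size_t len, size_t *off,
                     char *out, size_t outsz)
{
    size_t pos = *off, wire = 0, outlen = 0, end_after = 0;
    int jumped = 0, hops = 0;

    for (;;) {
        if (pos >= len) return -1;
        uint8_t l = pkt[pos];
        if ((l & 0xC0) == 0xC0) {                      /* compression pointer */
            if (pos + 1 >= len) return -1;
            size_t target = ((size_t)(l & 0x3F) << 8) | pkt[pos + 1];
            if (target >= pos || ++hops > 16) return -1;  /* blocks pointer loops */
            if (!jumped) { end_after = pos + 2; jumped = 1; }
            pos = target;
            continue;
        }
        if (l & 0xC0) return -1;                       /* reserved label types */
        if (l == 0) { pos++; break; }                  /* root label ends the name */
        if (pos + 1 + l > len) return -1;              /* label runs off the packet */
        if (wire + l + 1 > MAX_NAME) return -1;
        wire += l + 1;
        if (out) {
            size_t need = outlen + (outlen ? 1 : 0) + l;
            if (need >= outsz) return -1;              /* caller's buffer bound */
            if (outlen) out[outlen++] = '.';
            memcpy(out + outlen, pkt + pos + 1, l);
            outlen = need;
        }
        pos += 1 + l;
    }
    if (out) out[outlen] = '\0';
    *off = jumped ? end_after : pos;
    return 0;
}

/* Parse a DNS response and copy up to max A records into out.
 * Returns the number copied, or -1 if the packet is malformed anywhere. */
int parse_a_records(const uint8_t *pkt, size_t len,
                    struct a_record *out, size_t max)
{
    if (len < DNS_HDR_LEN) return -1;
    if (!(rd16(pkt + 2) & 0x8000)) return -1;         /* QR bit: must be a reply */
    unsigned qd = rd16(pkt + 4), an = rd16(pkt + 6);
    size_t off = DNS_HDR_LEN, n = 0;

    for (unsigned i = 0; i < qd; i++) {                /* skip the question section */
        if (read_name(pkt, len, &off, NULL, 0) < 0) return -1;
        if (off + 4 > len) return -1;                  /* QTYPE + QCLASS */
        off += 4;
    }
    for (unsigned i = 0; i < an; i++) {
        char name[MAX_NAME + 1];
        if (read_name(pkt, len, &off, name, sizeof name) < 0) return -1;
        if (off + 10 > len) return -1;                 /* TYPE CLASS TTL RDLENGTH */
        uint16_t type = rd16(pkt + off), cls = rd16(pkt + off + 2);
        uint16_t rdlen = rd16(pkt + off + 8);
        off += 10;
        if (rdlen > len - off) return -1;              /* RDLENGTH vs bytes received */
        if (type == 1 && cls == 1) {                   /* A record, class IN */
            if (rdlen != 4) return -1;
            if (n < max) {
                strcpy(out[n].name, name);             /* both are MAX_NAME + 1 */
                memcpy(out[n].addr, pkt + off, 4);
                n++;
            }
        }
        off += rdlen;                                  /* other types are skipped */
    }
    return (int)n;
}

/* Constructed sample packets for this example (not captured traffic). */
static const uint8_t good_resp[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,            /* header: QR, 1 Q, 1 AN */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1,
    0xC0,0x0C, 0,1, 0,1, 0,0,1,0x2C, 0,4, 93,184,216,34  /* www.example.com A */
};
static const uint8_t bad_rdlen[] = {                     /* RDLENGTH says 1024, 4 follow */
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1,
    0xC0,0x0C, 0,1, 0,1, 0,0,1,0x2C, 4,0, 93,184,216,34
};
static const uint8_t ptr_loop[] = {                      /* question name points at itself */
    0x12,0x34, 0x81,0x80, 0,1, 0,0, 0,0, 0,0, 0xC0,0x0C, 0,1, 0,1
};
static struct a_record recs[4];

int main(void)
{
    int n = parse_a_records(good_resp, sizeof good_resp, recs, 4);
    printf("good: %d record(s), %s -> %u.%u.%u.%u\n", n, recs[0].name,
           recs[0].addr[0], recs[0].addr[1], recs[0].addr[2], recs[0].addr[3]);
    printf("bad rdlength: %d\n", parse_a_records(bad_rdlen, sizeof bad_rdlen, recs, 4));
    printf("pointer loop: %d\n", parse_a_records(ptr_loop, sizeof ptr_loop, recs, 4));
    return 0;
}
```

The point of the three packets is that the hostile ones are rejected before a
single byte of record data is copied: the RDLENGTH check compares the claimed
length with the bytes actually received, and the pointer check refuses any
pointer that does not move strictly backwards, which is what makes a looping
or forward-referencing name impossible to walk forever.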

DEFENSIVE MEASURES
In most cases this exploit cannot traverse intermediate DNS servers, because
an intermediate server will either reject the illegal header and discard the
packet, or strip the attached large data block as it forwards the reply.
Therefore, to protect hosts from this attack, a DNS server should be
positioned between the inside (trusted/vulnerable) clients and the big, bad
Internet. For security reasons, the choice of OS platform for that server
should be carefully evaluated, since the platform must protect itself from
attack. A convenient place for this server is on a firewall, and the secure
place is on Sidewinder. When Sidewinder is properly configured to process all
DNS queries through the embedded DNS server, the attack cannot penetrate
through to inside clients.
What about attacking the firewall? Read on.

SIDEWINDER
There is no way for someone using this attack to gain access to, or gain any
valuable information from a Sidewinder. An attack against one of the
Sidewinder components using this "theoretical" attack would yield no special
privileges (such as root access, shell access, configuration information,
etc.) due to Sidewinder's SecureOS Type Enforcement technology (TE). The
worst an attacker could potentially do is create a limited
denial-of-service, but it would take many successive successful attacks to
do it.

Sidewinder is typically configured with a DNS server (or two) running right
on the firewall. Most of Sidewinder's components query THROUGH this DNS
server for DNS resolution, so it is not possible to get between a component
and the DNS server on the box. However, if a DNS request cannot be resolved
locally it is forwarded to an external DNS server. The reply containing an
attack would then come back through the DNS server on the firewall, and as it
does it is rewritten (the attack stripped) before being delivered to the
component, thereby preventing the attack. It is not yet known whether all
possible responses are rewritten in every possible case.
If an externally resolved response containing the attack does get through
the firewall's DNS server without being rewritten, the effect of an attack
would be EXTREMELY limited.

First off, NONE of Sidewinder's critical components (proxies, ACL engine,
etc.) do direct DNS processing. Resolution is done by self-contained DNS
resolver processes which are not granted Type Enforcement access to any of
the components' configuration data, nor can they access the data held by the
components' sessions. Nor can a resolver execute a shell. This process has no
access to any system resources useful to an attacker. And of course, there is
no useful concept of root privilege on Sidewinder.

It is theoretically possible to get a resolver to execute some binary code
in its limited domain. It would not be easy to develop binary code that
would run on a Sidewinder, but if you could, the maximum impact it could
have is to cripple a single instance of the DNS resolver. If you could
cripple enough resolvers, you might be able to approach the system limits
and prevent new resolvers from being forked, thus causing a
denial-of-service on the firewall.

Code to prevent the buffer overflow has already been written, and will be
included in some future release, but given the very low harm that could be
caused by this threat, every effort will be made to evaluate and test the
code to maximize the stability of Sidewinder and prevent any possible side
effect.

Sidewinder, Type Enforcement technology, and SecureOS are trademarks of
Secure Computing.

_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder