Category: Firewalls

Juniper fixes router DoS vulnerability

Filed under Firewalls, Patches

Networking supplier Juniper has released an update to fix a DoS vulnerability in its routers. The vulnerability can reportedly be exploited to force a router reboot using specially crafted TCP packets. For a successful attack, the packet must include a specific combination of TCP options and must be addressed to a service that is running on the router. However, the first TCP packet sent apparently already triggers the flaw; a full 3-way handshake is not required. Transit packets that are only being forwarded don’t cause the router to crash and reboot.

Since Juniper only makes advisories available to its customers and partners, no further details have officially become available. The independent “Praetorian Prefect” blog, however, offers information about the vulnerable versions. According to the blog, routers running JUNOS 9.x, 8.x or 7.x with a release date before the 28th of January 2009 are vulnerable. While versions 3.x, 4.x, 5.x and 6.x are also thought to be affected, these versions are no longer officially supported by the vendor.

No fully functional workaround apart from installing the update is said to be available – simply filtering TCP packets via the firewall is reportedly insufficient. Juniper recommends that customers implement anti-spoofing measures to detect packets with a bogus sender address. Various ISPs reportedly already updated their core routers at the beginning of January.

Source: H Online

Hacker pierces hardware firewalls with web page

Filed under Firewalls, Hacks

On Tuesday, hacker Samy Kamkar demonstrated a way to identify a browser’s geographical location by exploiting weaknesses in many WiFi routers. Now, he’s back with a simple method to penetrate hardware firewalls using little more than some JavaScript embedded in a webpage.

By luring victims to a malicious link, the attacker can access virtually any service on their machine, even when it’s behind certain routers that automatically block it to the outside world. The method has been tested on a Belkin N1 Vision Wireless router, and Kamkar says he suspects other devices are also vulnerable.

“What this means is I can penetrate their firewall/router and connect to the port that I specified, even though the firewall should never forward that port,” Kamkar told El Reg. “This defeats that security by visiting a simple web page. No authentication, XSS, user input, etc. is required.”

Kamkar’s proof-of-concept page forces the visitor to submit a hidden form on port 6667, the standard port for internet relay chat. Using a hidden value, the form surreptitiously coerces the victim to establish a DCC, or direct client-to-client, connection. Vulnerable routers will then automatically forward DCC traffic to the victim’s internal system, and using what’s known as NAT traversal an attacker can access any port that’s open on the local system.

For the hack to work, the visitor must have an application such as file transfer protocol or session initiation protocol running on his machine. The hack doesn’t guarantee an attacker will be able to compromise that service, but it does give the attacker the ability to probe it in the hope of finding a weak password or a vulnerability that will expose data or system resources.
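A defender can look for this pattern on the wire: a flow to an IRC port that opens with an HTTP request, or that carries a DCC offer before any IRC registration, is not a real chat client. The following is an added example, not code from the article or from Kamkar's proof-of-concept; the function name, the port watch list and both sample flows are constructed for illustration.

```python
import re

# First line of an HTTP request; it should never open a flow to an IRC server.
HTTP_START = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r?\n")
# CTCP DCC offer: DCC <type> <argument> <ip as decimal> <port>
DCC_OFFER = re.compile(rb"\x01?DCC +(\w+) +(\S+) +(\d+) +(\d+)")
# A genuine IRC client registers with NICK/USER before sending anything else.
REGISTRATION = re.compile(rb"^(NICK|USER) ", re.MULTILINE)
# Assumed watch list of service ports no chat or file transfer should advertise.
SERVICE_PORTS = {21, 22, 23, 25, 80, 443, 445, 3389, 5060}


def inspect_flow(client_payloads):
    """Return findings for the ordered client-to-server payloads of one
    TCP flow whose destination is an IRC port (6667 in the article)."""
    findings = []
    registered = False
    for index, data in enumerate(client_payloads):
        if index == 0 and HTTP_START.match(data):
            findings.append("http-request-on-irc-port")
        if REGISTRATION.search(data):
            registered = True
        for offer in DCC_OFFER.finditer(data):
            port = int(offer.group(4))
            if not registered:
                findings.append("dcc-before-irc-registration")
            if port < 1024 or port in SERVICE_PORTS:
                findings.append(f"dcc-advertises-service-port:{port}")
    return findings


# Constructed sample: a browser form submission sent to port 6667.
BROWSER_FLOW = [
    b"POST / HTTP/1.1\r\nHost: irc.example.test:6667\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"PRIVMSG peer :\x01DCC CHAT chat 3232235777 21\x01\r\n"
]
# Constructed sample: an ordinary IRC client that later offers a file.
IRC_FLOW = [
    b"NICK alice\r\nUSER alice 0 * :Alice\r\n",
    b"PRIVMSG bob :\x01DCC SEND notes.txt 3232235777 50123\x01\r\n",
]

if __name__ == "__main__":
    print(inspect_flow(BROWSER_FLOW))
    print(inspect_flow(IRC_FLOW))
```

The same three conditions translate directly into IDS rules or a proxy policy that refuses browser requests to port 6667.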

“Most people have this false sense of security that ‘well, I’m behind my router, nobody can connect to my ports,’” said Kamkar, the hacker behind the notorious Samy Worm that in 2005 took MySpace out of commission by adding more than 1 million friends to the author’s account. “If you’re going to keep a service open to the world, you’ll probably have more upkeep” to make sure it’s secure.

The problem is a hard one to solve, since NAT, short for network address translation, is included in many routers to give users a seamless experience when accessing a host of internet-based services and applications. The use of a software-based firewall on the client will help, but Kamkar warned that even then some ports may be accessible.

While Kamkar’s proof-of-concept requires users to press a submit button, he said it’s trivial to use JavaScript so no interaction is required after the page is visited.

Kamkar said he based his attack on IRC because many versions of Linux used to run routers support the protocol by default. He’s based similar attacks on file transfer protocol and had success with both the Belkin and Airport Extreme routers, and believes other services such as SIP may work on those routers as well as other devices.

Source: The Register

Easily spoofed traffic can crash routers, Juniper warns

Filed under Firewalls, Hardware

Juniper Networks is warning customers of a critical flaw in its gateway routers that allows attackers to crash the devices by sending them small amounts of easily-spoofed traffic.

In an advisory sent Wednesday afternoon, the networking company said a variety of devices could be forced to reboot by sending them internet packets with maliciously formed TCP options. The flaw affects versions 3 through 10 of Junos, the operating system that powers devices at ISPs, backbones, and other large networks. Software releases built on or after January 28, 2009 have already fixed the issue.

“The Junos kernel will crash (i.e. core) when a specifically crafted TCP option is received on a listening TCP port,” the bulletin, which was issued by Juniper’s technical assistance center, stated. “The packet cannot be filtered with Junos’s firewall filter. A router receiving this specific TCP packet will crash and reboot.”

There are “no totally effective workarounds,” the bulletin added.

It’s unclear how many Juniper systems remain vulnerable or exactly when customers began installing patches. But the wording of the bulletin was enough to make some security watchers pay close heed, particularly since the Junos ACL, or access control list, was powerless to prevent the attacks.

“Anything that can crash the internet is a big deal,” said Daniel Kennedy, a researcher with Praetorian Security Group. “Essentially, you can send a packet to a router and the ACL in that router can’t stop this, so you can basically start bouncing routers just by sending it a crafted options field in a TCP request.”

A Juniper spokeswoman said the bulletin was one of seven security advisories the company issued under a policy designed to prevent members of the public at large from getting details of the vulnerabilities.

“Because of Juniper’s ‘Entitled Disclosure Policy,’ only our customers and partners are allowed access to the details of the Security Advisory,” the spokeswoman wrote.

While the only effective solution is to patch, the bulletin said the risk could be minimized by limiting TCP packets destined for Junos devices. Specifically, customers should employ “anti-spoofing” techniques described here. If those techniques aren’t feasible for all traffic, “focus on anti-spoofing for the IP addresses used for the control plane, management plane, and link addresses,” the advisory stated.

Source: The Register

pfSense v 1.2.3 Now Available

Filed under Firewalls, Software

From blog.pfsense.org:

“This is a maintenance release in the 1.2.x series, bringing an updated FreeBSD base, some minor enhancements, some bug fixes, and a couple security updates. We’ve been waiting a few weeks in anticipation of a FreeBSD security advisory for the SSL/TLS renegotiation vulnerability, which came last week and allowed us to finalize the release.”

pfSense

CanYouSeeMe.org Checks for Open Ports Behind Firewalls

Filed under Firewalls

If you’re traveling this holiday season and using the wireless networks of hotels or other unfamiliar service providers, CanYouSeeMe.org is a handy way to tell what ports are reachable when you’re behind a firewall.

CanYouSeeMe.org’s open port check tool is a simple but useful web-based utility for figuring out if your ISP or firewall is blocking certain ports you need to get things done on your computer. It’s a handy way to determine if connection issues you’re having—like difficulty sending email or trouble accessing an instant messaging client—are a problem with your internet connection or the computer itself.

CanYouSeeMe.org (via Lifehacker.com)

pfSense book now available

Filed under Firewalls

Authored by pfSense co-founder Chris Buechler and pfSense developer Jim Pingle, The Definitive Guide to pfSense covers installation and basic configuration through advanced networking and firewalling of the popular open source firewall and router distribution.

This book is designed to be a friendly step-by-step guide to common networking and security tasks, plus a thorough reference of pfSense’s capabilities.

pfSense