topic Re: Palto Alto affected by Firestorm bug ?? in General Topics

Palto Alto affected by Firestorm bug ??

licenselu — Wed, 16 Dec 2015 07:56:55 GMT

Hi all,

Any info about Firestorm bug and Palo Alto Firewall ??

http://www.bugsec.com/news/firestorm/

Regards,

Re: Palto Alto affected by Firestorm bug ??

santonic — Wed, 16 Dec 2015 09:11:18 GMT

If i understand this correctly it has nothing to do with NG fw, application recognition or anything like this.

Every firewall allows 3-way TCP handshake if there is apropriate rule in policy. It has nothing to do with application policy or anything. If you can extract data through TCP hadnshake it doesn't matter if it's allowed as layer 4 rule (allowed by destination port 80) or as layer 7 rule (allowed as web-browsing). It's more something that should be fixed as part of IPS policy or zone protection in PA case which should check validty (or compliance) of SYN, SYN-ACK and ACK packets and not allow any data there.

Re: Palto Alto affected by Firestorm bug ??

Raido_Rattameister — Wed, 16 Dec 2015 10:11:36 GMT

You should have custom reports in place to detect this kind of behaviour.

For example if some device in your network has loads of sessions with "incomplete" and "insuficient-data" applications then it is worth taking a look as it is indicator of compromise.

Re: Palto Alto affected by Firestorm bug ??

pulukas — Wed, 16 Dec 2015 13:44:28 GMT

I think the nuance here that Palo Alto is missing and I would hope would update in PanOS, is that the inclusion of data in the syn packet during the handshake is a violation of the strict tcp syn handshake outlined in RFC 793.

https://tools.ietf.org/html/rfc793

Thus it is entirely reasonable to drop the connection at the point where the syn plus data packet is received. And this is indeed how strict tcp syn check works on both Juniper and Checkpoint firewalls.

Hopefully, the PA team will recognize that having strict tcp syn check is a feature that should be on by default to prevent this type of invalid communication.

Re: Palto Alto affected by Firestorm bug ??

gtomte — Wed, 16 Dec 2015 14:53:12 GMT

http://researchcenter.paloaltonetworks.com/2015/12/some-clarifications-and-commentary-on-network-security-and-covert-channels/

Re: Palto Alto affected by Firestorm bug ??

santonic — Thu, 17 Dec 2015 07:49:27 GMT

I agree with all that. But an option for strict checking of SYN packets would still be nice feature.

Re: Palto Alto affected by Firestorm bug ??

vcappuccio — Thu, 31 Dec 2015 10:05:49 GMT

http://www.rfc-base.org/rfc-7413.html however I fail to see the importance of allowing SYN with data or not.

2.  Data in SYN

   Standard TCP already allows data to be carried in SYN packets
   ([RFC793], Section 3.4) but forbids the receiver from delivering it
   to the application until the 3WHS is completed.  This is because
   TCP's initial handshake serves to capture old or duplicate SYNs.