Palto Alto affected by Firestorm bug ??

L4 Transporter

Hi all,
Any info about Firestorm bug and Palo Alto Firewall ??

http://www.bugsec.com/news/firestorm/
Regards,

HA

L6 Presenter

If I understand this correctly it has nothing to do with NG fw, application recognition or anything like this.

Every firewall allows 3-way TCP handshake if there is appropriate rule in policy. It has nothing to do with application policy or anything. If you can extract data through TCP handshake it doesn't matter if it's allowed as layer 4 rule (allowed by destination port 80) or as layer 7 rule (allowed as web-browsing). It's more something that should be fixed as part of IPS policy or zone protection in PA case which should check validity (or compliance) of SYN, SYN-ACK and ACK packets and not allow any data there.

You should have custom reports in place to detect this kind of behaviour.

For example if some device in your network has loads of sessions with "incomplete" and "insufficient-data" applications then it is worth taking a look as it is indicator of compromise.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
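The custom report suggested above, worked through as an added example (not code from the thread or from Palo Alto Networks): it reads a constructed, simplified CSV traffic log, counts per source host how many sessions ended up as "incomplete" or "insufficient-data", and flags hosts where those sessions are both numerous and a large share of their traffic. The column layout, thresholds and sample addresses are assumptions for illustration, not the exact PAN-OS export format.

```python
import csv
from collections import defaultdict
from io import StringIO

# Application names PAN-OS gives to sessions that never reached a proper
# application identification; a pile of these from one host is what the
# reply above suggests looking for.
SUSPECT_APPS = {"incomplete", "insufficient-data"}

# Constructed sample log in a simplified CSV layout (assumed, not the exact
# PAN-OS traffic-log format). 10.1.1.5 keeps opening sessions that are never
# identified; 10.1.1.7 and 10.1.1.9 look like ordinary clients.
SAMPLE_LOG = """\
receive_time,src,dst,dport,app,bytes_sent
2015/12/01 10:00:01,10.1.1.5,203.0.113.10,80,incomplete,612
2015/12/01 10:00:02,10.1.1.5,203.0.113.10,80,insufficient-data,1460
2015/12/01 10:00:03,10.1.1.5,203.0.113.10,443,incomplete,598
2015/12/01 10:00:04,10.1.1.5,203.0.113.10,80,insufficient-data,1460
2015/12/01 10:00:05,10.1.1.5,203.0.113.10,80,incomplete,640
2015/12/01 10:00:06,10.1.1.5,203.0.113.10,80,insufficient-data,1460
2015/12/01 10:00:07,10.1.1.7,198.51.100.20,80,web-browsing,4820
2015/12/01 10:00:08,10.1.1.7,198.51.100.21,80,incomplete,74
2015/12/01 10:00:09,10.1.1.9,198.51.100.22,443,ssl,30212
2015/12/01 10:00:10,10.1.1.9,198.51.100.22,443,ssl,12840
"""

def session_stats(log_text):
    """Per source host: (suspect_sessions, total_sessions, bytes_sent_in_suspect_sessions)."""
    stats = defaultdict(lambda: [0, 0, 0])
    for row in csv.DictReader(StringIO(log_text)):
        entry = stats[row["src"]]
        entry[1] += 1
        if row["app"] in SUSPECT_APPS:
            entry[0] += 1
            entry[2] += int(row["bytes_sent"])
    return {src: tuple(v) for src, v in stats.items()}

def flag_hosts(log_text, min_sessions=5, min_ratio=0.5):
    """Hosts whose unidentified sessions are numerous and a large share of their
    traffic, most suspicious first; each item is (src, suspect, total, bytes)."""
    flagged = []
    for src, (suspect, total, nbytes) in session_stats(log_text).items():
        if suspect >= min_sessions and suspect / total >= min_ratio:
            flagged.append((src, suspect, total, nbytes))
    return sorted(flagged, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    for src, suspect, total, nbytes in flag_hosts(SAMPLE_LOG):
        print(f"{src}: {suspect}/{total} sessions unidentified, {nbytes} bytes sent in them")
```

The ratio guards against flagging a busy server that has a few incomplete sessions among thousands of normal ones; tune both thresholds against a baseline of your own traffic.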

L7 Applicator

I think the nuance here that Palo Alto is missing, and I would hope would be updated in PanOS, is that the inclusion of data in the SYN packet during the handshake is a violation of the strict TCP SYN handshake outlined in RFC 793.

https://tools.ietf.org/html/rfc793

Thus it is entirely reasonable to drop the connection at the point where the syn plus data packet is received.  And this is indeed how strict tcp syn check works on both Juniper and Checkpoint firewalls.
Hopefully, the PA team will recognize that having strict tcp syn check is a feature that should be on by default to prevent this type of invalid communication.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

I agree with all that. But an option for strict checking of SYN packets would still be a nice feature.

http://www.rfc-base.org/rfc-7413.html, however I fail to see the importance of allowing SYN with data or not.

2.  Data in SYN

   Standard TCP already allows data to be carried in SYN packets
   ([RFC793], Section 3.4) but forbids the receiver from delivering it
   to the application until the 3WHS is completed.  This is because
   TCP's initial handshake serves to capture old or duplicate SYNs.