Palo Alto affected by Firestorm bug??

L4 Transporter

Palo Alto affected by Firestorm bug??

Hi all,

Any info about the Firestorm bug and the Palo Alto Firewall??

http://www.bugsec.com/news/firestorm/

Regards,

HA


L5 Sessionator

Re: Palo Alto affected by Firestorm bug??

If I understand this correctly, it has nothing to do with NG FW, application recognition or anything like this.

Every firewall allows a 3-way TCP handshake if there is an appropriate rule in the policy. It has nothing to do with application policy or anything. If you can extract data through the TCP handshake, it doesn't matter whether it's allowed by a layer 4 rule (allowed by destination port 80) or by a layer 7 rule (allowed as web-browsing). It's more something that should be fixed as part of the IPS policy or, in the PA case, zone protection, which should check the validity (or compliance) of the SYN, SYN-ACK and ACK packets and not allow any data there.


L7 Applicator

Re: Palo Alto affected by Firestorm bug??

You should have custom reports in place to detect this kind of behaviour.

For example, if some device in your network has loads of sessions with the "incomplete" and "insufficient-data" applications, then it is worth taking a look, as it is an indicator of compromise.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L7 Applicator

Re: Palo Alto affected by Firestorm bug??

I think the nuance here that Palo Alto is missing, and I would hope would update in PAN-OS, is that the inclusion of data in the SYN packet during the handshake is a violation of the strict TCP SYN handshake outlined in RFC 793.

https://tools.ietf.org/html/rfc793

Thus it is entirely reasonable to drop the connection at the point where the SYN plus data packet is received. And this is indeed how strict TCP SYN check works on both Juniper and Check Point firewalls.

Hopefully, the PA team will recognize that having strict TCP SYN check is a feature that should be on by default to prevent this type of invalid communication.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
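To make the strict TCP SYN check discussed in the posts above concrete, here is an added example (not code from this thread, from PAN-OS, or from any vendor's product) that parses a raw IPv4/TCP packet and returns a verdict: a SYN or SYN-ACK carrying payload bytes is dropped, unless the segment negotiates TCP Fast Open (RFC 7413 option kind 34), in which case it is flagged for policy review rather than silently allowed. The packet builder and the addresses in it are constructed test data, not captured traffic.

```python
import struct

SYN, ACK = 0x02, 0x10
TFO_OPTION_KIND = 34  # TCP Fast Open cookie option (RFC 7413)

def build_ipv4_tcp(flags, payload=b"", options=b""):
    """Construct a minimal IPv4/TCP packet for testing (checksums left zero)."""
    assert len(options) % 4 == 0, "TCP options must be padded to 32-bit words"
    data_offset = ((20 + len(options)) // 4) << 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(options) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))  # constructed addresses
    return ip + tcp + options + payload

def inspect_tcp(pkt):
    """Return (tcp_flags, payload_length, has_tfo_option), or None if the packet is not TCP."""
    if len(pkt) < 20 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    payload_len = len(tcp) - data_off
    has_tfo, i, opts = False, 0, tcp[20:data_off]
    while i < len(opts):                 # walk the option list (kind, length, ...)
        kind = opts[i]
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                        # malformed option, stop parsing
        has_tfo = has_tfo or kind == TFO_OPTION_KIND
        i += opts[i + 1]
    return flags, payload_len, has_tfo

def strict_syn_verdict(pkt):
    """'drop' a SYN or SYN-ACK that carries payload bytes; 'review' it if it negotiates
    TCP Fast Open, where RFC 7413 permits data in the SYN; 'allow' everything else."""
    info = inspect_tcp(pkt)
    if info is None:
        return "allow"
    flags, payload_len, has_tfo = info
    if flags & SYN and payload_len > 0:
        return "review" if has_tfo else "drop"
    return "allow"
```

A plain ACK with payload is allowed because data after the handshake is normal and cannot be judged statelessly; a real firewall would tie that to its session table.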

L5 Sessionator

Re: Palo Alto affected by Firestorm bug??

I agree with all that. But an option for strict checking of SYN packets would still be a nice feature.


L3 Networker

Re: Palo Alto affected by Firestorm bug??

http://www.rfc-base.org/rfc-7413.html, however I fail to see the importance of allowing SYN with data or not.


2.  Data in SYN

   Standard TCP already allows data to be carried in SYN packets
   ([RFC793], Section 3.4) but forbids the receiver from delivering it
   to the application until the 3WHS is completed.  This is because
   TCP's initial handshake serves to capture old or duplicate SYNs.