COMMAND

    Esafe Protect Gateway (CVP)

SYSTEMS AFFECTED

    Esafe Protect Gateway (CVP) v2.1 build 98

PROBLEM

    Hugo van der Kooij found the following. The Esafe Protect Gateway
    (ESPG) does not scan some files when deployed in combination with
    FireWall-1 and CVP.

    If you want the Esafe Protect Gateway to scan all content for the
    presence of a virus you have two options.

        1. Choose to scan anything not listed in the 'safe file types'
           list, and then clear out all entries in that list.
        2. Choose to scan only files listed in the 'dangerous file
           types' list, and then have only one extension listed,
           namely '*'.

    Deciding to rely on extensions already seems an indication of a
    flawed design. Renaming files is a common practice and can be done
    by anyone capable of operating a keyboard.

    The problem is that anything with the MIME type set to TEXT/HTML
    will not be scanned regardless of which of the options recommended
    above is chosen. A simple test was capable of pointing this out.

    Set up a default Apache server. Copy a virus file to two locations,
    http://website/test1.txt and http://website/test1.html, and try to
    download them with your favorite browser. The URL is unique and was
    never used by your browser before, to minimize the possibility of
    caches being in place. Forced reloads also work properly and are
    sufficient if you want to replicate this issue.

    Downloading http://website/test1.html does nothing to detect the
    virus and it is yours. No protection is offered. Downloading
    http://website/test1.txt will not work, as ESPG will now intercept
    the file containing the virus.

    By adjusting the web server to send out *.txt as MIME type
    TEXT/HTML and *.html as MIME type TEXT/PLAIN you can now test with
    http://website/test2.txt and http://website/test2.html to verify
    things. Downloading http://website/test2.txt will get you infected,
    as ESPG will not scan the file. Downloading http://website/test2.html
    will not work, as ESPG detects the virus and will prevent it from
    downloading.

    This was tested with Esafe Protect Gateway v2.1 build 98, virus
    tables dated March 15, 2000.

    Simple situation. Provide a supposed link to a .movie file which is
    actually an executable with an embedded .avi (it could be any
    nonstandard, non-executable file type; .movie just works well) for
    download. The web server presents this with the MIME type
    video/x-sgi-movie. The user saves it to disk and follows the brief
    instruction for playing it by doing a Start/Run "start [download
    path]\test.movie". The trojaned file looks like a movie playing and
    exits, but has delivered its payload in the interim. Demo:

        - copy notepad.exe to %TEMP%\test.movie
        - do a start/run
        - type in "start [tmpdir]\test.movie"
        - you now have notepad up on the screen.

    The lab tests performed proved that any file using the MIME header
    TEXT/HTML is passed without verification regardless of the
    extension. Using another vendor's CVP server, testers were able to
    verify that the issue was not a FireWall-1 problem but in fact that
    of the ESPG CVP server. Trend Micro did find the virus in both the
    TEXT/PLAIN and TEXT/HTML MIME types.

SOLUTION

    The trade-off between performance and sufficiency of protection is a
    well-known issue in the world of data security. As suggested by
    Mr. Van der Kooij, it is possible to make files go through eSafe
    Gateway without being scanned for viruses, thus creating security
    holes. eSafe believes that relying on file extensions in order to
    avoid threats and virus assaults is highly efficient. This is
    definitely not due to a "flawed design". At eSafe, they believe
    that it is possible to achieve a high level of security and
    privacy while relying on file extensions.

    The subject described above is, according to Esafe, not a bug, nor
    a security problem. Hence, no fix is needed. On the other hand, the
    Dutch office informed Hugo van der Kooij that the issue is now known
    by the ID DR/047 and is being handled by the development crew.

    Esafe Protect Gateway can at present not be trusted to protect you
    from downloading a virus.