COMMAND
Gauntlet
SYSTEMS AFFECTED
Gauntlet 5.0 BSDI with latest Gauntlet patches
PROBLEM
Keith Young found following. Local trusted and remote non-trusted
users with routes through firewall may bypass all Gauntlet
security rules. No activity will appear in the /var/log/messages
log file. Internal network scheme is exposed. This issue will
appear if you do the following in sequence:
1) Install BSDI 3.1
2) Install Gauntlet 5.0
3) Install BSDI patch M310-049
4) Install Gauntlet 5.0 kernel patch level 2
Other notes:
A) Behavior occurs if connection is through any adaptive proxy
(http-pdk), "old" proxy (http-gw) or no proxy at all (any
TCP connection).
B) Packets will not be NATed by firewall, so to be 100%
successful, a route will need to be published to get to
your internal network through your firewall.
C) As mentioned, nothing is ever logged in /var/log/messages
D) Adding NATs to Gauntlet does not change the packets.
How to reproduce? Network configuration:
[client]====[firewall]====[WWW/FTP-server]
(internal) (external)
Client/Server: either Win98 or RedHat Linux 6.0, P2-350, 128MB RAM
Firewall: P2-350, 256MB RAM, 10GB hard drive, any BSDI-compatible NIC
All network connections done via 10baseT crossover cables, however
users can be across hubs or routers. Listed here are the exact
steps needed to reproduce this problem.
1) Install BSDI 3.1, March 1998. Use automatic install,
however you may install minimal packages if you wish.
2) Mount the Gauntlet 5.0 CD-ROM. Execute /cdrom/fwinstall
3) Install Gauntlet 5.0.
4) Reboot after installation.
5) Login as root.
6) Enter "Fast GUI Setup". Fill in appropriate Interface
settings for external and internal interfaces. If
necessary, configure ESPM hosts, DNS settings, and admin
users.
7) Quit gauntlet-admin, save changes, and rebuild.
8) After proxies have reconfigured, reboot machine.
9) Since M310-049 is required for Gauntlet kernel patch
install, and M310-046 is required for M310-049
installation, download both from
ftp://ftp.bsdi.com/bsdi/patches/patches-3.1/
File info:
M310-046 1194 Kb Wed Oct 14 00:00:00 1998
M310-049 116 Kb Wed Dec 16 00:00:00 1998
Both patches are considered "OK" by the Gauntlet support
site: http://www.tis.com/support/bsd31.html
10) Bring machine to single-user mode by executing "kill -term
1".
11) Execute "perl5 M310-046 apply" to install BSDI libc patch.
12) Execute "perl5 M310-049 apply" to install IP DoS fix.
13) Execute "cd /sys/compile/GAUNTLET-V50/".
14) Build new kernel as required by M310-049 IP DoS kernel fix.
# make clean
# make depend
# make
15) After kernel is rebuilt, reboot machine.
16) Download Gauntlet 5.0 kernel and cluster patch:
File info:
cluster.BSDI.patch 12623 Kb Wed Sep 01 19:33:00 1999
kernel.BSDI.patch 414 Kb Wed Aug 04 17:54:00 1999
17) As noted in patch install directions, execute the following
# sh ./cluster.BSDI.patch
# sh ./kernel.BSDI.patch
# cd kernel.BSDI.patch
# sh ./apply
# cd ../cluster.BSDI.patch
# sh ./apply
18) After patches are installed, reboot machine.
19) Install ESPM-GUI on client machine. Start ESPM-GUI. Add
client machine to trusted network group. Apply changes.
20) Start web browser on client machine. Set web proxy setting
to internal interface of firewall. Attempt to connect to
external web server. Access is allowed. *This is correct.*
20) Remove http-gw from trusted network services. Apply
changes. Attempt to connect to external web server. Access
is denied. *This is correct.*
==Problem starts here==
21) Remove proxy setting in web browser on client machine. Set
gateway/default route on client machine to internal
interface of firewall. Set gateway/default route on server
machine to external interface of firewall.
22) Clear web browser cache. Attempt to connect to external web
server. Web page is downloaded with no logs in Gauntlet.
23) Start ESPM-GUI. Remove all services from trusted networks
services. Remove client machine from ESPM network group.
Apply changes.
24) FTP from client machine to server. FTP connection is made
though no rule exists.
25) Start telnet server on client machine. Telnet from server
to client. Telnet connection is made.
SOLUTION
Other Gauntlet 5.0 patched systems are not affected. Unpatched
Gauntlet 5.0 BSDI is not affected. Workaround:
A) Install M310-049 *before* installing Gauntlet 5.0.
B) A vendor patch/fix/suggestion is coming.
C) Workaround: NEITHER MYSELF, V-ONE, NOR NAI IS RESPONSIBLE
FOR THE CORRECT/INCORRECT USE OF THIS (DOING THIS MAY
ADVERSELY AFFECT YOUR SYSTEM AND MAY VOID TECH SUPPORT).
(as root)
1) # cp /usr/local/sys.gauntlet/i386/OBJ/ip_input.o /usr/src/sys/i386/OBJ
2) # sh /usr/local/sys.gauntlet/build_kernel/build_kernel 50.1
3) # reboot
NAI released a fix. You can download it from:
http://www.tis.com/support/patch50.html
This has been addressed in the kernel.BSDI.patch, patchlevel 3
that BSDi released yesterday for Gauntlet 5.0.