COMMAND
Raptor
SYSTEMS AFFECTED
Raptor 6.5
PROBLEM
Lysel Christian Emre found the following. If a rule allows HTTP
traffic, the Raptor firewall will forward HTTP requests to port
numbers other than 80. Redirect rules do not affect this problem.
When an external or internal client configures itself to use the
nearest firewall interface as its proxy, it is possible to access
ports other than 80 on the target host.
Only the HTTP protocol is allowed, and only to a range of TCP
ports: TCP 79-99 and TCP 200-65535.
If a port outside this range is targeted, an Alert is issued.
An example of what this vulnerability could be used for:
Set up a Raptor firewall allowing Universe to access a local web
server (host: webserver) listening on port 80 (normal website)
and port 2000 (admin site). This gives external users access to
the admin site listening on port 2000 if the client is configured
to use the external interface as a proxy server (for lynx:
"export http_proxy = http://external-interface:80/ ;
lynx http://webserver:2000/").
This works not only for external users but also for internal
users. Testing of the Secure Socket Layer has not been performed.
SOLUTION
1. Use httpd.noproxy in the affected rule.
2. Downgrade to version 6.0.2.
3. Apply hotfixes SG6500-20000920-00 and SG6500-20001121-00:
ftp://ftp.axent.com/pub/RaptorFirewall/Patches/6.50/Internal/http-int.zip
Hot Fix SG6500-20000920-00 9/20/2000
=====================================
If a client uses the firewall as a proxy, the firewall will forward
the request to ports other than 80 on the server. This vulnerability
is fixed by closing all ports for the proxy except 80 and any port
specified by httpd.allow_proxy_to_port_xxx=1.
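As an added illustration, not code from the advisory or from the vendor, the following Python models the two forwarding policies described above (the original 79-99 / 200-65535 ranges and the hotfix's "port 80 plus explicitly enabled ports" rule) and runs a check over constructed proxy log lines to flag requests the patched policy would have refused. The log format, the function names and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# Port ranges the unpatched Raptor 6.5 HTTP proxy would forward to,
# as stated in the advisory: TCP 79-99 and TCP 200-65535.
VULNERABLE_RANGES = ((79, 99), (200, 65535))

def parse_proxy_request(request_line):
    """Return (host, port) for an absolute-form request line, e.g.
    'GET http://webserver:2000/ HTTP/1.0' (what a client sends when the
    firewall is its http_proxy), or None for an origin-form request ('GET /')."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[1].lower().startswith(("http://", "https://")):
        return None
    url = urlsplit(parts[1])
    port = url.port or (443 if url.scheme == "https" else 80)
    return url.hostname, port

def vulnerable_policy_allows(port):
    """Pre-hotfix behaviour: forward whenever the port falls in a permitted range."""
    return any(low <= port <= high for low, high in VULNERABLE_RANGES)

def hotfix_policy_allows(port, allowed_extra=frozenset()):
    """SG6500-20000920-00 behaviour: only port 80, plus ports explicitly enabled
    (allowed_extra models httpd.allow_proxy_to_port_xxx=1 entries)."""
    return port == 80 or port in allowed_extra

# Constructed proxy log lines (assumed format: client, quoted request line, status).
SAMPLE_LOG = """\
203.0.113.7 "GET http://webserver/ HTTP/1.0" 200
203.0.113.7 "GET http://webserver:2000/ HTTP/1.0" 200
10.1.1.5 "GET / HTTP/1.0" 200
203.0.113.9 "GET http://webserver:8443/ HTTP/1.0" 200
"""

def find_off_port_proxy_requests(log_text, allowed_extra=frozenset()):
    """Flag proxied requests that the hotfix policy would refuse: these are the
    requests that reached off-port services through the unpatched proxy."""
    hits = []
    for line in log_text.splitlines():
        match = re.search(r'"([^"]*)"', line)
        target = parse_proxy_request(match.group(1)) if match else None
        if target and not hotfix_policy_allows(target[1], allowed_extra):
            hits.append(target)
    return hits
```

Running the check over existing proxy logs gives a quick view of which internal listeners were reachable through the proxy before the hotfix was applied.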
Hot Fix SG6500-20001121-00 11/21/2000
=====================================
This hotfix removes the implementation of
httpd.allow_proxy_to_port_xxx. Without this implementation, the
firewall could be used as a proxy to access (inbound and outbound)
HTTP ports other than 80.
Workaround:
1. Disable the HTTP proxy and use the TCP proxy instead, but this
will introduce other security concerns.
2. Disable other listeners at the webserver.
The patch can be downloaded from (for the international version):
ftp://ftp.axent.com/pub/RaptorFirewall/International/Patches/NT6.5/
If you are using service redirection on the Raptor system (for
example, for connections to your Web server) and you do not want
users connecting through the Raptor system to be able to use it
as a proxy, create a rule and enter the following into the
Advanced Services tab:
http.noproxy
This provides you with more security protection, in addition to
the added flexibility (vs. a packet filter or stateful inspection
product) since it eliminates the need for completely shutting
down the proxy capability of your internal Web servers.
Additionally, in an effort to provide the highest level of
manageability and security to their customers, Raptor will introduce
an enhancement to their Management Console (GUI) whereby the
HTTP.NOPROXY functionality will be permanently exposed. They also
intend to change the default to disable the HTTP proxy capability
on all external interfaces and leave it enabled on all internal
interfaces. This will give your security administrator the
option to manage the default behavior as desired while defaulting
to a more secure initial state "out-of-the-box".