SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Firewall)  >   Symantec Enterprise Firewall (Raptor) Vendors:   Symantec
Symantec (Axent) Raptor Firewall May Allow Unauthorized Access Through the Firewall Using the HTTP Protocol
SecurityTracker Alert ID:  1001153
SecurityTracker URL:  http://securitytracker.com/id/1001153
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 26 2001
Impact:   Host/resource access via network
Fix Available:  Yes  Exploit Included:  Yes  
Version(s): 6.5
Description:   The Symantec Raptor firewall contains a vulnerability that may allow unauthorized users to traverse the firewall and access unauthorized ports using the HTTP protocol.

The Raptor firewall reportedly allows the forwarding of http requests on port numbers other than the standard port number (80) if a rule allowing http traffic is configured.

When an internal or external web browser is configured to use the nearest interface of the firewall as a web proxy, it is apparently possible for that web browser to traverse the firewall and access ports other than port 80 on the destination host.

Only the http protocol is permitted and only certain ranges of TCP destination ports are permitted:

TCP ports 79-99 and 200-65535.

If a port outside this range is targeted, the firewall will issue an Alert.

Impact:   A remote user could access ports on hosts on a protected network using http when the firewall is configured to allow http to the host(s).
Solution:   Apply vendor patches. See the author's configuration recommendations.
Vendor URL:  www.symantec.com (Links to External Site)
Cause:   Access control error
Underlying OS:   UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Re: Symantec (Axent) Raptor Firewall May Allow Unauthorized Access Through the Firewall Using the HTTP Protocol   (Alexander Bochmann <ab@GXIS.DE>)
A user provides additional information.
(Vendor Responds That This is Not a Product Vulnerability) Re: Symantec (Axent) Raptor Firewall May Allow Unauthorized Access Through the Firewall Using the HTTP Protocol   (William Aguilar <WAguilar@SYMANTEC.COM>)
The vendor responds that this is not a vulnerability and provides supporting details and recommendations.



 Source Message Contents

Date:  Sat, 24 Mar 2001 17:55:29 +0100
Subject:  Raptor 6.5 http vulnerability


1. Problem Description

	The Raptor firewall is vulnerable to forwarding http
	requests on port numbers other than 80, if a rule allows http
	traffic.

	Redirect rules do not affect this problem.

	When an external or internal client configures itself to use
	the nearest interface as proxy, it's possible to access other
	ports than 80 on the target host.

	Only the http protocol is allowed and only to a range of TCP
	ports:

		TCP, 79-99 and TCP, 200-65535.

	If a port outside this range is targeted, an Alert
	will be issued.

	An example of what this vulnerability could be used for:

		Setting a Raptor firewall up, allowing Universe to
		access a local web server (host: webserver), listening
		on port 80 (normal website) and 2000 (admin
		site). This would give external users access to the
		admin site listening on port 2000, if the client is
		configured to use the external interface as a proxy
		server (for lynx: "export http_proxy =
		http://external-interface:80/ ; lynx
		http://webserver:2000/").
	
	This works not only for external users, but also for internal
	users.

	Testing of the Secure Socket Layer has not been performed.



2. Vulnerable Versions

	Raptor firewall 6.5.

2.1 Non Vulnerable Versions

	Raptor firewall 6.0.2.
	Older versions, not tested.

3. Solution

	1. Use httpd.noproxy in the affected rule.

	2. Downgrade to version 6.0.2

	3. Apply hotfix SG6500-20000920-00 and SG6500-20001121-00,

	   ftp://ftp.axent.com/pub/RaptorFirewall/Patches/6.50/Internal/http-int.zip

	  Hot Fix SG6500-20000920-00 9/20/2000

	  if client uses firewall as proxy, firewall will forward
	  request to ports other than 80 on server. this vulnerability
	  is fixed by closing all ports for proxy except 80 and port
	  specified by httpd.allow_proxy_to_port_xxx=1.

	  Hot Fix SG6500-20001121-00 11/21/2000

	  this hotfix removes the implementation of
	  httpd.allow_proxy_to_port_xxx.  Without this implementation,
	  firewall could be used as proxy to access (inbound and
	  outbound) http ports other than 80.

3.1 Workaround:

	1. Disable the http proxy, and use the TCP proxy. But this
	will introduce other security concerns.

	2. Disable other listeners at the webserver.


4. References

	Found by:

	Benny Amorsen, benny_amorsen@hp.com and
	Christian E. Lysel, chlys@wmdata.com

	Reported to Axent the 29th Aug 2000.

--
Christian E. Lysel, Senior Security Consultant,
WM-data Infra Solutions eCom, Lautrupvang 10, DK - 2750 Ballerup
Phone +45 44 78 40 00, Mob +45 44 78 40 29, Fax +45 44 78 40 04
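The following is an added example (not Raptor or Symantec code) that models the destination-port check a firewall HTTP proxy has to make on an absolute-URI request like the lynx request above. It contrasts the unpatched behaviour the advisory describes (ports 79-99 and 200-65535 forwarded, anything else raising an Alert) with the policy of hotfix SG6500-20000920-00 (port 80 plus ports explicitly enabled by `httpd.allow_proxy_to_port_<N>=1`); the settings dict and function names are assumptions for illustration.

```python
"""Destination-port policy for proxied HTTP requests, modelled on the
Raptor 6.5 behaviour in the advisory above (added example, not vendor code)."""
from urllib.parse import urlsplit

# Port ranges the advisory says the unpatched proxy would forward to.
UNPATCHED_RANGES = ((79, 99), (200, 65535))


def parse_proxy_request(request_line: str) -> tuple:
    """Return (host, port) from a proxy-style request line such as
    'GET http://webserver:2000/ HTTP/1.0'. Raises ValueError if malformed."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[1].lower().startswith("http://"):
        raise ValueError("not an absolute-URI HTTP proxy request")
    url = urlsplit(parts[1])
    if not url.hostname:
        raise ValueError("missing host in proxy request")
    return url.hostname, url.port or 80  # no explicit port means 80


def unpatched_policy(port: int) -> bool:
    """Pre-hotfix behaviour: any port inside the advisory's ranges is forwarded."""
    return any(lo <= port <= hi for lo, hi in UNPATCHED_RANGES)


def patched_policy(port: int, settings: dict) -> bool:
    """Hotfix SG6500-20000920-00 behaviour as the page describes it: only port 80,
    plus ports enabled via httpd.allow_proxy_to_port_<N>=1 (settings dict is assumed)."""
    return port == 80 or settings.get("httpd.allow_proxy_to_port_%d" % port) == "1"


def decide(request_line: str, settings: dict, patched: bool = True) -> str:
    """Return 'FORWARD', 'DENY' or 'ALERT' for one proxy request line.
    'ALERT' mirrors the advisory's note that out-of-range ports raise an Alert
    on the unpatched firewall; the patched model simply denies."""
    host, port = parse_proxy_request(request_line)
    allowed = patched_policy(port, settings) if patched else unpatched_policy(port)
    if allowed:
        return "FORWARD"
    return "DENY" if patched else "ALERT"


if __name__ == "__main__":
    # Constructed request lines: the admin site on port 2000 from the advisory.
    admin = "GET http://webserver:2000/ HTTP/1.0"
    print(decide(admin, {}, patched=False))  # unpatched: forwarded to port 2000
    print(decide(admin, {}))                 # patched: denied
    print(decide(admin, {"httpd.allow_proxy_to_port_2000": "1"}))  # explicitly enabled
```

The second hotfix (SG6500-20001121-00) removes the `httpd.allow_proxy_to_port_xxx` mechanism entirely, which in this model corresponds to an empty settings dict.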

Copyright 2013, SecurityGlobal.net LLC