Firestorm – how to avoid the latest Next Generation Firewall vulnerability

A new, severe vulnerability in Next Generation Firewalls was earlier this week unveiled by cyber threat detection specialist, Cynet. The vulnerability, dubbed FireStorm, allows an internal entity or malicious code to interact and extract data out of an organisation, completely bypassing the firewall limitation.

It was discovered that the firewalls are designed to permit full TCP handshake regardless of the packet destination, in order to gather enough content for the firewall to identify which application protocol is being used (web-browsing/telnet etc.).

This is applicable if the devices are configured, for example, to allow web browsing (HTTP/S) traffic from the LAN environment to specific locations on the internet (URL Filtering). This is true even with a single location.

The vulnerability allowed specialists at Cynet to perform a full TCP handshake via the HTTP port with a C&C (Command and Control) on a self-hosted server. From there, the penetration testers were able to forge messages and tunnel them out through the TCP handshake process, bypassing the firewall to any destination on the Internet, regardless of firewall rules and client restrictions.

Firestorm blog - Firewall imageYou can read a full account of this Next Generation Firewall vulnerability on the Cynet blog, but what struck me was how this wouldn’t affect another type of technology, namely a guard.

The basic premise of why this doesn’t affect guards is due to the fact that they terminate the TCP connection! So the compromised client trying to contact the C&C server only sends the maliciously-crafted handshake to the guard which will terminate the TCP connection as opposed to forwarding it.

It then creates an entirely new connection by sending a clean SYN packet without the sensitive data to the destination (if the guard is configured to send to that destination), so there is no chance of data being exfiltrated by the client within the TCP handshake.

Firestorm blog - Guard imageIn summary, guards are all essentially explicit proxy servers (terminate session, extract payload, establish new session to pre-determined destination) rather than firewalls (generally just forward packets on and track the sessions). So any vulnerabilities affecting packet forwarding will therefore only apply to next generation firewalls and not have any impact on guards.