Pyramid's BenHur firewall is based on Debian Linux with kernel 2.2.x.
It uses the kernel's built-in ipchains firewall capabilities.
As is well known, ipchains is only a static port filter (in contrast to iptables in
2.4.x).
The ruleset allowing active FTP from inside (client) to outside (server)
is not perfect, leading to a vulnerability: an attacker may connect to
TCP ports 1024 and above using source port 20.
This can be very dangerous because of the possibility of connecting to port 8888, where
the web-based admin GUI is listening. If the default password hasn't been changed,
an attacker can remotely administer the firewall via this GUI. No higher-level
ACL is enabled by default.
Pyramid has already released the experimental update 067, which closes this
hole. It is available to customers through the built-in update mechanism or at the
URL https://www.ben-hur.de/updates_experimental/.
Where no update is possible, the port filter should at least be changed as
described below in the file '/etc/init.d/ben-hur.ipchains' to prevent access
to all ports from 1024 and above:
Old:
$IPCHAINS -A input --source-port 20 -d $WORLD 1024:65096 -p tcp -i $IFACE_WWW -j ACCEPT
$IPCHAINS -A output --source-port 20 -d $HOME 1024:65096 -p tcp -i $IFACE_LAN -j ACCEPT
New:
# For masquerading of active FTP
$IPCHAINS -A input --source-port 20 -d $WORLD 61000:65095 -p tcp -i $IFACE_WWW -j ACCEPT
$IPCHAINS -A output --source-port 20 -d $HOME 1024:65535 -p tcp -i $IFACE_LAN -j ACCEPT
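To check a BenHur-style ipchains script for the same class of mistake, here is a small audit helper (an added example, not Pyramid's code): it parses ACCEPT rules in the input chain that admit TCP from source port 20 on the external interface and flags any whose destination port range reaches outside the masquerade range used by the corrected rule above (61000:65095), reporting explicitly when the admin GUI port 8888 falls inside the accepted range. The rule format, the interface name $IFACE_WWW and the two sample lines are taken from this advisory; everything else is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Hypothetical audit helper (added example, not from Pyramid/BenHur).
MASQ_PORT_MIN, MASQ_PORT_MAX = 61000, 65095  # range used by the fixed rule in the advisory
ADMIN_GUI_PORT = 8888                        # BenHur web admin GUI port (from the advisory)

# Matches the field order used in /etc/init.d/ben-hur.ipchains as quoted above.
RULE_RE = re.compile(
    r"-A\s+(?P<chain>\w+)"
    r".*?--source-port\s+(?P<sport>\d+)"
    r".*?-d\s+\S+\s+(?P<dlo>\d+):(?P<dhi>\d+)"
    r".*?-p\s+tcp"
    r".*?-i\s+(?P<iface>\S+)"
    r".*?-j\s+(?P<target>\w+)"
)

@dataclass
class Finding:
    line: str
    reason: str

def audit_ftp_rules(rules, external_iface="$IFACE_WWW"):
    """Return a Finding for every inbound source-port-20 ACCEPT rule on the
    external interface whose destination range is wider than the masquerade range."""
    findings = []
    for line in rules:
        m = RULE_RE.search(line)
        if not m or m["target"] != "ACCEPT" or m["sport"] != "20":
            continue
        if m["chain"] != "input" or m["iface"] != external_iface:
            continue  # only inbound rules on the external interface matter here
        lo, hi = int(m["dlo"]), int(m["dhi"])
        if lo < MASQ_PORT_MIN or hi > MASQ_PORT_MAX:
            reason = f"source-port 20 ACCEPT reaches {lo}:{hi}, outside masquerade range"
            if lo <= ADMIN_GUI_PORT <= hi:
                reason += f"; admin GUI port {ADMIN_GUI_PORT} is reachable"
            findings.append(Finding(line, reason))
    return findings

# Constructed sample input: the old and new input-chain rules from the advisory.
OLD_RULE = "$IPCHAINS -A input --source-port 20 -d $WORLD 1024:65096 -p tcp -i $IFACE_WWW -j ACCEPT"
NEW_RULE = "$IPCHAINS -A input --source-port 20 -d $WORLD 61000:65095 -p tcp -i $IFACE_WWW -j ACCEPT"

if __name__ == "__main__":
    for f in audit_ftp_rules([OLD_RULE, NEW_RULE]):
        print(f.reason, "<-", f.line)
```

Running it reports only the old rule; the corrected rule passes because its range sits entirely inside 61000:65095.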
More details are available in our long advisory in text format ae-200207-028-BenHur-activeFTPruleset.