-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution
                             
              ESB-2000.107 -- Trusted Information Systems (TIS)
    Gauntlet Firewall for Unix and WebShield cyberdaemon Buffer Overflow
                           Vulnerability Advisory
                                 25 May 2000

===========================================================================

	AusCERT Security Bulletin Summary
	---------------------------------

Product:		Gauntlet for Unix versions 4.1, 4.2, 5.0, 5.5 
                        WebShield 300 series E-ppliance
                        WebShield For Solaris 4.0
                        WebShield 100 series E-ppliance 
Vendor:			Trusted Information Systems
                        Network Associates
Operating System:	Solaris
                        BSDI
                        Unix
Platform:		N/A

Impact:			Root Compromise
                        Denial of Service
Access Required:	Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

http://www.tis.com/support/cyberadvisory.html

Gauntlet Firewall for Unix and WebShield cyberdaemon Buffer Overflow Vulnerability Advisory

Created: May 21, 2000
Updated: May 21, 2000
Author(s): Gauntlet Firewall Engineering
Comment: n/a

Background:

A security vulnerability has been discovered on the following products:

      Gauntlet for Unix versions 4.1, 4.2, 5.0, 5.5 
      WebShield 300 series E-ppliance 
      WebShield For Solaris 4.0 
      WebShield 100 series E-ppliance 

This security vulnerability is a Buffer Overflow in the CyberPatrol daemon that can cause a Denial of Service (DOS) for HTTP traffic
through the specified products.

The CyberPatrol daemon "cyberdaemon" is used to enforce CyberPatrol policy in conjunction with the HTTP proxy. The DOS attack
results in the cyberdaemon crashing and dumping a core file, thus preventing the HTTP proxy from checking the CyberPatrol policy, which
results in failure to accept new connections.

In addition to the DOS attack, it is possible to exploit this Buffer Overflow vulnerability to execute arbitrary shell commands as root on
the Firewall. This extension of the attack was replicated on the BSDI version of the Gauntlet Firewall.



Solution:

A Patch to repair this vulnerability is available for all products listed above except for Gauntlet 4.1. Gauntlet 4.1 customers should apply
the manual workaround which closes this vulnerability, documented below.

See the Patch Page to select your version of Gauntlet or WebShield and download the appropriate patch.

This patch is a mandatory patch that includes a new version of the CyberPatrol daemon, cyberdaemon. If patching the system is not
possible at this point in time, the manual workaround procedures for each product are documented below.



Workarounds for Gauntlet Firewall and WebShield 300 E-ppliance

These instructions apply to the following products:

      Gauntlet for Unix versions 4.1, 4.2, 5.0, 5.5 and 
      WebShield 300 series E-ppliance. 

There are two possible workarounds for the cyberdaemon Buffer Overflow Vulnerability, depending on whether or not you are using
CyberPatrol:

1) If you are NOT using CyberPatrol, Shut off the cyberdaemon.

This is accomplished by using the text-based admin utility on the firewall.

a. For the Gauntlet firewall series, log onto the console of the firewall or telnet into the firewall (if connections to localhost are
permitted). For the WebShield 300 E-ppliance series, you can either use the custom cable that originally shipped with the product in
conjunction with a terminal program such as Hyperterminal to establish a serial connection to the machine, or if connections to localhost
are permitted, you can telnet to the E-ppliance and log in that way.

b. Start the text-based admin utility by entering "gauntlet-admin" for any version of the Gauntlet firewall or entering "webshield-admin"
for the WebShield 300 series.

c. Using the arrow keys, go to Basic System Configuration, press Enter

d. Arrow down to Proxy Configuration, press Enter

e. Arrow down to CyberPatrol, press Enter

f. Arrow down to change the 'on' value to 'off'

g. TAB to the Save option, press Enter

h. TAB to Return to Previous Menu, press Enter

i. TAB to Return to Previous Menu, press Enter

j. TAB to Finish Configuration, press Enter

k. Select Quit and Update Configuration, press Enter

l. Type y and press Enter, press Enter again

At this point, the CyberPatrol daemon is no longer running and CyberPatrol functionality is no longer available. You can check this by
entering:

ps -ef|grep cyber (Solaris and HP systems)
ps -aux|grep cyber (BSD/OS systems)

The only output you should see is the grep for cyber.

2) If you are using CyberPatrol and would like to continue using it, create a packet filter rule to disallow any connections to port
8999 on the firewall.

To configure this through the GUI:

a. Start the GUI and connect to the firewall

b. Double Click on Environment - Local Filter Rules

c. Click Add

d. Choose * for all interfaces

e. Choose ALL under "protocol selection"

f. Choose Deny Traffic from the Access filter drop down menu

g. In the Source IP, enter 0.0.0.0 for the IP and 0.0.0.0 for the Netmask

h. For Source Port, enter * and *

i. In the Destination IP, enter 0.0.0.0 for the IP and 0.0.0.0 for the Netmask

j. For Destination Port, enter 8999 and 8999

k. Click OK

l. Click the Save Icon

m. When prompted, choose Yes to Save and Apply.

To configure this using gauntlet-admin or webshield-admin:

a. Start the utility (gauntlet-admin or webshield-admin)

b. Using the TAB, arrow and enter keys, go to OPTIONAL System Configuration, press Enter

c. Arrow down to Packet Screening Rules, press Enter

d. Arrow down to Edit local ruleset, press Enter

e. Select "new entry" and press Enter

f. Arrow to Deny for the "Type" section

g. Tab to interface, enter *

h. Tab to protocol, enter *

i. Tab to Source port, enter *

j. Tab to Source Address, enter 0.0.0.0

k. Tab to Source Mask, enter 0.0.0.0

l. Tab to Destination Port, enter 8999

m. Tab to Destination Address, enter 0.0.0.0

n. Tab to Destination Mask, enter 0.0.0.0

o. Tab to Save, press Enter

p. Tab to Return to Previous menu, press Enter

q. Tab to Return to Previous menu, press Enter

r. Arrow to Return, press Enter

s. Tab to Return to Previous menu, press Enter

t. Tab to Finish Configuration, press Enter

u. Highlight Quit and Update Configuration, press Enter

v. Type y, press Enter

At this point, you will have a packet filtering rule which will deny any connection to port 8999 on the firewall. There is no need for any
external connections to this port, as all necessary functions for CyberPatrol are handled locally.



Workaround for WebShield For Solaris and WebShield 100 Series E-ppliances

These instructions apply to the following products:

      WebShield for Solaris 4.0 and 
      WebShield 100 series E-ppliance 

The workaround for the cyberdaemon Buffer Overflow Vulnerability on a WebShield for Solaris product or a WebShield 100 E-ppliance is
to disable the cyberdaemon. The following steps should be taken:

STEP 1: 

# cd /usr/local/etc/mgmt/rc

STEP 2: 

# ./s115cyberpatrol stop

STEP 3: 

# cd /usr/local/etc/mgmt

STEP 4: 

# vi gauntlet.conf

Search for the cyberpatrol section by doing the following command: 

/cyberdaemon

You should see a section like this: 

def_proxy_12_name=cyberpatrol
def_proxy_12_realname=cyberpatrol
def_proxy_12_num_parms=8
def_proxy_12_parm_1_name=child-limit
def_proxy_12_parm_1_value=
def_proxy_12_parm_2_name=userid
def_proxy_12_parm_2_value=
def_proxy_12_parm_3_name=groupid
def_proxy_12_parm_3_value=
def_proxy_12_parm_4_name=directory
def_proxy_12_parm_4_value=
def_proxy_12_parm_5_name=proxy-exec
def_proxy_12_parm_5_value=./cyberdaemon
def_proxy_12_parm_6_name=state
def_proxy_12_parm_6_value=on
def_proxy_12_parm_7_name=bind-port
def_proxy_12_parm_7_value=8999
def_proxy_12_parm_8_name=proxy-type
def_proxy_12_parm_8_value=cyberdaemon

Change the "state" value from on to off. This is done by changing the value in the line 

        def_proxy_12_parm_6_value=on

to 

        def_proxy_12_parm_6_value=off

The numbers may differ, but as you can see in the block shown above, the parameters are "grouped" together by their "def_proxy_#". If
the def_proxy_# of the line that you are changing is different from the first line you found when you searched for "cyber", you are changing
the wrong value. Please don't do that. Once you have finished, write and quit out of vi. 

:wq!

STEP 5: 

# update TEXT

You will see the following message: 

Configuration file updated
Rebuild system configuration files? 

STEP 6: Type "y" and press Enter. You will see the following messages: 

Performing substitutions on /etc/netstart...
Performing substitutions on /etc/mail/aliases ...
Rebuilding /etc/mail/aliases database...
/etc/mail/aliases: 11 aliases, longest 10 bytes, 126 bytes total
Performing substitutions on /usr/local/etc/netperm-table...
Performing substitutions on /etc/hosts...
Performing substitutions on crontab file(s)...
Updating crontabs for root and uucp.
Performing substitutions on /etc/mail/sendmail.cf ...
Performing substitutions on /etc/resolv.conf
Not rebuilding DNS files

Done substitutions.

See if proxies changed state and stop or start as needed.
If you changed the network address of the system, you will need
to reboot (or sh /etc/netstart) in order for the change to take effect.
# 
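The gauntlet.conf edit in STEP 4 is the step where the advisory warns that the def_proxy_# numbers may differ from one system to another and that changing the "state" value of a different group disables the wrong proxy. The following script, added here as an illustration and not part of the TIS advisory or the Gauntlet product, makes that selection mechanically: it groups the parm_<k>_name/parm_<k>_value pairs by their def_proxy_<N> prefix, locates the group whose proxy-type is cyberdaemon, and rewrites only that group's state value. The sample configuration is constructed: it contains the cyberpatrol block quoted above plus an assumed, unrelated http-gw entry (def_proxy_11) that also has a state parameter and must be left untouched. Running "update TEXT" afterwards, as in STEP 5, is still required on the real system.

```python
import re

# Matches the numbered parameter keys of one proxy definition, e.g.
# def_proxy_12_parm_6_name / def_proxy_12_parm_6_value.
PARM_KEY = re.compile(r"^def_proxy_(\d+)_parm_(\d+)_(name|value)$")

# Constructed sample: the cyberpatrol block from the advisory plus an assumed
# http-gw definition (def_proxy_11) that also carries a "state" parameter.
SAMPLE_CONF = """\
def_proxy_11_name=http-gw
def_proxy_11_realname=http-gw
def_proxy_11_num_parms=2
def_proxy_11_parm_1_name=proxy-type
def_proxy_11_parm_1_value=http-gw
def_proxy_11_parm_2_name=state
def_proxy_11_parm_2_value=on
def_proxy_12_name=cyberpatrol
def_proxy_12_realname=cyberpatrol
def_proxy_12_num_parms=8
def_proxy_12_parm_1_name=child-limit
def_proxy_12_parm_1_value=
def_proxy_12_parm_2_name=userid
def_proxy_12_parm_2_value=
def_proxy_12_parm_3_name=groupid
def_proxy_12_parm_3_value=
def_proxy_12_parm_4_name=directory
def_proxy_12_parm_4_value=
def_proxy_12_parm_5_name=proxy-exec
def_proxy_12_parm_5_value=./cyberdaemon
def_proxy_12_parm_6_name=state
def_proxy_12_parm_6_value=on
def_proxy_12_parm_7_name=bind-port
def_proxy_12_parm_7_value=8999
def_proxy_12_parm_8_name=proxy-type
def_proxy_12_parm_8_value=cyberdaemon
"""


def parse_proxy_groups(text):
    """Group parm_<k>_name/value pairs by their def_proxy_<N> number."""
    groups = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = line.split("=", 1)
        m = PARM_KEY.match(key)
        if m is None:
            continue  # def_proxy_N_name, num_parms etc. are not needed here
        proxy, parm, field = int(m.group(1)), int(m.group(2)), m.group(3)
        groups.setdefault(proxy, {}).setdefault(parm, {})[field] = value
    return groups


def parm_number(group, name):
    """Index of the parameter whose name field equals `name`, or None."""
    for parm, fields in group.items():
        if fields.get("name") == name:
            return parm
    return None


def set_cyberdaemon_state(text, new_state="off"):
    """Rewrite the state value of every proxy whose proxy-type is cyberdaemon.

    Returns (new_text, changed_keys). Every other line passes through
    unchanged, so a different def_proxy_# that also has a state parameter
    is never modified.
    """
    targets = {}
    for proxy, group in parse_proxy_groups(text).items():
        kind = parm_number(group, "proxy-type")
        if kind is None or group[kind].get("value") != "cyberdaemon":
            continue
        state = parm_number(group, "state")
        if state is None:
            raise ValueError("def_proxy_%d has no state parameter" % proxy)
        targets["def_proxy_%d_parm_%d_value" % (proxy, state)] = new_state
    if not targets:
        raise ValueError("no proxy definition with proxy-type=cyberdaemon found")

    out, changed = [], []
    for line in text.splitlines():
        key = line.split("=", 1)[0] if "=" in line else None
        if key in targets:
            out.append("%s=%s" % (key, targets[key]))
            changed.append(key)
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_conf, changed = set_cyberdaemon_state(SAMPLE_CONF)
    print("changed:", changed)
    print(new_conf)
```

On a real system the text would be read from /usr/local/etc/mgmt/gauntlet.conf and written back before running "update TEXT"; the script refuses to write anything if no cyberdaemon definition is found, rather than guessing at a group number.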

End of Advisory.

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOXXSvCh9+71yA2DNAQF1KQQAhy78BCnHBXelaLvejWFtpvYF6ha9HmQK
pN4CALCO0g2a8R2qM+IRZvn58aj6Le9Mg/PgNEkQGsG4EYLJmlaTrNwyAPcJp3yE
8TJ4tJ8OVl4LYfdxirhVv/5bYDQwTmcSr2qGCMhqa7FAWhk0KzUr7wJr9vM6RipB
7MfkgYjxofY=
=TznB
-----END PGP SIGNATURE-----