Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2000.107 -- Trusted Information Systems (TIS) Gauntlet Firewall for Unix and WebShield cyberdaemon Buffer Overflow Vulnerability Advisory 25 May 2000 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Gauntlet for Unix versions 4.1, 4.2, 5.0, 5.5 WebShield 300 series E-ppliance WebShield For Solaris 4.0 WebShield 100 series E-ppliance Vendor: Trusted Information Systems Network Associates Operating System: Solaris BSDI Unix Platform: N/A Impact: Root Compromise Denial of Service Access Required: Remote - --------------------------BEGIN INCLUDED TEXT-------------------- http://www.tis.com/support/cyberadvisory.html Gauntlet Firewall for Unix and WebShield cyberdaemon Buffer Overflow Vulnerability Advisory Created: May 21, 2000 Updated: May 21, 2000 Author(s): Gauntlet Firewall Engineering Comment: n/a Background: A security vulnerability has been discovered on the following products: Gauntlet for Unix versions 4.1, 4.2, 5.0, 5.5 WebShield 300 series E-ppliance WebShield For Solaris 4.0 WebShield 100 series E-ppliance This security vulnerability is a Buffer Overflow with the CyberPatrol daemon that can cause a Denial of Service (DOS) for HTTP traffic through the specified products. The CyberPatrol daemon "cyberdaemon" is used to enforce CyberPatrol policy in conjunction with the HTTP proxy. The DOS attack results in the cyberdaemon crashing and dumping a core file, thus preventing the HTTP proxy from checking the CyberPatrol policy which results in failure to accept new connections. In addition to the DOS attack, it is possible to exploit this Buffer Overflow vulnerability to execute arbitrary shell commands as root on the Firewall. This extension of the attack was replicated on the BSDI version of the Gauntlet Firewall. Solution: A Patch to repair this vulnerability is available for all products listed above except for Gauntlet 4.1. Gauntlet 4.1 customers should apply the manual workaround with closes this vulnerability, documented below. See the Patch Page to select your version of Gauntlet or WebShield and download the appropriate patch. This patch is a mandatory patch that includes a new version of the CyberPatrol daemon, cyberdaemon. If patching the system is not possible at this point in time, the manual workaround procedures for each product are documented below. Workarounds for Gauntlet Firewall and WebShield 300 E-ppliance These instructions apply to the following products: Gauntlet for Unix versions 4.1, 4.2, 5.0, 5.5 and WebShield 300 series E-ppliance. There are two possible workarounds for the cyberdaemon Buffer Overflow Vulnerability, depending on whether or not you are using CyberPatrol: 1) If you are NOT using CyberPatrol, Shut off the cyberdaemon. This is accomplished by using the text-based admin utility on the firewall. a. For the Gauntlet firewall series, log onto the console of the firewall or telnet into the firewall (if connections to localhost are permitted.) For the WebShield 300 E-ppliance series, you can either use the custom cable that originally shipped with the product in conjunction with a terminal program such as Hyperterminal to establish a serial connection to the machine, or if connections to localhost are permitted, you can telnet to the E-ppliance and log in that way b. Start the text-based admin utility by entering "gauntlet-admin" for any version of the Gauntlet firewall or entering "webshield-admin" for the Webshield 300 series c. Using the arrow keys, go to Basic System Configuration, press Enter d. Arrow down to Proxy Configuration, press Enter e. Arrow down to CyberPatrol, press Enter f. Arrow down to change the 'on' value to 'off' g. TAB to the Save option, press Enter h. TAB to Return to Previous Menu, press Enter i. TAB to Return to Previous Menu, press Enter j. TAB to Finish Configuration, press Enter k. Select Quit and Update Configuration, press Enter l. Type y and press Enter, press Enter again At this point, the CyberPatrol daemon is no longer running and CyberPatrol functionality is no longer available. You can check this by entering: ps -ef|grep cyber (Solaris and HP systems) ps -aux|grep cyber (BSD/OS systems) The only output you should see is the grep for cyber. 2) If you are using CyberPatrol and would like to continue using it, create a packet filter rule to disallow any connections to port 8999 on the firewall. To configure this through the GUI: a. Start the GUI and connect to the firewall b. Double Click on Environment - Local Filter Rules c. Click Add d. Choose * for all interfaces e. Choose ALL under "protocol selection" f. Choose Deny Traffic from the Access filter drop down menu g. In the Source IP, enter 0.0.0.0 for the IP and 0.0.0.0 for the Netmask h. For Source Port, enter * and * i. In the Destination IP, enter 0.0.0.0 for the IP and 0.0.0.0 for the Netmask j. For Destination Port, enter 8999 and 8999 k. Click OK l. Click the Save Icon m. When prompted, choose Yes to Save and Apply. To configure this using gauntlet-admin or webshield-admin: a. Start the utility (gauntlet-admin or webshield-admin) b. Using the TAB, arrow and enter keys, go to OPTIONAL System Configuration, press Enter c. Arrow down to Packet Screening Rules, press Enter d. Arrow down to Edit local ruleset, press Enter e. Select "new entry" and press Enter f. Arrow to Deny for the "Type" section g. Tab to interface, enter * h. Tab to protocol, enter * i. Tab to Source port, enter * j. Tab to Source Address, enter 0.0.0.0 k. Tab to Source Mask, enter 0.0.0.0 l. Tab to Destination Port, enter 8999 m. Tab to Destination Address, enter 0.0.0.0 n. Tab to Destination Mask, enter 0.0.0.0 o. Tab to Save, press Enter p. Tab to Return to Previous menu, press Enter q. Tab to Return to Previous menu, press Enter r. Arrow to Return, press Enter s. Tab to Return to Previous menu, press Enter t. Tab to Finish Configuration, press Enter u. Highlight Quit and Update Configuration, press Enter v. Type y, press Enter At this point, you will have a packet filtering rule which will deny any connection to port 8999 on the firewall. There is no need for any external connections to this port, as all necessary functions for CyberPatrol are handled locally. Workaround for WebShield For Solaris and WebShield 100 Series E-ppliances These instructions apply to the following products WebShield for Solaris 4.0 and WebShield 100 series E-ppliance The workaround for the cyberdaemon Buffer Overflow Vulnerability on a WebShield for Solaris product or a WebShield 100 E-ppliance is to disable the cyberdaemon. The following steps should be taken: STEP 1: # cd /usr/local/etc/mgmt/rc STEP 2: # ./s115cyberpatrol stop STEP 3: # cd /usr/local/etc/mgmt STEP 4: # vi gauntlet.conf Search for the cyberpatrol section by doing the following command: /cyberdaemon You should see a section like this: def_proxy_12_name=cyberpatrol def_proxy_12_realname=cyberpatrol def_proxy_12_num_parms=8 def_proxy_12_parm_1_name=child-limit def_proxy_12_parm_1_value= def_proxy_12_parm_2_name=userid def_proxy_12_parm_2_value= def_proxy_12_parm_3_name=groupid def_proxy_12_parm_3_value= def_proxy_12_parm_4_name=directory def_proxy_12_parm_4_value= def_proxy_12_parm_5_name=proxy-exec def_proxy_12_parm_5_value=./cyberdaemon def_proxy_12_parm_6_name=state def_proxy_12_parm_6_value=on def_proxy_12_parm_7_name=bind-port def_proxy_12_parm_7_value=8999 def_proxy_12_parm_8_name=proxy-type def_proxy_12_parm_8_value=cyberdaemon Change the "state" value from on to off. This is done by changing the value in the line def_proxy_12_parm_6_value=on to def_proxy_12_parm_6_value=off The numbers may differ, but as you can see in the block shown above, the parameters are "grouped" together by their "def_proxy_#". If the def_proxy_# of the line that you are changing is different from the first line you found when you searched for "cyber", you are changing the wrong value. Please don't do that. Once you have finished, write and quit out of vi. :wq! STEP 5: # update TEXT You will see the following message: Configuration file updated Rebuild system configuration files? STEP 6: Type "y" and press Enter You will see the following messages: Performing substitutions on /etc/netstart... Performing substitutions on /etc/mail/aliases ... Rebuilding /etc/mail/aliases database... /etc/mail/aliases: 11 aliases, longest 10 bytes, 126 bytes total Performing substitutions on /usr/local/etc/netperm-table... Performing substitutions on /etc/hosts... Performing substitutions on crontab file(s)... Updating crontabs for root and uucp. Performing substitutions on /etc/mail/sendmail.cf ... Performing substitutions on /etc/resolv.conf Not rebuilding DNS files Done substitutions. See if proxies changed state and stop or start as needed. If you changed the network address of the system, you will need to reboot (or sh /etc/netstart) in order for the change to take effect. # End of Advisory. - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBOXXSvCh9+71yA2DNAQF1KQQAhy78BCnHBXelaLvejWFtpvYF6ha9HmQK pN4CALCO0g2a8R2qM+IRZvn58aj6Le9Mg/PgNEkQGsG4EYLJmlaTrNwyAPcJp3yE 8TJ4tJ8OVl4LYfdxirhVv/5bYDQwTmcSr2qGCMhqa7FAWhk0KzUr7wJr9vM6RipB 7MfkgYjxofY= =TznB -----END PGP SIGNATURE-----