Telecom and Logistics Associates
Security NEWs Service: TLAnews
publication: Christian ALT
A vulnerability in the Gauntlet firewall has been discovered by a Garrisson engineer
The belief in a single line of defense against hackers can no longer exist." Though proof-of-concept code has been developed for BSDI and turned over by Jim to Network Associates, as of this date there has been no breach of security at any company due to this issue. "After I developed the proof of concept code and actually executed a command remotely on the firewall I just went numb," said Jim. "Keeping this information from leaking out was my main concern." After several days of continued development to better understand why such a breach could happen and how to quickly fix the issue, Jim contacted both Network Associates and Security Focus. A team of engineers was immediately assembled by NAI to verify and solve the issue. Jim was contacted by Tom Ashoff and Marvin Dickerson to give full details on how he had come to discover the vulnerability and every step he took to cause the exploit to gain root access. This information will be made public later, after the commercial industry has had time to apply the fix Jim has released or the pending patch from Network Associates. "I assume other firewall companies will try to use this to their advantage," said Jim about this new information, "but I personally think this is just the beginning of something much larger. In my opinion every firewall has major vulnerabilities, I just happened upon Gauntlet first. This in no way changes my opinion about Gauntlet. I still think it's a great firewall. It just proves that one security device does not make a secure network. If you're not setting up ACLs on your routers, intrusion detection on your servers and networks, forcing two-factor authentication on your users, and scheduling biannual audits, you are missing the bare minimum needed for a secure network."
The hole is the result of two flaws in Network Associates' integration of Mattel's Cyber Patrol filtering software into their feature-packed firewall product. In integrating Cyber Patrol, NAI programmers created a custom server that checks web addresses against the Cyber Patrol database, then approves or disapproves each connection going out through the firewall depending on whether it is permitted by a particular company's policy.
The bug affects Gauntlet for Unix versions 4.1, 4.2, 5.0 and 5.5, and the
company's Web Shield line of products, but only if Cyber Patrol is running.
To solve this vulnerability

To patch this issue, you will need to add two local filter rules. Start your GUI admin tool.

First rule (outside interface):
1. Select Environment, then Local Filter Rules, then Add.
2. Name the first rule: garrison patch outside.
3. Under the "Interface" option, select your outside interface.
4. Under Protocol Selection, select "Choose from list" and, on the right-hand side, select "TCP".
5. Under "Access Filter" select "Deny Traffic".
6. Under "Source IP" enter 0.0.0.0 and under "Source Mask" enter 0.0.0.0. Under "Port Range" enter * "to" *.
7. Under "Destination IP" enter {outside FIREWALL IP ADDRESS} and under "Destination Mask" enter 255.255.255.255. Under "Port Range" enter 8999 "to" 8999.
8. Select "ok".

Second rule (inside interface), following the same pattern as the first:
1. Select Environment, then Local Filter Rules, then Add.
2. Name the second rule: garrison patch inside.
3. Under the "Interface" option, select your inside interface.
4. Under Protocol Selection, select "Choose from list" and, on the right-hand side, select "TCP".
5. Under "Access Filter" select "Deny Traffic".
6. Under "Source IP" enter 0.0.0.0 and under "Source Mask" enter 0.0.0.0. Under "Port Range" enter * "to" *.
7. Under "Destination IP" enter {inside FIREWALL IP ADDRESS} and under "Destination Mask" enter 255.255.255.255. Under "Port Range" enter 8999 "to" 8999.
8. Select "ok".

If you have any alias addresses on your firewall, repeat the steps above for each alias. If you have any questions or would just like to make sure you have added these rules correctly, please do not hesitate to contact your support representative.
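A way to check that the two rules above, plus one per alias, actually cover every firewall address on TCP/8999, written here as an added example and not Gauntlet's, Network Associates' or Garrison's code: a small Python model of Gauntlet local filter rules. It assumes rules are evaluated top-down with the first match deciding and that unmatched traffic goes on to the proxies; the interface and alias addresses are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ANY_HOST = IPv4Network("0.0.0.0/0.0.0.0")  # "Source IP" 0.0.0.0, "Source Mask" 0.0.0.0
ANY_PORT = (0, 65535)                       # "Port Range" * to *

@dataclass
class FilterRule:
    """One Gauntlet local filter rule as entered in the GUI (added model)."""
    name: str
    interface: str
    proto: str
    action: str        # "Deny Traffic" or "Permit Traffic"
    src: IPv4Network
    src_ports: tuple
    dst: IPv4Network
    dst_ports: tuple

    def matches(self, interface, proto, src_ip, src_port, dst_ip, dst_port):
        return (self.interface == interface and self.proto == proto
                and IPv4Address(src_ip) in self.src
                and self.src_ports[0] <= src_port <= self.src_ports[1]
                and IPv4Address(dst_ip) in self.dst
                and self.dst_ports[0] <= dst_port <= self.dst_ports[1])

def garrison_patch_rules(firewall_addrs):
    """One 'garrison patch' deny rule per (interface, address): TCP, any source,
    destination = that address with mask 255.255.255.255, ports 8999 to 8999."""
    return [FilterRule(f"garrison patch {iface}", iface, "TCP", "Deny Traffic",
                       ANY_HOST, ANY_PORT,
                       IPv4Network(f"{addr}/255.255.255.255"), (8999, 8999))
            for iface, addr in firewall_addrs]

def first_match_action(rules, *packet):
    """Assumption: rules are checked top-down, first match decides; traffic that
    matches no rule goes on to the proxies (modelled here as permit)."""
    for rule in rules:
        if rule.matches(*packet):
            return rule.action
    return "Permit Traffic"

def unprotected_addresses(rules, firewall_addrs, probe_src="203.0.113.9"):
    """Firewall addresses (interfaces and aliases) a TCP/8999 connection would
    still reach, i.e. where a rule was forgotten. probe_src is a constructed
    sample client; the deny rules accept any source anyway."""
    return [(iface, addr) for iface, addr in firewall_addrs
            if first_match_action(rules, iface, "TCP", probe_src, 40000, addr, 8999)
            != "Deny Traffic"]
# Constructed sample: outside interface, inside interface, one outside alias.
FIREWALL_ADDRS = [("outside", "192.0.2.1"), ("inside", "10.0.0.1"), ("outside", "192.0.2.2")]
```

Running `unprotected_addresses(garrison_patch_rules(FIREWALL_ADDRS[:2]), FIREWALL_ADDRS)` reports the alias that was left out, while ordinary outbound web traffic to port 80 is untouched by the rules.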
The software patch to close the security hole was released May 22 by Network Associates and is available for downloading on the company's Web site. The patch supports Gauntlet for Unix Versions 4.2, 5.0, and 5.5. The patch also should be applied to Network Associates' WebShield 100 and 300 series products, which are combined hardware/software bundles that include the Gauntlet firewall.
All information provided is of a general nature and is not
intended to address the circumstances of any particular individual or entity.
Although we endeavor to provide accurate and timely information, there can be no
guarantee that such information is accurate as of the date it is received or
that it will continue to be accurate in the future. No one should act upon such
information without appropriate professional advice after a thorough examination
of the facts of the particular situation.