[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Sidewinder G2

To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Sidewinder G2
From: Goetz Von Berlichingen <goetzvonberlichingen@comcast.net>
Date: Tue, 18 Nov 2003 08:32:02 -0700

Paul Niranjan wrote:

Comments please

The problem is that this is a typical press release with no real content.

...

The Sidewinder G2 Firewall, protected by Secure Computing's patented Type EnforcementR technology, is fully capable of defending itself against this attack without incident and will continue passing only legitimate mail messages on to internal mail servers. Furthermore, if a mail message containing this attack is processed on the Sidewinder G2 Firewall for mail-forwarding services, the malicious 'attack code' embedded in the message is automatically manipulated, rendering the attack benign before the Sidewinder G2 Firewall delivers it to any internal Sendmail servers. Weaker stateful inspection firewalls that often claim speed as their number one value proposition will pass the malicious code in question directly through to internal mail servers.

There is a lot of assertion in the above paragraph, but nothing as to how. It seems to imply that the Sidewinder sendmail is acting as a proxy, not a real mail server. This makes sense as an application layer proxy for mail is easier (and cheaper) to implement than writing an all new proxy. I'm now into the realm of speculation, but I think that the G2 has a minimal sendmail configured to act as a forwarding MTA to the protected enclave's real mail server. I doubt if the G2 also runs a POP3 or IMAP server for direct client access.

"Secure Computing's Sidewinder G2 Firewall offers a defense against Sendmail attacks because it contains an embedded SecureOST operating system, application proxy architecture, and its own secure Sendmail server," said Charles Kolodgy, research director, Security Products at IDC. "Even more significant is Sidewinder's potential to defend against possible Sendmail attacks without any patches."

This implies that they have modified sendmail on their platform. Or perhaps Mr. Kolodgy is fudging a little and claiming a custom sendmail on the basis of custom configuration and MAC policy.

This high profile attack is very dangerous as it can be used to take
complete root control of Sendmail servers, thus giving the attacker a
strong foothold on internal networks from anywhere across the Internet.
Since the attack is message-oriented (application layer) as opposed to
connection-oriented (packet layer), only Layer 7 application firewalls
like the Sidewinder G2 Firewall can stop the attack at the perimeter.

They seem to be claiming that their sendmail will repackage the message rather than just add a Received: line in the mail header. I don't do sendmail enough to know whether this is possible. The more I think on this, the more I'm convinced that they don't do address checking in their sendmail (which is a Bad Thing if they really are selling their firewall as a mail server).

... In

addition, Sidewinder's natively embedded intrusion detection, real-time forensics, and automated alerting system called StrikebackR would trigger multiple security alarms in the case of this remote buffer overflow Sendmail attack.

I love systems like these. Instead of modififying the logs, one simply floods them to the point that admins don't read them.

"Most organizations that run traditional stateful inspection firewalls, and companies that manufacture them, are looking at very serious security risks and reactive, preventive, steps to remove those risks," said Mike Gallagher, vice president and general manager of the network security division at Secure Computing. "Sidewinder G2 customers, however, have no panic situation occurring because they know that Sidewinder's hybrid architecture renders this attack useless against both the hosted Sendmail services on Sidewinder G2 and any targeted Sendmail services behind the firewall."

More than ever, I'm convinced that Sidewinder dodged this bullet more by luck than skill. I think that the Sidewinder firewall has a sendmail configured to act as a proxy that doesn't do address checking. Since it doesn't do address checking, it wasn't vulnerable to the attack. The repackaging of the mail messages in proxy mode probably meant that the Sidewinder sendmail uses some sort of alternate address translation (a lookup table?) that completely changed the attack addresses (or dropped them as not having a corresponding internal address).

Goetz


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- RE: [Full-Disclosure] Sidewinder G2
  - From: "Paul Niranjan" <niranjan@tasintegrators.com>

Prev by Date: [Full-Disclosure] SUSE Security Announcement: sane (SuSE-SA:2003:046)
Next by Date: RE: [Full-Disclosure] Sidewinder G2
Previous by thread: RE: [Full-Disclosure] Sidewinder G2
Next by thread: [Full-Disclosure] My take on the Newly discovered Exchange Flaw
Index(es):
- Date
- Thread