Re: Sidewinder G2

[Goetz Von Berlichingen <goetzvonberlichingen () comcast net>]

Paul Niranjan wrote:

> Comments please

  The problem is that this is a typical press release with no real content.

...
> The Sidewinder G2 Firewall, protected by Secure Computing's patented
> Type EnforcementR technology, is fully capable of defending itself
> against this attack without incident and will continue passing only
> legitimate mail messages on to internal mail servers. Furthermore, if a
> mail message containing this attack is processed on the Sidewinder G2
> Firewall for mail-forwarding services, the malicious 'attack code'
> embedded in the message is automatically manipulated, rendering the
> attack benign before the Sidewinder G2 Firewall delivers it to any
> internal Sendmail servers. Weaker stateful inspection firewalls that
> often claim speed as their number one value proposition will pass the
> malicious code in question directly through to internal mail servers. 

  There is a lot of assertion in the above paragraph, but nothing as to 
how.  It seems to imply that the Sidewinder sendmail is acting as a 
proxy, not a real mail server.  This makes sense as an application layer 
proxy for mail is easier (and cheaper) to implement than writing an all 
new proxy.
  I'm now into the realm of speculation, but I think that the G2 has a 
minimal sendmail configured to act as a forwarding MTA to the protected 
enclave's real mail server.  I doubt if the G2 also runs a POP3 or IMAP 
server for direct client access.

> "Secure Computing's Sidewinder G2 Firewall offers a defense against
> Sendmail attacks because it contains an embedded SecureOST operating
> system, application proxy architecture, and its own secure Sendmail
> server," said Charles Kolodgy, research director, Security Products at
> IDC. "Even more significant is Sidewinder's potential to defend against
> possible Sendmail attacks without any patches." 

  This implies that they have modified sendmail on their platform.  Or 
perhaps Mr. Kolodgy is fudging a little and claiming a custom sendmail 
on the basis of custom configuration and MAC policy.

> This high profile attack is very dangerous as it can be used to take
> complete root control of Sendmail servers, thus giving the attacker a
> strong foothold on internal networks from anywhere across the Internet.
> Since the attack is message-oriented (application layer) as opposed to
> connection-oriented (packet layer), only Layer 7 application firewalls
> like the Sidewinder G2 Firewall can stop the attack at the perimeter.

  They seem to be claiming that their sendmail will repackage the 
message rather than just add a Received: line in the mail header.  I 
don't do sendmail enough to know whether this is possible.  The more I 
think on this, the more I'm convinced that they don't do address 
checking in their sendmail (which is a Bad Thing if they really are 
selling their firewall as a mail server).

... In
> addition, Sidewinder's natively embedded intrusion detection, real-time
> forensics, and automated alerting system called StrikebackR would
> trigger multiple security alarms in the case of this remote buffer
> overflow Sendmail attack. 

  I love systems like these.  Instead of modififying the logs, one 
simply floods them to the point that admins don't read them.

> "Most organizations that run traditional stateful inspection firewalls,
> and companies that manufacture them, are looking at very serious
> security risks and reactive, preventive, steps to remove those risks,"
> said Mike Gallagher, vice president and general manager of the network
> security division at Secure Computing. "Sidewinder G2 customers,
> however, have no panic situation occurring because they know that
> Sidewinder's hybrid architecture renders this attack useless against
> both the hosted Sendmail services on Sidewinder G2 and any targeted
> Sendmail services behind the firewall." 

  More than ever, I'm convinced that Sidewinder dodged this bullet more 
by luck than skill.  I think that the Sidewinder firewall has a sendmail 
configured to act as a proxy that doesn't do address checking.  Since it 
doesn't do address checking, it wasn't vulnerable to the attack.  The 
repackaging of the mail messages in proxy mode probably meant that the 
Sidewinder sendmail uses some sort of alternate address translation (a 
lookup table?) that completely changed the attack addresses (or dropped 
them as not having a corresponding internal address).

Goetz


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html