Full Disclosure mailing list archives
Re: Sidewinder G2
From: Goetz Von Berlichingen <goetzvonberlichingen () comcast net>
Date: Tue, 18 Nov 2003 08:32:02 -0700
Paul Niranjan wrote:
Comments please
The problem is that this is a typical press release with no real content. ...
The Sidewinder G2 Firewall, protected by Secure Computing's patented Type EnforcementR technology, is fully capable of defending itself against this attack without incident and will continue passing only legitimate mail messages on to internal mail servers. Furthermore, if a mail message containing this attack is processed on the Sidewinder G2 Firewall for mail-forwarding services, the malicious 'attack code' embedded in the message is automatically manipulated, rendering the attack benign before the Sidewinder G2 Firewall delivers it to any internal Sendmail servers. Weaker stateful inspection firewalls that often claim speed as their number one value proposition will pass themalicious code in question directly through to internal mail servers.
There is a lot of assertion in the above paragraph, but nothing as to how. It seems to imply that the Sidewinder sendmail is acting as a proxy, not a real mail server. This makes sense as an application layer proxy for mail is easier (and cheaper) to implement than writing an all new proxy. I'm now into the realm of speculation, but I think that the G2 has a minimal sendmail configured to act as a forwarding MTA to the protected enclave's real mail server. I doubt if the G2 also runs a POP3 or IMAP server for direct client access.
"Secure Computing's Sidewinder G2 Firewall offers a defense against Sendmail attacks because it contains an embedded SecureOST operating system, application proxy architecture, and its own secure Sendmail server," said Charles Kolodgy, research director, Security Products at IDC. "Even more significant is Sidewinder's potential to defend againstpossible Sendmail attacks without any patches."
This implies that they have modified sendmail on their platform. Or perhaps Mr. Kolodgy is fudging a little and claiming a custom sendmail on the basis of custom configuration and MAC policy.
This high profile attack is very dangerous as it can be used to take complete root control of Sendmail servers, thus giving the attacker a strong foothold on internal networks from anywhere across the Internet. Since the attack is message-oriented (application layer) as opposed to connection-oriented (packet layer), only Layer 7 application firewalls like the Sidewinder G2 Firewall can stop the attack at the perimeter.
They seem to be claiming that their sendmail will repackage the message rather than just add a Received: line in the mail header. I don't do sendmail enough to know whether this is possible. The more I think on this, the more I'm convinced that they don't do address checking in their sendmail (which is a Bad Thing if they really are selling their firewall as a mail server).
... In
addition, Sidewinder's natively embedded intrusion detection, real-time forensics, and automated alerting system called StrikebackR would trigger multiple security alarms in the case of this remote bufferoverflow Sendmail attack.
I love systems like these. Instead of modififying the logs, one simply floods them to the point that admins don't read them.
"Most organizations that run traditional stateful inspection firewalls, and companies that manufacture them, are looking at very serious security risks and reactive, preventive, steps to remove those risks," said Mike Gallagher, vice president and general manager of the network security division at Secure Computing. "Sidewinder G2 customers, however, have no panic situation occurring because they know that Sidewinder's hybrid architecture renders this attack useless against both the hosted Sendmail services on Sidewinder G2 and any targetedSendmail services behind the firewall."
More than ever, I'm convinced that Sidewinder dodged this bullet more by luck than skill. I think that the Sidewinder firewall has a sendmail configured to act as a proxy that doesn't do address checking. Since it doesn't do address checking, it wasn't vulnerable to the attack. The repackaging of the mail messages in proxy mode probably meant that the Sidewinder sendmail uses some sort of alternate address translation (a lookup table?) that completely changed the attack addresses (or dropped them as not having a corresponding internal address).
Goetz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Sidewinder G2 Daniel Sichel (Nov 17)
- Re: Sidewinder G2 Shawn McMahon (Nov 17)
- Re: Sidewinder G2 Michael Gale (Nov 17)
- RE: Sidewinder G2 Paul Niranjan (Nov 18)
- Re: Sidewinder G2 Goetz Von Berlichingen (Nov 18)
- My take on the Newly discovered Exchange Flaw Lan Guy (Nov 18)
- Re: Sidewinder G2 Valdis . Kletnieks (Nov 18)
- Message not available
- Message not available
- Message not available
- Message not available
- Re: Sidewinder G2 Michael Gale (Nov 18)
- Re: Sidewinder G2 Valdis . Kletnieks (Nov 18)
- Message not available
- Message not available
- Re: Sidewinder G2 Michael Gale (Nov 18)
- Re: Sidewinder G2 Michael Gale (Nov 17)
- Re: Sidewinder G2 Shawn McMahon (Nov 17)
- <Possible follow-ups>
- RE: Sidewinder G2 Schmehl, Paul L (Nov 18)
- RE: Sidewinder G2 Ron DuFresne (Nov 20)
- RE: Sidewinder G2 Perrymon, Josh L. (Nov 18)