RE: Tunnel ports allowed on NetApp NetCaches

[Kevin O'Brien <kevino () eonline com>]

Also, I should note that we had this setup correctly (!all) in version 4 of
the OS.  NetApp seemed to imply that the upgrade from v4 to v5 caused this.
I guess in v4 a NULL value implies !all and the upgrade process replaces
NULL with +all (oops).

-=Kevin=-

-----Original Message-----
From: Kevin O'Brien 
Sent: Thursday, July 05, 2001 10:33 AM
To: bugtraq () securityfocus com
Subject: Tunnel ports allowed on NetApp NetCaches


We discovered a extremely dangerous option in our NetCaches.  There is an
option config.http.tunnel.allow_ports that is set by default to +all that
allows anyone to tunnel through your cache to any tcp port.  We discovered
this after we found people using it to send spam email by tunneling to port
25 on outside mail servers.

To see if you are affected, connect to the console of the NetCache (not to
the HTML gui) and type show config.http.tunnel.allow_ports.  If it says +all
you are allowing all ports to be tunneled.  To fix this, type set
config.http.tunnel.allow_ports !all.  This will disallow any tunneling.

If you have +all you will want to look through your logs for anything using
the CONNECT method instead of GET to see what ports outside people connected
to.  Fortunately, we only saw ports 443 and 25 to hosts outside our network.

BTW, I contacted NetApp on Friday about this and they are still trying to
write a Field Alert to their customers...and I thought M$ was slow.

Kevin O'Brien
Systems/Network Administrator
E! Online, LLC
323.692.4742
323.692.4700 fax