Digg this story   Add to del.icio.us  
Security Hole found in NAI Firewall
Kevin Poulsen, SecurityFocus 2000-05-22

Censorware gaffe turns "World's Most Secure Firewall" into an open door.

A firewall package protecting thousands of networks worldwide contains a bug that would allow attackers to obtain "root" access remotely, potentially compromising the very networks the program was installed to protect, SecurityFocus News has learned.

The vulnerability is in the Unix distribution of Network Associates Inc.'s (NAI) Gauntlet firewall suite, billed by the company as the "World's Most Secure Firewall." Jim Stickley, a San Diego-based computer security consultant with Garrison Technologies, discovered the bug while performing a security audit for a corporate client in Seattle, and reported it to NAI late Friday night. A team of a dozen company engineers scrambled to produce a fix over the weekend, which the company was preparing to distribute to customers Monday morning.

The hole is the result of two flaws in Network Associate's integration of Mattel's Cyber Patrol filtering software into their feature-packed firewall product. In integrating Cyber Patrol, NAI programmers created a custom server that checks web address against the Cyber Patrol database, then approves or disapproves each connection going out through the firewall depending on whether it's permitted by a particular company's policy.

That server contains a buffer overflow bug, and, further, mistakenly accepts connections from the outside world, Network Associates V.P. of Engineering Tom Ashoff confirmed Sunday.

The bug affects Gauntlet for Unix versions 4.1, 4.2, 5.0 and 5.5, and the company's Web Shield line of products, but only if Cyber Patrol is running. The filtering program comes installed with Gauntlet and is on by default for 30 days. "After thirty days, if you don't register Cyber Patrol, it stops working and you're no longer vulnerable," said Stickley.

The vulnerability is a potentially embarrassing development for security giant Network Associates, since it means intruders may have been using Gauntlet firewalls as a point of entry into corporate networks. "Once you've got root access on their firewall, you can scan their whole network," said Stickley

Network Associates Vice President of Marketing Jim Ishikawa said the company has prepared a patch for the vulnerability, which it's making available to customers. The company issued an advisory Monday morning.

"I think as with every kind of security product, it's an ongoing iterate process, continuously improving the product," said Ishikawa. "I think the key is rapid response, and I think we demonstrated that this weekend."

    Digg this story   Add to del.icio.us  
Comments Mode:
The key is not "quick response" 2000-05-22
Anonymous (1 replies)
Quick Response is a 'MUST' 2000-05-22
Anonymous (2 replies)
Quick Response is a 'MUST' 2000-05-24
Anonymous
Quick Response is a 'MUST' 2000-05-26
Anonymous
This is HUGE 2000-05-22
Anonymous
NAI and Gauntlet 2000-05-23
Anonymous
Security in depth is a good policy 2000-05-23
Anonymous (1 replies)
No comment! 2000-05-24
Anonymous
The scary thing... 2000-05-26
Anonymous
Simplicity 2000-05-29
Anonymous


 

Privacy Statement
Copyright 2010, SecurityFocus