SecurityFocus 2000-05-22
Censorware gaffe turns "World's Most Secure Firewall" into an open door.
The vulnerability is in the Unix distribution of Network Associates Inc.'s (NAI) Gauntlet firewall suite, billed by the company as the "World's Most Secure Firewall." Jim Stickley, a San Diego-based computer security consultant with Garrison Technologies, discovered the bug while performing a security audit for a corporate client in Seattle, and reported it to NAI late Friday night. A team of a dozen company engineers scrambled to produce a fix over the weekend, which the company was preparing to distribute to customers Monday morning.
The hole is the result of two flaws in Network Associates' integration of Mattel's Cyber Patrol filtering software into their feature-packed firewall product. In integrating Cyber Patrol, NAI programmers created a custom server that checks web addresses against the Cyber Patrol database, then approves or disapproves each connection going out through the firewall depending on whether it's permitted by a particular company's policy.
That server contains a buffer overflow bug, and, further, mistakenly accepts connections from the outside world, Network Associates V.P. of Engineering Tom Ashoff confirmed Sunday.
The bug affects Gauntlet for Unix versions 4.1, 4.2, 5.0 and 5.5, and the company's Web Shield line of products, but only if Cyber Patrol is running. The filtering program comes installed with Gauntlet and is on by default for 30 days. "After thirty days, if you don't register Cyber Patrol, it stops working and you're no longer vulnerable," said Stickley.
The vulnerability is a potentially embarrassing development for security giant Network Associates, since it means intruders may have been using Gauntlet firewalls as a point of entry into corporate networks. "Once you've got root access on their firewall, you can scan their whole network," said Stickley.
Network Associates Vice President of Marketing Jim Ishikawa said the company has prepared a patch for the vulnerability, which it's making available to customers. The company issued an
"I think as with every kind of security product, it's an ongoing iterate process, continuously improving the product," said Ishikawa. "I think the key is rapid response, and I think we demonstrated that this weekend."