Bugtraq mailing list archives

Filtering devices spotting


From: "Ed3f" <ed3f () overminder com>
Date: Wed, 1 Jan 2003 14:27:08 +0100


************************ SECURITY ALERT ************************


Systems Affected

        100% of packet filtering systems, including commercial
        embedded devices
        (no unaffected system known at the moment)


Risk

        low


Overview

        Multiple vendors' implementations of a packet filtering
        engine don't check the level 4 checksum.
        This could be used by an attacker to perform an active
        analysis of a firewall ruleset and use OS fingerprinting
        tools with firewall response packets.


Description

        It's possible to spot a firewall by sending a single packet
        with a broken level 4 checksum, if the firewall is configured
        to reply. This problem is present even if a transparent bridge
        is used.

        Example:
        sending a TCP SYN, you'll receive a RST-ACK.

        The complete study is available at:
        http://www.phrack.org/phrack/60/p60-0x0c.txt


Solution

        Disable reply.
        Apply the patch when available.



*************************   Ed3f   ********************0x000002*
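
The check whose absence the advisory describes, sketched as an added example (not code from the advisory, the Phrack study or any vendor patch): a reply-generating rule verifies the TCP checksum over the IPv4 pseudo-header first and drops silently on a mismatch, as an end host would. The names `reject_rule` and `tcp4_checksum`, the verdict enum and the sample segment are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 one's-complement sum of big-endian 16-bit words. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len) acc += (uint32_t)p[0] << 8;   /* odd trailing byte, zero padded */
    return acc;
}

/* TCP checksum over the IPv4 pseudo-header plus the segment (header + payload). */
uint16_t tcp4_checksum(const uint8_t src[4], const uint8_t dst[4],
                       const uint8_t *seg, size_t len)
{
    uint32_t acc = sum16(dst, 4, sum16(src, 4, 0));
    acc += 6 + (uint32_t)len;              /* protocol 6 (TCP) and TCP length */
    acc = sum16(seg, len, acc);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

enum verdict { DROP_SILENT, REJECT_WITH_RST };

/* Hypothetical hook for a rule configured to reply. Summing a segment that
 * carries a correct checksum field yields 0; anything else gets no answer. */
enum verdict reject_rule(const uint8_t src[4], const uint8_t dst[4],
                         const uint8_t *seg, size_t len)
{
    return (len >= 20 && len <= 65535 && tcp4_checksum(src, dst, seg, len) == 0)
               ? REJECT_WITH_RST : DROP_SILENT;
}

/* Constructed sample: SYN 192.0.2.1:49152 -> 198.51.100.7:80, checksum 0x0355. */
static const uint8_t SRC[4] = {192, 0, 2, 1}, DST[4] = {198, 51, 100, 7};
static const uint8_t SAMPLE_SYN[20] = { 0xC0,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0,
                                        0x50,0x02, 0xFF,0xFF, 0x03,0x55, 0,0 };

int main(void)
{
    uint8_t bad[20];
    memcpy(bad, SAMPLE_SYN, sizeof bad);
    bad[16] ^= 0xFF;                       /* corrupt the checksum field */
    printf("valid: %d, corrupted: %d\n",
           reject_rule(SRC, DST, SAMPLE_SYN, 20), reject_rule(SRC, DST, bad, 20));
}
```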
