Forwarded From: John Kleinschmidt

http://www.securityfocus.com/news/40

Security Hole found in NAI Firewall
Censorware gaffe turns "World's Most Secure Firewall" into open door.
By Kevin Poulsen
May 22, 2000 7:48 AM PT

A firewall package protecting thousands of networks worldwide contains a bug that would allow attackers to obtain "root" access remotely, potentially compromising the very networks the program was installed to protect, SecurityFocus News has learned.

The vulnerability is in the Unix distribution of Network Associates Inc.'s (NAI) Gauntlet firewall suite, billed by the company as the "World's Most Secure Firewall."

Jim Stickley, a San Diego-based computer security consultant with Garrison Technologies, discovered the bug while performing a security audit for a corporate client in Seattle, and reported it to NAI late Friday night. A team of a dozen company engineers scrambled to produce a fix over the weekend, which the company was preparing to distribute to customers Monday morning.

The hole is the result of two flaws in Network Associates' integration of Mattel's Cyber Patrol filtering software into their feature-packed firewall product. In integrating Cyber Patrol, NAI programmers created a custom server that checks web addresses against the Cyber Patrol database, then approves or disapproves each connection going out through the firewall depending on whether it's permitted by a particular company's policy.

That server contains a buffer overflow bug, and, further, mistakenly accepts connections from the outside world, Network Associates V.P. of Engineering Tom Ashoff confirmed Sunday.

The bug affects Gauntlet for Unix versions 4.1, 4.2, 5.0 and 5.5, and the company's Web Shield line of products, but only if Cyber Patrol is running. The filtering program comes installed with Gauntlet and is on by default for 30 days. "After thirty days, if you don't register Cyber Patrol, it stops working and you're no longer vulnerable," said Stickley.
The vulnerability means intruders can use a Gauntlet firewall as a point of entry into a corporate network, a potentially embarrassing development for security giant Network Associates. "Once you've got root access on their firewall, you can scan their whole network," said Stickley.

Network Associates Vice President of Marketing Jim Ishikawa says the company has prepared a patch for the vulnerability, which it's making available to customers. The company issued an advisory Monday morning.

"I think as with every kind of security product, it's an ongoing iterate process, continuously improving the product," said Ishikawa. "I think the key is rapid response, and I think we demonstrated that this weekend."