exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SYMSA-2007-005.txt

SYMSA-2007-005.txt
Posted Jul 11, 2007
Authored by James Hoagland, Ollie Whitehouse | Site symantec.com

Symantec Vulnerability Research SYMSA-2007-005 - Due to an implementation issue, the Windows Firewall does not apply firewall rules correctly on the Teredo Interface. This allows a level of remote access to TCP and UDP ports and services that exceeds what Microsoft expected and what an administrator would expect.

tags | advisory, remote, udp, tcp
systems | windows
advisories | CVE-2007-3038
SHA-256 | 7523939204b447c8348f1cf34b6663de6d7161f879fa100e8698124169ccbbfc

SYMSA-2007-005.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory

Advisory ID: SYMSA-2007-005
Advisory Title: Vista Windows Firewall Incorrectly Applies
Filtering to Teredo Interface
Author: Jim Hoagland / Ollie Whitehouse
Release Date: 10-07-2007
Application: Windows Firewall (Vista version)
Platform: Windows Vista (RTM and RC2 builds known affected;
XP, 2003 would not be affected)
Severity: Unintended remote exposure to services
Vendor status: Resolved in MS07-038
CVE Number: CVE-2007-3038
Reference: http://www.securityfocus.com/bid/24779


Overview:

Windows Firewall for Windows Vista is the Microsoft provided
firewall solution. It is installed and enabled out-of-the-box,
with most ports filtered.

Due to an implementation issue, the Windows Firewall does not
apply firewall rules correctly on the Teredo Interface. This
allows a level of remote access to TCP and UDP ports and services
that exceeds what Microsoft expected and what an administrator
would expect.

Details:

Teredo is an IPv4 to IPv6 transition mechanism for IPv6-capable
hosts that are located behind an IPv4 NAT. It is installed and
enabled out-of-the-box on Windows Vista. It provides end-to-end
automatic tunneling through a NAT by tunneling IPv6 over IPv4 UDP
packets. Once a Teredo interface becomes set up (in Teredo
terminology: qualified), anyone on the Internet that knows the
Teredo address can send it packets and possibly establish
sessions. This capability persists until the Teredo interface
becomes de-qualified for some reason; while in general Teredo
works to keep an Teredo interface qualified, under some
circumstances, Vista will shut down the interface after 60 minutes
of inactivity.

By design, Windows Firewall is supposed to block all access to
ports on the Teredo interface, except for cases where
access-though-Teredo is specifically requested (through the "Edge
Traversal" flag in the firewall rule being set). However, due to a
logic bug, it does not apply this restriction. Instead, any port
that is accessible on the local network is also accessible from
any host on the Internet over the Teredo interface, even if the
firewall rule specifies "remote address=local subnet".

The level of exposure depends on current firewall rule settings.
An out-of-the-box Vista installation with a network profile set
to "private" will expose the following port across the Teredo
interface:

* TCP port 5357 (Web Services for Devices)

An exposed service may reveal sensitive or useful information to
an attacker. In combination with a vulnerability in the service
it may also provide an avenue of attack. In addition, a service
that was designed to only be accessible in trusted circumstances
may simply not present an adequate security posture for general
Internet access.

It is not considered difficult for a remote user to cause the
Teredo interface to become qualified. Teredo can become qualified
simply because Vista or some application wants to use IPv6 for
whatever reason. The attacker would then just have to guess the
Teredo address or learn it by some means and they would be able to
access any open ports.

Teredo will also become qualified if the address of a peer
represents a Teredo address (perhaps even if the peer has a native
IPv6 Internet access). Thus an attacker can send a URL of this
form "http://[2001:0:...]/..." through e-mail, IM, HTTP, etc, and
if the URL is followed, the attacker will both know the Teredo
address of the victim and will have had the victim become
qualified. A HTTP redirect to such a URL would also work and may be
more stealthy. Reportedly, Vista will not return AAAA records
corresponding to Teredo addresses, so attackers Teredo address
would have to be listed by address and not by hostname.

Vendor Response:

This has been patched in MS07-038.

Recommendation:

Apply the patch contained in MS07-038.

In addition you should consider whether Teredo poses an acceptable
level of exposure to your network. If it provides too much
exposure (e.g., due to bypassing network-based security controls),
you should disable Teredo and block it on your network

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues. These are
candidates for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems.


CVE-2007-3038

-------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@symantec.com

For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/

Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc

-------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com

For general information on Symantec's Product Vulnerability
reporting and response:

http://www.symantec.com/security/

Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

---------------------------------------------------------------

Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted
as long as it is not edited in any way unless authorized by
Symantec Consulting Services. Reprinting the whole or part of
this alert in any medium other than electronically requires
permission from cs_advisories@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services are
registered trademarks of Symantec Corp. and/or affiliated companies
in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole
property of their respective companies/owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFGkqPyuk7IIFI45IARArOpAJ9oJRUZZpioiHRVq6cEKiu72kbWPACgpuui
2/d+CVOH+uoOpIIXShU98y0=
=AcHW
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close