Vulnerability

    Gauntlet

Affected

    Gauntlet 5.0 BSDI with latest Gauntlet patches

Description

    Keith Young found following.  Local trusted and remote non-trusted
    users  with  routes  through  firewall  may  bypass  all  Gauntlet
    security rules.  No activity will appear in the  /var/log/messages
    log file.   Internal network scheme  is exposed.   This issue will
    appear if you do the following in sequence:

        1) Install BSDI 3.1
        2) Install Gauntlet 5.0
        3) Install BSDI patch M310-049
        4) Install Gauntlet 5.0 kernel patch level 2

    Other notes:

        A) Behavior occurs if connection is through any adaptive proxy
           (http-pdk), "old" proxy (http-gw)  or no proxy at  all (any
           TCP connection).
        B) Packets  will  not  be  NATed  by  firewall, so to be  100%
           successful, a  route will  need to  be published  to get to
           your internal network through your firewall.
        C) As mentioned, nothing is ever logged in /var/log/messages
        D) Adding NATs to Gauntlet does not change the packets.

    How to reproduce?  Network configuration:

        [client]====[firewall]====[WWW/FTP-server]
        (internal)        (external)
        Client/Server: either Win98 or RedHat Linux 6.0, P2-350, 128MB RAM
        Firewall: P2-350, 256MB RAM, 10GB hard drive, any BSDI-compatible NIC

    All network connections done via 10baseT crossover cables, however
    users can be across  hubs or routers.   Listed here are the  exact
    steps needed to reproduce this problem.

        1) Install  BSDI  3.1,  March  1998.  Use  automatic  install,
           however you may install minimal packages if you wish.
        2) Mount the Gauntlet 5.0 CD-ROM. Execute /cdrom/fwinstall
        3) Install Gauntlet 5.0.
        4) Reboot after installation.
        5) Login as root.
        6) Enter  "Fast  GUI  Setup".  Fill  in appropriate  Interface
           settings  for   external  and   internal  interfaces.    If
           necessary, configure  ESPM hosts,  DNS settings,  and admin
           users.
        7) Quit gauntlet-admin, save changes, and rebuild.
        8) After proxies have reconfigured, reboot machine.
        9) Since  M310-049  is  required  for  Gauntlet  kernel  patch
           install,   and   M310-046   is   required   for    M310-049
           installation, download both from

              ftp://ftp.bsdi.com/bsdi/patches/patches-3.1/

           File info:
            M310-046    1194 Kb    Wed Oct 14 00:00:00 1998
            M310-049    116 Kb     Wed Dec 16 00:00:00 1998

           Both patches  are considered  "OK" by  the Gauntlet support
           site:  http://www.tis.com/support/bsd31.html

       10) Bring machine to single-user mode by executing "kill  -term
           1".
       11) Execute "perl5 M310-046 apply" to install BSDI libc patch.
       12) Execute "perl5 M310-049 apply" to install IP DoS fix.
       13) Execute "cd /sys/compile/GAUNTLET-V50/".
       14) Build new kernel as required by M310-049 IP DoS kernel fix.
              # make clean
              # make depend
              # make
       15) After kernel is rebuilt, reboot machine.
       16) Download Gauntlet 5.0 kernel and cluster patch:
           File info:
            cluster.BSDI.patch  12623 Kb    Wed Sep 01 19:33:00 1999
            kernel.BSDI.patch   414 Kb      Wed Aug 04 17:54:00 1999
       17) As noted in patch install directions, execute the following
              # sh ./cluster.BSDI.patch
              # sh ./kernel.BSDI.patch
              # cd kernel.BSDI.patch
              # sh ./apply
              # cd ../cluster.BSDI.patch
              # sh ./apply
       18) After patches are installed, reboot machine.
       19) Install ESPM-GUI  on client machine.  Start ESPM-GUI.   Add
           client machine to trusted network group. Apply changes.
       20) Start web browser on client machine. Set web proxy  setting
           to internal  interface of  firewall. Attempt  to connect to
           external web server. Access is allowed. *This is correct.*
       20) Remove  http-gw  from  trusted  network  services.    Apply
           changes.  Attempt to connect to external web server. Access
           is denied. *This is correct.*

           ==Problem starts here==

       21) Remove proxy setting in web browser on client machine.  Set
           gateway/default  route  on   client  machine  to   internal
           interface of firewall. Set gateway/default route on  server
           machine to external interface of firewall.
       22) Clear web browser cache. Attempt to connect to external web
           server.  Web page is downloaded with no logs in Gauntlet.
       23) Start ESPM-GUI. Remove  all services from trusted  networks
           services.  Remove client  machine from ESPM network  group.
           Apply changes.
       24) FTP from client machine  to server. FTP connection is  made
           though no rule exists.
       25) Start telnet server on client machine.  Telnet from  server
           to client.  Telnet connection is made.

Solution

    Other Gauntlet 5.0  patched systems are  not affected.   Unpatched
    Gauntlet 5.0 BSDI is not affected.  Workaround:

        A) Install M310-049 *before* installing Gauntlet 5.0.
        B) A vendor patch/fix/suggestion is coming.
        C) Workaround: NEITHER MYSELF,  V-ONE, NOR NAI IS  RESPONSIBLE
           FOR  THE  CORRECT/INCORRECT  USE  OF  THIS  (DOING THIS MAY
           ADVERSELY AFFECT YOUR SYSTEM AND MAY VOID TECH SUPPORT).
           (as root)
           1) # cp /usr/local/sys.gauntlet/i386/OBJ/ip_input.o /usr/src/sys/i386/OBJ
           2) # sh /usr/local/sys.gauntlet/build_kernel/build_kernel 50.1
           3) # reboot

    NAI released a fix.  You can download it from:

        http://www.tis.com/support/patch50.html

    This has  been addressed  in the  kernel.BSDI.patch, patchlevel  3
    that BSDi released yesterday for Gauntlet 5.0.