TCP Handshake Opens Firewalls to Attacks

Tuesday, December 15, 2015 @ 02:12 PM gHale

There is a vulnerability that could allow an attacker to get through enterprise firewalls and then pull information out of corporate networks through TCP handshakes.

FireStorm is a vulnerability found via an investigation by BugSec Group and Cynet and it all falls together in how enterprise firewalls treat TCP connections, researchers said.

AV Add-on Captures Malware
New Path for Secure Communications
Automating Big Data Analysis
Creating More Efficient Embedded Systems

Whenever a TCP (Internet) connection starts, before any content ends up exchanged between the client and the server, the two set up a common communications channel by exchanging a few TCP SYN (synchronize) packets. This process is a TCP handshake and is mandatory for all connections.

Firewalls allow this process to take place, so they can know what kind of connection is about to start. If the connection type, source or target ends up blacklisted inside its configuration panel, the firewall will block it.

In an experiment, the researchers sent sensitive data from a firewall-protected network to an outside server using only TCP SYN packets, without ever establishing a full TCP connection that had a firewall configured to block.

The researchers even created a special tool that allows full data tunneling over TCP handshakes. This tool will not end up released because it would be a valuable addition to developers of RATs (Remote Access Trojans) and botnet operators, allowing them to exfiltrate data from secure networks without detection.

The vulnerability is present in the products of most firewall vendors. Researchers contacted most firewall vendors affected by the issue, but most of them declined to consider FireStorm a security vulnerability.

Researchers said firewall vendors should at least block repeated TCP SYN packet exchanges between two network participants.

“We believe that this is a dangerous vulnerability and that monitor ability should be added to provide blocking capabilities on repeated suspicious requests and to provide the ability to block a direct connection between an internal host and an unauthenticated foreign host,” said a joint BugSec Group and Cynet advisory.