SecurityWeek – Network Firewall Vendors Address TCP Split Handshake Vulnerability
Back on April 12, 2011, a report from independent security testing organization NSS Labs, warned of a vulnerability affecting industry-leading firewalls, including a sneak attack that could go unnoticed by most organizations. The dangerous vulnerability came in the form of a TCP Split Handshake Attack, an attack essentially being the TCP Equivalent of IP Spoofing. The issue permits an external attacker to trick the firewall into allowing access inside the firewall as a trusted client.
This TCP split handshake attack has been publicly known for over a year, and all firewalls should defend against it, but at the time, it wasnâ€™t the case. In fact, 5 of the 6 firewalls that NSS labs tested FAILED to detect and block the TCP Split Handshake Attack.
Today, however, NSS Labs reported that as of May 6, four out of five vendors have provided NSS Labs with fixes for the TCP Split Handshake issue, which NSS Labs has been able to test and validate in its lab. Firewalls tested for Aprilâ€™s report included Check Point Power-1 11065, Cisco ASA 5585, Fortinet Fortigate 3950, Juniper SRX 5800, Palo Alto Networks PA-4020, and Sonicwall E8500. The only firewall tested that passed the TCP split handshake attack (using the default settings that the vendor ships to customers) back in the original report was the Check Point Power-1 11065. Affected vendors were notified of the issue in early February. Since the April report:
â€¢ Fortinet delivered a patch to its firewall.
â€¢ Juniper changed the default setting to enable protection against the attack
â€¢ Palo Alto Networks delivered a patch to its firewall.
â€¢ SonicWALL delivered a patch to its firewall.
â€¢ Cisco has not issued a patch, but recommends a workaround using access control lists (ACLs), which provides protection in some but not all cases.
NSS Labs warns that enabling this protection may have a negative impact on performance and/or break applications that are not using TCP properly. NSS Labs recommends enterprises test the configuration prior to deployment in order to ascertain the impact.
Cisco originally denied the fact that its ASA 5585 firewall was vulnerable to the attack. â€œBased on the investigation of this issue to date, the data indicates that Cisco customers are not exposed to this issue,â€ wrote Russ Smoak, Director, Security Intelligence Operations for Cisco wrote in a blog post on April 14th. â€œFast-forward to April, and weâ€™re still unable to reproduce the TCP split handshake issue,â€ Smoak added. But rather then firing back publicly, sources close to the situation told SecurityWeek that NSS Labs demonstrated the evasion on the ASA 5585 device again, and that Cisco has acknowledged the issue. Sources also told SecurityWeek that Cisco engineers went to the NSS Labs facility for an on-site demonstration of the attack.
Read more: SecuirityWeek