Back on April 12, 2011, a report from independent security testing organization NSS Labs, warned of a vulnerability affecting industry-leading firewalls, including a sneak attack that could go unnoticed by most organizations. The dangerous vulnerability came in the form of a TCP Split Handshake Attack, an attack essentially being the TCP Equivalent of IP Spoofing. The issue permits an external attacker to trick the firewall into allowing access inside the firewall as a trusted client.
This TCP split handshake attack has been publicly known for over a year, and all firewalls should defend against it, but at the time, it wasn’t the case. In fact, 5 of the 6 firewalls that NSS labs tested FAILED to detect and block the TCP Split Handshake Attack.
Today, however, NSS Labs reported that as of May 6, four out of five vendors have provided NSS Labs with fixes for the TCP Split Handshake issue, which NSS Labs has been able to test and validate in its lab. Firewalls tested for April’s report included Check Point Power-1 11065, Cisco ASA 5585, Fortinet Fortigate 3950, Juniper SRX 5800, Palo Alto Networks PA-4020, and Sonicwall E8500. The only firewall tested that passed the TCP split handshake attack (using the default settings that the vendor ships to customers) back in the original report was the Check Point Power-1 11065. Affected vendors were notified of the issue in early February. Since the April report:
• Fortinet delivered a patch to its firewall.
• Juniper changed the default setting to enable protection against the attack
• Palo Alto Networks delivered a patch to its firewall.
• SonicWALL delivered a patch to its firewall.
• Cisco has not issued a patch, but recommends a workaround using access control lists (ACLs), which provides protection in some but not all cases.
NSS Labs warns that enabling this protection may have a negative impact on performance and/or break applications that are not using TCP properly. NSS Labs recommends enterprises test the configuration prior to deployment in order to ascertain the impact.
Cisco originally denied the fact that its ASA 5585 firewall was vulnerable to the attack. “Based on the investigation of this issue to date, the data indicates that Cisco customers are not exposed to this issue,” wrote Russ Smoak, Director, Security Intelligence Operations for Cisco wrote in a blog post on April 14th. “Fast-forward to April, and we’re still unable to reproduce the TCP split handshake issue,” Smoak added. But rather then firing back publicly, sources close to the situation told SecurityWeek that NSS Labs demonstrated the evasion on the ASA 5585 device again, and that Cisco has acknowledged the issue. Sources also told SecurityWeek that Cisco engineers went to the NSS Labs facility for an on-site demonstration of the attack.
Related Resource: Understanding Web Application Security – Defending the Enterprise’s New Porous Perimeter
Palo Alto Networks reacted quickly after the public report was issued, making a fix available in about a week. (The company did have the data available and was already working on a patch previous to the April 12 public release of the report). Additionally, one week after the original report, NSS Labs awarded Palo Alto Networks a “Recommended” rating for passing all tests, including the TCP split-handshake spoof test. This retest was conducted using the latest build of PAN-OS (4.0.2). Palo Alto Networks also jointly hosted a webcast with NSS Labs shortly after, suggesting that some marketing dollars were put into the fact that its products passed the test, and that the company was hoping to capture the attention of potential customers concerned with the vulnerabilities.
“NSS Labs commends the vendors who have taken steps to deliver protection for their customers,” said Vik Phatak, CTO, NSS Labs. “End-user organizations need rigorous independent testing to help them identify and remediate gaps in their network and systems security.”