[an error occurred while processing this directive]Links | Books[an error occurred while processing this directive]

By Kevin Poulsen
May 22, 2000 7:48 AM PT


A firewall package protecting thousands of networks worldwide contains
a bug that would allow attackers to obtain "root" access remotely,
potentially compromising the very networks the program was installed
to protect, SecurityFocus News has learned.

The vulnerability is in the Unix distribution of Network Associates
Inc.'s (NAI) Gauntlet firewall suite, billed by the company as the
"World's Most Secure Firewall." Jim Stickley, a San Diego-based
computer security consultant with Garrison Technologies, discovered
the bug while performing a security audit for a corporate client in
Seattle, and reported it to NAI late Friday night. A team of a dozen
company engineers scrambled to produce a fix over the weekend, which
the company was preparing to distribute to customers Monday morning.

The hole is the result of two flaws in Network Associate's integration
of Mattel's Cyber Patrol filtering software into their feature-packed
firewall product. In integrating Cyber Patrol, NAI programmers created
a custom server that checks web address against the Cyber Patrol
database, then approves or disapproves each connection going out
through the firewall depending on whether it's permitted by a
particular company's policy.

That server contains a buffer overflow bug, and, further, mistakenly
accepts connections from the outside world, Network Associates V.P. of
Engineering Tom Ashoff confirmed Sunday.

The bug affects Gauntlet for Unix versions 4.1, 4.2, 5.0 and 5.5, and
the company's Web Shield line of products, but only if Cyber Patrol is
running. The filtering program comes installed with Gauntlet and is on
by default for 30 days. "After thirty days, if you don't register
Cyber Patrol, it stops working and you're no longer vulnerable," said

The vulnerability means intruders can use a Gauntlet firewall as a
point of entry into a corporate network, a potentially embarrassing
development for security giant Network Associates.. "Once you've got
root access on their firewall, you can scan their whole network," said

Network Associates Vice President of Marketing Jim Ishikawa says the
company has prepared a patch for the vulnerability, which it's making
available to customers. The company issued an advisory Monday morning.

"I think as with every kind of security product, it's an ongoing
iterate process, continuously improving the product," said Ishikawa.
"I think the key is rapid response, and I think we demonstrated that
this weekend."

[an error occurred while processing this directive][an error occurred while processing this directive]