-- Corsaire Limited Security Advisory -- Title: Symantec Enterprise Firewall (SEF) SMTP proxy inconsistencies Date: 18.01.02 Application: Symantec Enterprise Firewall (SEF) 6.5.x Environment: WinNT, Win2000 Author: Martin O'Neal [martin.oneal@corsaire.com] Audience: General distribution Reference: c020118-001 -- Scope -- The aim of this document is to clearly define some issues related to a some SMTP proxy inconsistencies within the Symantec Enterprise Firewall (SEF) environment as provided by Symantec [1]. -- History -- Vendor notified: 18.01.02 Document released: 21.02.02 -- Overview -- The SEF firewall product uses an application proxy strategy to provide enhanced security features for a variety of common protocols. For the SMTP proxy, part of this additional functionality allows the firewall to restrict the sender / recipient domains and to hide internal infrastructure information from external recipients. However, when the firewall is configured to provide network address translation (NAT) to an SMTP connection (effectively hiding the internal server behind a publicly routable address), this might not always be conducted as desired. -- Analysis -- The SMTP proxy works by analysing the SMTP format and optionally rewriting some of the headers to achieve the desired aim. When an inbound or outbound SMTP connection is NATed to an address other than the one assigned to the physical firewall interface, then the SMTP proxy still uses the physical interface name and address within the SMTP protocol exchange. This has two potential issues: The first issue is that there is now a potential information leak; additional information is contained within the SMTP protocol exchange that could aid an attacker in analysing the firewall configuration. The second issue is that any receiving / sending host that is configured to enforce strict checks on the SMTP protocol exchange, might not accept the connection due to the inconsistencies in the fields. -- Proof of concept -- To reproduce this issue, place an SMTP host on an internal interface of the SEF firewall. Create a rule that allows inbound and outbound traffic to this host, then create an address translation and redirection entry that maps SMTP connections to and from an external address other than the physical interface address. smtp address (internal) 1.1.1.1 (twist.dance.org) firewall address (external physical) 2.2.2.2 (waltz.dance.org) firewall address (external SMTP NAT) 2.2.2.254 (foxtrot.dance.org) firewall name tango firewall domain dance.org redirect 2.2.2.254 -> 1.1.1.1 (for SMTP only) NAT 1.1.1.1 -> any (use 2.2.2.254) NAT any -> 1.1.1.1 (use client address) rule 1.1.1.1 -> any (for SMTP only) rule any -> 1.1.1.1 (for SMTP only) For inbound connections to 2.2.2.254: -> 220 tango.dance.org Generic SMTP handler For outbound connections from 2.2.2.254: <- 220 ... -> HELO waltz.dance.org <- 250 ... talking to foxtrot.dance.org ([2.2.2.254]) -- Recommendations -- The SMTP proxy behaviour should be revised to resolve the information within the protocol exchange to the correct host / address combination. -- CVE -- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2002-0309 to this issue (http://cve.mitre.org). -- References -- [1] http://enterprisesecurity.symantec.com/products/products.cfm?ProductID =47&PID=9674250&EID=0 -- Revision -- a. Initial release. b. Revised to include CVE reference. -- Distribution -- This security advisory may be freely distributed, provided that it remains unaltered and in its original form. -- Disclaimer -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. Copyright 2002 Corsaire Limited. All rights reserved.