PSIRT Advisory

FireStorm vulnerability

Description

Researchers discovered that certain next generation firewalls are designed to permit full TCP handshake with any destination, regardless of firewall rules and client restrictions.
They derive from this that they can exfiltrate data to a blacklisted IP (their example is a Botnet C&C Server), by packing data in TCP handshake packets.

Impact

Firewall rules bypass

Affected Products

None. IP address filtering features of Fortinet products are not affected:

  • Webfiltering: Not Applicable. Indeed Webfiltering is meant to block Web/HTTP access only. Not any other protocol, much less SYN packets.
  • Firewall policies: Not vulnerable.
  • Botnet Servers filtering: Not vulnerable.

Solutions

Enabling Botnet Servers filtering is done differently in FOS 5.4 and FOS 5.2:

  • In 5.4, set "Scan Outgoing Connections to Botnet Sites" to "Block" in Network->Interfaces->Edit Interface
  • In 5.2 , set "Detect Connections to Botnet C&C Servers" to "Block" in Security Profiles -> AntiVirus.