
SYMSA-2007-005: Vista Windows Firewall Incorrectly Applies Filtering to Teredo Interface




                     Symantec Vulnerability Research
                     http://www.symantec.com/research
                           Security Advisory

   Advisory ID: SYMSA-2007-005
Advisory Title: Vista Windows Firewall Incorrectly Applies
                Filtering to Teredo Interface
        Author: Jim Hoagland / Ollie Whitehouse
  Release Date: 10-07-2007
   Application: Windows Firewall (Vista version)
      Platform: Windows Vista (RTM and RC2 builds known affected;
                XP, 2003 would not be affected)
      Severity: Unintended remote exposure to services
 Vendor status: Resolved in MS07-038
    CVE Number: CVE-2007-3038
     Reference: http://www.securityfocus.com/bid/24779


Overview:

  Windows Firewall for Windows Vista is the Microsoft provided
  firewall solution.  It is installed and enabled out-of-the-box,
  with most ports filtered.

  Due to an implementation issue, the Windows Firewall does not
  apply firewall rules correctly on the Teredo Interface.  This
  allows a level of remote access to TCP and UDP ports and services
  that exceeds what Microsoft expected and what an administrator
  would expect.

Details:

  Teredo is an IPv4 to IPv6 transition mechanism for IPv6-capable
  hosts that are located behind an IPv4 NAT.  It is installed and
  enabled out-of-the-box on Windows Vista.  It provides end-to-end
  automatic tunneling through a NAT by tunneling IPv6 over IPv4 UDP
  packets.  Once a Teredo interface becomes set up (in Teredo
  terminology: qualified), anyone on the Internet that knows the
  Teredo address can send it packets and possibly establish
  sessions.  This capability persists until the Teredo interface
  becomes de-qualified for some reason; while in general Teredo
  works to keep a Teredo interface qualified, under some
  circumstances, Vista will shut down the interface after 60 minutes
  of inactivity.

  By design, Windows Firewall is supposed to block all access to
  ports on the Teredo interface, except for cases where
  access-through-Teredo is specifically requested (through the "Edge
  Traversal" flag in the firewall rule being set). However, due to a
  logic bug, it does not apply this restriction. Instead, any port
  that is accessible on the local network is also accessible from
  any host on the Internet over the Teredo interface, even if the
  firewall rule specifies "remote address=local subnet".
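To make the intended "Edge Traversal" semantics and the described failure concrete, here is an added model in Python (not Microsoft's code and not part of the advisory): an evaluator with the intended behaviour, where a Teredo-delivered packet only matches a rule that sets Edge Traversal, beside one that skips that restriction as the advisory describes. The local subnet, the rule and the packet values are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for this example: the host's local subnet. The rule modelled
# below is the out-of-the-box one the advisory names (TCP 5357, WSD).
LOCAL_SUBNET = ip_network("192.168.1.0/24")


@dataclass
class Rule:
    proto: str
    port: int
    remote: str                   # "any", "local subnet" or a CIDR string
    edge_traversal: bool = False  # the "Edge Traversal" flag of a Vista rule


@dataclass
class Packet:
    proto: str
    dport: int
    src: str            # source address as seen by the host
    via_teredo: bool    # True if delivered on the Teredo interface


def remote_in_scope(rule: Rule, src: str) -> bool:
    """Does the packet's source fall inside the rule's remote-address scope?"""
    if rule.remote == "any":
        return True
    net = LOCAL_SUBNET if rule.remote == "local subnet" else ip_network(rule.remote)
    addr = ip_address(src)
    return addr.version == net.version and addr in net


def intended_allows(rule: Rule, pkt: Packet) -> bool:
    """Intended behaviour: Teredo traffic matches only rules with Edge Traversal set."""
    if (pkt.proto, pkt.dport) != (rule.proto, rule.port):
        return False
    if pkt.via_teredo and not rule.edge_traversal:
        return False
    return remote_in_scope(rule, pkt.src)


def flawed_allows(rule: Rule, pkt: Packet) -> bool:
    """Behaviour the advisory describes: the Teredo restriction is not applied,
    so a Teredo packet gets through wherever a local-subnet peer would."""
    if (pkt.proto, pkt.dport) != (rule.proto, rule.port):
        return False
    if pkt.via_teredo:
        return remote_in_scope(rule, str(LOCAL_SUBNET[1]))
    return remote_in_scope(rule, pkt.src)


WSD_RULE = Rule("tcp", 5357, "local subnet")
# Constructed Internet peer reaching the host over its Teredo interface.
INTERNET_VIA_TEREDO = Packet("tcp", 5357, "2001:db8::beef", True)
```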

  The level of exposure depends on current firewall rule settings.
  An out-of-the-box Vista installation with a network profile set
  to "private" will expose the following port across the Teredo
  interface:

  * TCP port 5357 (Web Services for Devices)

  An exposed service may reveal sensitive or useful information to
  an attacker. In combination with a vulnerability in the service
  it may also provide an avenue of attack.  In addition, a service
  that was designed to only be accessible in trusted circumstances
  may simply not present an adequate security posture for general
  Internet access.

  It is not considered difficult for a remote user to cause the
  Teredo interface to become qualified.  Teredo can become qualified
  simply because Vista or some application wants to use IPv6 for
  whatever reason.  The attacker would then just have to guess the
  Teredo address or learn it by some means and they would be able to
  access any open ports.

  Teredo will also become qualified if the address of a peer
  represents a Teredo address (perhaps even if the peer has native
  IPv6 Internet access).  Thus an attacker can send a URL of this
  form, "http://[2001:0:...]/...", through e-mail, IM, HTTP, etc., and
  if the URL is followed, the attacker will both know the Teredo
  address of the victim and will have had the victim become
  qualified. An HTTP redirect to such a URL would also work and may be
  more stealthy. Reportedly, Vista will not return AAAA records
  corresponding to Teredo addresses, so the attacker's Teredo address
  would have to be listed by address and not by hostname.
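As an added example (not part of the original advisory), a Python helper that decodes the RFC 4380 fields embedded in a Teredo address and flags bracketed Teredo literals in URLs, which is where a mail or proxy filter would look given that such hosts are named by address rather than by hostname. The sample text is constructed; the decoded address is the worked example from RFC 4380.

```python
import re
from ipaddress import IPv4Address, IPv6Address, ip_network

# Teredo addresses live in 2001:0000::/32 (RFC 4380). The remaining 96 bits
# carry the Teredo server's IPv4, a flags field, and the client's NAT-mapped
# external port and IPv4 address, the latter two stored XOR-ed with all ones.
TEREDO_PREFIX = ip_network("2001::/32")


def decode_teredo(addr: str):
    """Return the fields embedded in a Teredo address, or None if addr is not Teredo."""
    a = IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    raw = int(a)
    return {
        "server": str(IPv4Address((raw >> 64) & 0xFFFFFFFF)),        # bits 32-63
        "cone": bool((raw >> 48) & 0x8000),                           # top flag bit
        "port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,                      # obfuscated port
        "client": str(IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),  # obfuscated IPv4
    }


# Bracketed IPv6 literal used as a URL host, e.g. http://[2001:0:...]/path
URL_IPV6_LITERAL = re.compile(r"https?://\[([0-9a-f:]+)\]", re.IGNORECASE)


def teredo_literals_in(text: str):
    """Return (url_host_part, decoded_fields) for every Teredo literal host in text."""
    hits = []
    for m in URL_IPV6_LITERAL.finditer(text):
        try:
            fields = decode_teredo(m.group(1))
        except ValueError:  # not a well-formed IPv6 literal
            continue
        if fields is not None:
            hits.append((m.group(0), fields))
    return hits


# Constructed sample: one Teredo literal (RFC 4380's worked address), one
# non-Teredo IPv6 literal and one hostname URL.
SAMPLE_TEXT = (
    "Click http://[2001:0:4136:e378:8000:63bf:3fff:fdd2]/index.html now, "
    "or see http://[2001:db8::1]/ and http://example.com/."
)

if __name__ == "__main__":
    for url, fields in teredo_literals_in(SAMPLE_TEXT):
        print(url, "->", fields)
```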

Vendor Response:

  This has been patched in MS07-038.

Recommendation:

  Apply the patch contained in MS07-038.

  In addition, you should consider whether Teredo poses an acceptable
  level of exposure to your network.  If it provides too much
  exposure (e.g., due to bypassing network-based security controls),
  you should disable Teredo and block it on your network.
Common Vulnerabilities and Exposures (CVE) Information:

  The Common Vulnerabilities and Exposures (CVE) project has
  assigned the following name to this issue.  It is a candidate for
  inclusion in the CVE list (http://cve.mitre.org), which
  standardizes names for security problems.


  CVE-2007-3038

  -------Symantec Vulnerability Research Advisory Information-------

  For questions about this advisory, or to report an error:
  research@xxxxxxxxxxxx

  For details on Symantec's Vulnerability Reporting Policy:
  http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

  Symantec Vulnerability Research Advisory Archive:
  http://www.symantec.com/research/

  Symantec Vulnerability Research GPG Key:
  http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc

  -------------Symantec Product Advisory Information-------------

  To Report a Security Vulnerability in a Symantec Product:
  secure@xxxxxxxxxxxx

  For general information on Symantec's Product Vulnerability
  reporting and response:

  http://www.symantec.com/security/

  Symantec Product Advisory Archive:
  http://www.symantec.com/avcenter/security/SymantecAdvisories.html

  Symantec Product Advisory PGP Key:
  http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

  ---------------------------------------------------------------

  Copyright (c) 2007 by Symantec Corp.
  Permission to redistribute this alert electronically is granted
  as long as it is not edited in any way unless authorized by
  Symantec Consulting Services. Reprinting the whole or part of
  this alert in any medium other than electronically requires
  permission from cs_advisories@xxxxxxxxxxxxx

  Disclaimer
  The information in the advisory is believed to be accurate at the
  time of publishing based on currently available information. Use
  of the information constitutes acceptance for use in an AS IS
  condition. There are no warranties with regard to this information.
  Neither the author nor the publisher accepts any liability for any
  direct, indirect, or consequential loss or damage arising from use
  of, or reliance on, this information.

  Symantec, Symantec products, and Symantec Consulting Services are
  registered trademarks of Symantec Corp. and/or affiliated companies
  in the United States and other countries. All other registered and
  unregistered trademarks represented in this document are the sole
  property of their respective companies/owners.