Rapid7 Vulnerability & Exploit Database

Firewall TCP Established Rule Bypass

Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 11/01/2004
Created: 07/25/2018
Added: 11/01/2004
Modified: 06/11/2019

Description

Due to ambiguities in TCP/IP implementations, it is sometimes possible to bypass firewall rules intended to keep state on outbound connections. If multiple conflicting flags are set on the initial SYN packet of the TCP handshake, some operating systems accept the SYN packet and complete the handshake even though they are configured to block incoming connections.

Rules that check for established state often allow a packet through if it has certain flags set, including FIN, RST or ACK. These rules do not check whether the SYN flag is also set. If the target operating system negotiates the TCP handshake despite the additional flags, the firewall rule is effectively bypassed. Here are some examples of operating systems and the flag combinations for which they will negotiate the TCP handshake:

  • Ascend/Lucent: SYN, SYN+FIN
  • Cisco IOS: SYN, SYN+FIN
  • Cisco PIX: SYN, SYN+FIN
  • FreeBSD: SYN, SYN+FIN
  • IBM AS/400: SYN
  • Linux 2.2.x: SYN, SYN+FIN
  • Linux 2.4.x: SYN, SYN+FIN, SYN+RST
  • Netware: SYN, SYN+FIN
  • SCO UnixWare: SYN, SYN+FIN
  • Solaris: SYN, SYN+FIN
  • Windows NT4: SYN, SYN+FIN
  • Windows 2000: SYN, SYN+FIN
  • Windows XP: SYN, SYN+FIN
  • Windows .NET: SYN, SYN+FIN
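The weak "established" check described above, shown beside a hardened one, as an added example that is not part of the Rapid7 entry. It parses the flags byte from a constructed raw TCP header and compares a naive rule (pass if FIN, RST or ACK is set) with a rule that also rejects the SYN+FIN and SYN+RST combinations from the list; the header builder and the sample segments are constructed here for illustration.

```python
import struct

# TCP flag bits as laid out in the flags byte of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(segment: bytes) -> int:
    """Return the flags byte (offset 13) of a raw TCP header without IP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def naive_established(flags: int) -> bool:
    """Weak rule from the description: 'established' if FIN, RST or ACK is set.
    A SYN+FIN or SYN+RST segment satisfies this and is let through."""
    return bool(flags & (FIN | RST | ACK))


def hardened_established(flags: int) -> bool:
    """Hardened rule: drop SYN combined with FIN or RST (never a valid handshake
    segment), treat SYN without ACK as a new inbound connection, and otherwise
    require ACK, as a reply to an outbound connection would carry."""
    if flags & SYN and flags & (FIN | RST):
        return False
    if flags & SYN and not flags & ACK:
        return False
    return bool(flags & ACK)


def build_segment(flags: int, sport: int = 40000, dport: int = 22) -> bytes:
    """Construct a minimal 20-byte TCP header (constructed sample data):
    ports, seq, ack, data offset (5 words), flags, window, checksum, urgent."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def classify(segment: bytes) -> dict:
    """Evaluate one inbound segment under both rules."""
    flags = tcp_flags(segment)
    return {"naive_pass": naive_established(flags),
            "hardened_pass": hardened_established(flags)}


if __name__ == "__main__":
    for name, f in (("SYN", SYN), ("SYN+FIN", SYN | FIN), ("SYN+RST", SYN | RST), ("ACK", ACK)):
        print(name, classify(build_segment(f)))
```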

Solution(s)

  • generic-firewall-tcp-established-bypass
