Researchers discovered a critical vulnerability in next-generation firewalls that allows remote attackers to bypass firewall restrictions and extract data from an organization to command-and-control servers. The vulnerability, dubbed FireStorm, was discovered by Stas Volfus, head of offensive security at BugSec Group, while working with BugSec's threat detection unit, Cynet.
Volfus told SCMagazine.com that the web-browsing application of next generation firewalls opens firewall clients’ internal servers to access from any IP in the world.
The firewalls are designed to permit the TCP (Transmission Control Protocol) three-way handshake to complete regardless of the packet's destination.
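A defender-side check that follows from the behaviour described above, as an added example (not code from the researchers or any firewall vendor): given per-flow records, it flags flows whose handshake completed to a destination the policy does not allow, and destinations that repeatedly receive completed handshakes carrying no payload. The log format, the allow-list and the sample flows are constructed for illustration.

```python
"""Flag TCP flows that completed the three-way handshake to destinations
outside the firewall's allow-list.  Added example; the record format and
the allow-list are constructed assumptions, not a real product's log."""
import ipaddress
from collections import Counter

# Constructed sample: src, dst, dport, handshake state, payload bytes
SAMPLE_FLOWS = """\
10.0.5.12,93.184.216.34,443,complete,48211
10.0.5.12,198.51.100.7,443,complete,0
10.0.5.12,198.51.100.7,443,complete,0
10.0.5.12,198.51.100.7,443,complete,0
10.0.7.3,198.51.100.7,80,syn_only,0
10.0.7.3,203.0.113.9,8080,complete,0
"""

# Constructed policy: the only external range the firewall should allow
ALLOWED_DESTS = [ipaddress.ip_network("93.184.216.0/24")]


def parse_flows(text):
    """Parse the constructed CSV flow records into dicts."""
    flows = []
    for line in text.splitlines():
        src, dst, dport, state, payload = line.split(",")
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "state": state, "payload": int(payload)})
    return flows


def dest_allowed(dst):
    """True if the destination falls inside an allowed network."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in ALLOWED_DESTS)


def find_handshake_leaks(flows):
    """(src, dst, dport) of flows whose handshake completed to a
    destination the policy does not allow: the flows one would expect
    a firewall to drop at the initial SYN."""
    return [(f["src"], f["dst"], f["dport"]) for f in flows
            if f["state"] == "complete" and not dest_allowed(f["dst"])]


def handshake_only_hotspots(flows, threshold=3):
    """Destinations receiving at least `threshold` completed handshakes
    that never carried a payload; repeated handshake-only flows to one
    host are the pattern worth alerting on."""
    counts = Counter(f["dst"] for f in flows
                     if f["state"] == "complete" and f["payload"] == 0)
    return {dst: n for dst, n in counts.items() if n >= threshold}
```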
The team contacted "one of the largest vendors of next-generation firewalls" to inform the company of the vulnerability, Cynet CEO Eyal Gruner told SCMagazine.com, and was told, "It is not a flaw. It is by design."
Cynet did not disclose which specific next-generation firewalls were found to be vulnerable, but Volfus said the team tested two different next-generation firewalls that together account for at least 30 percent of the market, and both were found to contain the same vulnerability. "We can assume that other next-generation firewalls are also affected," he told SCMagazine.com.
"They understand that it is a security risk," Volfus said, but he added that the firewall vendor is not aware of a way to address the problem without losing functionality, such as the web-browsing application.
Gruner said the research team discovered the vulnerability while conducting research for clients.