Attackers can run network tunnels via TCP SYN packets

Dec 11, 2015 12:19 GMT  ·  By

Security researchers have uncovered a way to beat enterprise-grade firewalls and siphon data out of corporate networks via TCP handshakes.

The vulnerability, codenamed FireStorm, was discovered in a joint investigation by BugSec Group and Cynet. According to the researchers, the vulnerability resides in how enterprise firewalls treat TCP connections.

TCP SYN packets used to siphon data out of corporate networks

Whenever a TCP connection starts, before any content is exchanged between the client and the server, the two set up a common communications channel by exchanging a short sequence of control packets that begins with a TCP SYN (synchronize) packet. This process is called the TCP handshake and is mandatory for every connection.

Firewalls let this handshake go through so they can determine what kind of connection is about to start. If the connection type, source or destination is blacklisted in the firewall's configuration, the firewall blocks it.

In their experiment, BugSec Group and Cynet security researchers managed to send sensitive data from a firewall-protected network to an outside server using only TCP SYN packets, never establishing the full TCP connection that the firewall was configured to block.

FireStorm would be a valuable addition to today's malware families

The researchers even created a special tool that allows full data tunneling over TCP handshakes. This tool will not be released, because it would be valuable to developers of RATs (Remote Access Trojans) and to botnet operators, allowing them to exfiltrate data from secure networks without detection.

The vulnerability is present in the products of most firewall vendors. The researchers contacted most of the affected vendors, but the majority declined to consider FireStorm a security vulnerability, saying that this is how their products are designed to work at a technical level.

Researchers are proposing that firewall vendors should at least block repeated TCP SYN packet exchanges between two network participants.

"We believe that this is a dangerous vulnerability and that monitor ability should be added to provide blocking capabilities on repeated suspicious requests and to provide the ability to block a direct connection between an internal host and an unauthenticated foreign host," a joint BugSec Group and Cynet advisory reads.
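The monitoring the advisory asks for can be approximated with connection-tracking logs: flag an internal host that keeps exchanging SYNs with one foreign host while never completing a handshake, and ignore hosts whose retries eventually connect. This is an added example, not the researchers' tool or any vendor's code; the log format (`<epoch> <src> <dst> <dport> <state>`), the sample records and the 10.0.0.0/8 internal range are all constructed.

```python
# Added detection example (not BugSec/Cynet's code). Flags internal hosts that
# repeatedly exchange SYNs with one foreign host and never complete a handshake.
# Log format is constructed: "<epoch> <src> <dst> <dport> <state>".
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range

SAMPLE_LOG = """\
1449800000 10.0.0.5 203.0.113.7 443 SYN_SENT
1449800005 10.0.0.5 203.0.113.7 443 SYN_SENT
1449800010 10.0.0.5 203.0.113.7 443 SYN_SENT
1449800015 10.0.0.5 203.0.113.7 443 SYN_SENT
1449800020 10.0.0.5 203.0.113.7 443 SYN_SENT
1449800001 10.0.0.9 198.51.100.2 80 SYN_SENT
1449800002 10.0.0.9 198.51.100.2 80 SYN_SENT
1449800004 10.0.0.9 198.51.100.2 80 ESTABLISHED
1449800000 10.0.0.12 192.0.2.8 22 SYN_SENT
1449800100 10.0.0.12 192.0.2.8 22 SYN_SENT
1449800200 10.0.0.12 192.0.2.8 22 SYN_SENT
1449800300 10.0.0.12 192.0.2.8 22 SYN_SENT
1449800400 10.0.0.12 192.0.2.8 22 SYN_SENT
"""

def parse(log):
    for line in log.splitlines():
        ts, src, dst, dport, state = line.split()
        yield int(ts), src, dst, int(dport), state

def find_syn_tunnels(log, window=60, threshold=5):
    """Return {(src, dst): n} for internal->foreign pairs with at least
    `threshold` half-open handshakes inside any `window` seconds and no
    completed connection at all; retries that eventually connect are normal."""
    syns, established = defaultdict(list), set()
    for ts, src, dst, _dport, state in parse(log):
        if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
            continue  # only traffic crossing the perimeter is of interest
        if state == "ESTABLISHED":
            established.add((src, dst))
        elif state == "SYN_SENT":
            syns[(src, dst)].append(ts)
    alerts = {}
    for pair, times in syns.items():
        if pair in established:
            continue
        times.sort()
        best = start = 0
        for end, t in enumerate(times):  # sliding window over SYN timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[pair] = best
    return alerts
```

On the sample log only the 10.0.0.5 to 203.0.113.7 pair is reported: five SYNs in 20 seconds with no established flow, while the host that eventually connected and the host whose SYNs are spread minutes apart are left alone.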
