PSIRT

FireStorm vulnerability

Description

Researchers discovered that certain next generation firewalls are designed to permit full TCP handshake with any destination, regardless of firewall rules and client restrictions.
They derive from this that they can exfiltrate data to a blacklisted IP (their example is a Botnet C&C Server), by packing data in TCP handshake packets.

Affected Products

None. IP address filtering features of Fortinet products are not affected:

Webfiltering: Not Applicable. Indeed Webfiltering is meant to block Web/HTTP access only. Not any other protocol, much less SYN packets.
Firewall policies: Not vulnerable.
Botnet Servers filtering: Not vulnerable.

Solutions

Enabling Botnet Servers filtering is done differently in FOS 5.4 and FOS 5.2:

In 5.4, set "Scan Outgoing Connections to Botnet Sites" to "Block" in Network->Interfaces->Edit Interface
In 5.2 , set "Detect Connections to Botnet C&C Servers" to "Block" in Security Profiles -> AntiVirus.

References

http://www.cynet.com/blog/

IR Number	FG-IR-15-024
Date	Dec 15, 2015
Severity	Low
Impact	Firewall rules bypass
CVRF	Download

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

PSIRT

FireStorm vulnerability

Description

Affected Products

Solutions

References

News/Research

Research Center

PSIRT Center

Services

By Outbreak

By Solution

By Product

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

Threat Intelligence Center

Resource Center

About

FortiGuard Labs

Partners

PSIRT

FireStorm vulnerability

Description

Affected Products

Solutions

References

Threat Intelligence
Center