[14413] in bugtraq
Re: Esafe Protect Gateway (CVP) does not scan virus under some
daemon@ATHENA.MIT.EDU (Alon Rotem)
Fri Mar 24 17:10:43 2000
Message-Id: <20000324105811.23118.qmail@securityfocus.com>
Date: Fri, 24 Mar 2000 10:58:11 -0000
Reply-To: Alon Rotem <alonr@EALADDIN.COM>
From: Alon Rotem <alonr@EALADDIN.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10003210916360.16029-100000@bastion.hugo.vanderkooij.org>
Hi,
Referring to the message quoted below, initiated by Mr. Hugo van der Kooij, I would like to bring up a few points opposing the analysis of our product, eSafe Protect Gateway for CVP firewalls version 2.1 (also known as eSafe Gateway). eSafe Gateway, integrated with Check Point's "Firewall-1", offers a high level of reliable security and privacy, and an easy to use, powerful configuration interface. eSafe Gateway's excellent security policy is obtained by a combination of a powerful virus and vandal scanning engine for files and applets, high-level content security, and additional personal privacy key features. eSafe Gateway's anti-virus file security is based upon a policy by which files can be considered either "Dangerous" or "Safe". This is determined by the file extensions.
It should not be a surprise to Mr. Van der Kooij that eSafe's security policy does not have to depend on file extensions. A network administrator, worried lest malicious files should enter his network due to the scenario described hereinafter, has the option to scan files regardless of their extensions. Such a solution would usually be redundant and cost network performance, which is often considered valuable. The procedure by which such a configuration is set up is described by Mr. Van der Kooij himself.
The trade-off between performance and sufficiency of protection is a well-known issue in the world of data security. As suggested by Mr. Van der Kooij, it is possible to make files go through eSafe Gateway without being scanned for viruses, thus creating security holes. eSafe believes that relying on file extensions in order to avoid threats and virus assaults is highly efficient. This is definitely not due to a "flawed design". We, at eSafe, believe that it is possible to achieve a high level of security and privacy while relying on file extensions. In order to gain good security and, at the same time, good network performance, it is possible (and recommended) to avoid scanning files that are predefined as "Safe" (or files that are not defined as "Dangerous"). It would often be redundant to scan each and every file which goes through the system.
It is agreed that file renaming is a common action that can be easily performed by anyone who can use an alphanumeric keyboard, but if a hacker sends an infected executable file masquerading with a "TXT" or an "MPG" extension, it is the user's job to get the file, save it to his local disk, rename it to a valid executable, and then run it. Such a user could also bring an infected floppy disk from home and spread a virus in the company's internal network, or format his own hard disk manually. The damage and the user's involvement in damaging the system would be more or less equivalent.
Another aspect of HTTP file protection taken by eSafe is the file's header, which contains extra information about the file type (MIME type). It is indeed possible to make an HTTP server transfer any file with a false MIME type field. Note that HTTP clients (web browsers) treat files by their MIME type. Files that are transferred with a MIME type of "text/html" would be opened in the browser window and not considered as an executable that should be saved to disk. In order to pass an infection in such a case, the user should once again get highly involved: open the browser window, initiate a "Save As..." procedure manually to the local disk, and run the file. Also, note that transferring files with a "text/html" MIME type would usually result in a conversion of the file to ASCII format, and it will be displayed in the browser window with no control characters. Therefore, even saving and running the file would fail.
In conclusion, Mr. Van der Kooij has insinuated that
according to eSafe there is "No fix available". The subject
described above is not a bug, nor a security problem.
Hence, no fix is needed. eSafe Gateway provides excellent
security and safe network environments.
Sincerely,
Alon Rotem
Software Engineer
Phone: [+972 4] 8811441
e-mail: alonr@eAladdin.com
Listen to my music at:
http://www.audiogalaxy.com/bands/alonrotem
Aladdin. Securing The Global Village
Ashlag 22, Haifa, Israel
Tel: +972 4 872-8899 Fax: +972 4 872-9966
Visit us at our Web site! http://www.esafe.com
Aladdin supports Idealist. Visit http://www.idealist.org
Hi,
After notification of the manufacturer, here is the full report on a problem noted with Esafe Protect Gateway.
SUMMARY
-------
The Esafe Protect Gateway (ESPG) does not scan some files in combination with FireWall-1 and CVP.
DETAILS
-------
If you want the Esafe Protect Gateway to scan all content for the presence of a virus you have two options.
1. Choose to scan anything not listed in the 'safe file types' list. And then clear out all entries in that list.
2. Choose to scan only files listed in the 'dangerous file types' list. And then have only one extension listed, namely '*'.
Deciding to rely on extensions seems an indication of a flawed design already. Renaming files is a common practice and can be done by anyone capable of operating a keyboard.
The problem is that anything with the MIME type set to TEXT/HTML will not be scanned regardless of the options recommended above.
A simple test was capable of pointing this out.
Set up a default Apache server. Copy a virus file to two locations, being http://website/test1.txt and http://website/test1.html, and try to download them with your favorite browser. The URL is unique and was never used by your browser, to minimize the possibility of caches being in place. But forced reloads work properly and are sufficient if you want to replicate this issue.
Downloading http://website/test1.html does nothing to detect the virus and it is yours. No protection is offered. Downloading http://website/test1.txt will not work as ESPG will now intercept the file containing the virus.
By adjusting the webserver to send out *.txt as MIME type TEXT/HTML and *.html as MIME type TEXT/PLAIN you can now test with http://website/test2.txt and http://website/test2.html to verify things.
Downloading http://website/test2.txt will get you infected as ESPG will not scan the file. And downloading http://website/test2.html will not work as ESPG detects the virus and will prevent it from downloading.
CONCLUSION
----------
Esafe Protect Gateway can at present not be trusted to protect you from downloading a virus.
VERSIONS
--------
Esafe Protect Gateway v2.1 build 98.
Virus tables dated March 15, 2000.
STATUS
------
Manufacturer notified.
No fix available.
Results have not been confirmed yet.
However, I was able to verify that the problem lies with Esafe and not with Check Point by using Trend Micro's CVP server instead, which did not suffer from the same problem.
Hugo.
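The test procedure in Hugo's report (identical bytes served once under the default extension-to-MIME mapping and once with *.txt and *.html swapped, then fetched through the gateway) as a small Python harness. This is an added example, not code from either message or from Aladdin or Check Point; the server, the URL names and the PAYLOAD stand-in are assumptions, and the payload is a constructed placeholder, not a virus. To exercise a real scanning gateway, bind the server to an address the gateway can reach, point `proxy` at the firewall/CVP chain, and substitute the EICAR test file for PAYLOAD.

```python
"""Harness for the MIME-type vs. extension test described in the report above.

Added example, not code from either message. One constructed payload is
served under four URLs: test1.* with the default extension-to-MIME
mapping, test2.* with the swapped mapping Hugo describes (*.txt as
text/html, *.html as text/plain). A client then fetches each URL,
optionally through the gateway/proxy under test, and reports the
Content-Type received and whether the payload arrived unmodified.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the "virus file" of the report (not malicious);
# replace with the EICAR test string when testing a real scanner.
PAYLOAD = b"CONSTRUCTED-TEST-PAYLOAD: replace with the EICAR test string\r\n"

DEFAULT_TYPES = {".txt": "text/plain", ".html": "text/html"}
SWAPPED_TYPES = {".txt": "text/html", ".html": "text/plain"}  # Hugo's adjusted server

# test1.* use the default mapping, test2.* the swapped one; same bytes either way.
ROUTES = {
    "/test1.txt": DEFAULT_TYPES, "/test1.html": DEFAULT_TYPES,
    "/test2.txt": SWAPPED_TYPES, "/test2.html": SWAPPED_TYPES,
}


def content_type_for(path):
    """Content-Type the test server sends for a path, or None if the path is unknown."""
    mapping = ROUTES.get(path)
    if mapping is None:
        return None
    return mapping[path[path.rfind("."):]]


class TestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ctype = content_type_for(self.path)
        if ctype is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(PAYLOAD)))
        # Like the fresh URLs in the report: keep caches out of the picture.
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        self.wfile.write(PAYLOAD)

    def log_message(self, *args):  # keep the harness quiet
        pass


def start_server(host="127.0.0.1"):
    """Start the server on an ephemeral port; use a reachable host when a gateway must fetch from it."""
    server = ThreadingHTTPServer((host, 0), TestHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(url, proxy=None):
    """GET url (through proxy, e.g. the firewall/CVP chain, if given) and summarise the result."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy} if proxy else {}))
    try:
        with opener.open(url, timeout=10) as resp:
            body = resp.read()
            return {"status": resp.status,
                    "content_type": resp.headers.get("Content-Type"),
                    "intact": body == PAYLOAD}
    except urllib.error.HTTPError as err:        # e.g. a block page returned by the gateway
        return {"status": err.code,
                "content_type": err.headers.get("Content-Type"),
                "intact": False}
    except urllib.error.URLError as err:         # e.g. connection reset by the gateway
        return {"status": None, "content_type": None, "intact": False,
                "error": str(err.reason)}


def run_test(proxy=None, host="127.0.0.1"):
    """Serve the payload and fetch all four URLs; returns {path: result}."""
    server = start_server(host)
    base = "http://%s:%d" % server.server_address[:2]
    try:
        return {path: fetch(base + path, proxy) for path in ROUTES}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, result in run_test().items():
        print(path, result)
```

Run without a proxy to confirm the server itself behaves as intended (all four URLs return the same bytes, only the Content-Type differs); then run with `proxy` set to the gateway and compare which of the four downloads come back intact. A gateway that decides by extension and one that decides by Content-Type give different patterns across test1.txt/test1.html versus test2.txt/test2.html, which is exactly the distinction the report draws.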