-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Symantec Vulnerability Research http://www.symantec.com/research Security Advisory Advisory ID: SYMSA-2007-005 Advisory Title: Vista Windows Firewall Incorrectly Applies Filtering to Teredo Interface Author: Jim Hoagland / Ollie Whitehouse Release Date: 10-07-2007 Application: Windows Firewall (Vista version) Platform: Windows Vista (RTM and RC2 builds known affected; XP, 2003 would not be affected) Severity: Unintended remote exposure to services Vendor status: Resolved in MS07-038 CVE Number: CVE-2007-3038 Reference: http://www.securityfocus.com/bid/24779 Overview: Windows Firewall for Windows Vista is the Microsoft provided firewall solution. It is installed and enabled out-of-the-box, with most ports filtered. Due to an implementation issue, the Windows Firewall does not apply firewall rules correctly on the Teredo Interface. This allows a level of remote access to TCP and UDP ports and services that exceeds what Microsoft expected and what an administrator would expect. Details: Teredo is an IPv4 to IPv6 transition mechanism for IPv6-capable hosts that are located behind an IPv4 NAT. It is installed and enabled out-of-the-box on Windows Vista. It provides end-to-end automatic tunneling through a NAT by tunneling IPv6 over IPv4 UDP packets. Once a Teredo interface becomes set up (in Teredo terminology: qualified), anyone on the Internet that knows the Teredo address can send it packets and possibly establish sessions. This capability persists until the Teredo interface becomes de-qualified for some reason; while in general Teredo works to keep an Teredo interface qualified, under some circumstances, Vista will shut down the interface after 60 minutes of inactivity. By design, Windows Firewall is supposed to block all access to ports on the Teredo interface, except for cases where access-though-Teredo is specifically requested (through the "Edge Traversal" flag in the firewall rule being set). However, due to a logic bug, it does not apply this restriction. Instead, any port that is accessible on the local network is also accessible from any host on the Internet over the Teredo interface, even if the firewall rule specifies "remote address=local subnet". The level of exposure depends on current firewall rule settings. An out-of-the-box Vista installation with a network profile set to "private" will expose the following port across the Teredo interface: * TCP port 5357 (Web Services for Devices) An exposed service may reveal sensitive or useful information to an attacker. In combination with a vulnerability in the service it may also provide an avenue of attack. In addition, a service that was designed to only be accessible in trusted circumstances may simply not present an adequate security posture for general Internet access. It is not considered difficult for a remote user to cause the Teredo interface to become qualified. Teredo can become qualified simply because Vista or some application wants to use IPv6 for whatever reason. The attacker would then just have to guess the Teredo address or learn it by some means and they would be able to access any open ports. Teredo will also become qualified if the address of a peer represents a Teredo address (perhaps even if the peer has a native IPv6 Internet access). Thus an attacker can send a URL of this form "http://[2001:0:...]/..." through e-mail, IM, HTTP, etc, and if the URL is followed, the attacker will both know the Teredo address of the victim and will have had the victim become qualified. A HTTP redirect to such a URL would also work and may be more stealthy. Reportedly, Vista will not return AAAA records corresponding to Teredo addresses, so attackers Teredo address would have to be listed by address and not by hostname. Vendor Response: This has been patched in MS07-038. Recommendation: Apply the patch contained in MS07-038. In addition you should consider whether Teredo poses an acceptable level of exposure to your network. If it provides too much exposure (e.g., due to bypassing network-based security controls), you should disable Teredo and block it on your network Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CVE-2007-3038 -------Symantec Vulnerability Research Advisory Information------- For questions about this advisory, or to report an error: research@symantec.com For details on Symantec's Vulnerability Reporting Policy: http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf Symantec Vulnerability Research Advisory Archive: http://www.symantec.com/research/ Symantec Vulnerability Research GPG Key: http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc -------------Symantec Product Advisory Information------------- To Report a Security Vulnerability in a Symantec Product: secure@symantec.com For general information on Symantec's Product Vulnerability reporting and response: http://www.symantec.com/security/ Symantec Product Advisory Archive: http://www.symantec.com/avcenter/security/SymantecAdvisories.html Symantec Product Advisory PGP Key: http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc --------------------------------------------------------------- Copyright (c) 2007 by Symantec Corp. Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Consulting Services. Reprinting the whole or part of this alert in any medium other than electronically requires permission from cs_advisories@symantec.com. Disclaimer The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Symantec, Symantec products, and Symantec Consulting Services are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFGkqPyuk7IIFI45IARArOpAJ9oJRUZZpioiHRVq6cEKiu72kbWPACgpuui 2/d+CVOH+uoOpIIXShU98y0= =AcHW -----END PGP SIGNATURE-----