
Topic: passing nessus scan: System Responds to SYN+FIN


mikerockynet
passing nessus scan: System Responds to SYN+FIN
« on: March 12, 2009, 02:08:44 pm »
I have a 1.2-RELEASE pfsense that is failing a PCI compliance (nessus++) scan with these details:

Quote
*System Responds to SYN+FIN*
This device responded to a TCP packet with both the SYN and FIN
bits set. Such packets, which do not occur in normal network traffic,
have been used by attackers to bypass the security rules configured in
various firewalls.
Bugtraq: 7487
CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N (Base Score:5.00)

*Recommendations:*
If there is a firewall or ACL handling these packets, check to be sure
that the device is updated with current code. Also, check with your
vendor to verify that there are no rule-bypass concerns with this
device

Also they included a link:
http://www.securityfocus.com/bid/7487

My customer appealed with some verbiage I sent them about the usefulness of 'pf scrub', but the appeal was rejected:

Quote
According to PCI DSS Requirements; "Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)". At this time the SYN+FIN packet can reach all of the Services listed in the Appeal generating a response, and is not dropped by the Firewall.

So I've disabled scrubbing, which was the first step to filtering SYN/FIN packets, but I do not see any simple way in the filtering rules on the WAN to specify which TCP flag sequences to pass or drop. I know that I can track down and edit the raw pf config files to add what I need, but am concerned the GUI will overwrite any customizations I make to the file. Anyone else dealt with this issue? How did you resolve it?

Thanks
Mike

mikerockynet
Re: passing nessus scan: System Responds to SYN+FIN
« Reply #1 on: March 13, 2009, 03:45:32 pm »
So I found /tmp/rules.debug and added this line after the carp anchor, and it seemed to do the trick:

Quote
block in quick on vr0 inet proto tcp from any to any flags SF/SF

But as feared, that line disappeared once I did anything in the web interface.

If our client doesn't pass the PCI compliance scan, we'll lose them. It looks like I'm going to have to replace pfsense with a stock openbsd firewall - not a big deal for me personally, but since my techs are all trained on the web gui it means one more thing that I am the only person capable of managing :(

What is really sad here is that not only is this scan not making them the slightest bit more secure, and not only is this supposed "vulnerability" not a vulnerability at all, but we're actually being forced to relax the security on their system (by disabling scrub) to correct a misinterpretation of the PCI compliance rules and misinterpretation of the test results. I guess that's what we get for letting lawyers and politicians write technical standards :(

P.S. Tried upgrading to 1.2.2 in the hopes that I'd be able to create rules with flags in them. I'm kind of surprised this feature is missing, especially since the raw rules.debug file does have flags in some of them!

Quote
#  grep flag rules.debug
block in quick on $wan proto tcp flags SF/SF
pass in quick on vr0 inet proto tcp from port 20 to (vr0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
#

« Last Edit: March 13, 2009, 04:54:23 pm by mikerockynet »
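As an added example (not the poster's rule file or pfSense's own code), the following models pf's `flags a/b` matching behind the `SF/SF` and `S/SA` specs shown above and applies it to constructed TCP headers: it shows why a `flags S/SA` pass rule on its own still admits a SYN+FIN segment (F is not in the checked set) and why the `SF/SF` block has to sit before it in a first-match ruleset.

```python
import struct

# pf flag letters -> TCP header flag bits (FIN SYN RST PSH ACK URG ECE CWR)
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def flags_to_mask(letters):
    """Turn a pf flag list such as 'SF' or 'SA' into a bitmask."""
    mask = 0
    for ch in letters:
        mask |= TCP_FLAGS[ch]
    return mask


def pf_flags_match(spec, packet_flags):
    """pf 'flags a/b' semantics: of the flags listed in b, exactly those in a
    must be set; flags outside b are ignored. 'any' disables the check."""
    if spec == "any":
        return True
    if "/" not in spec:
        raise ValueError("use pf's a/b form, e.g. SF/SF: " + spec)
    a, b = spec.split("/", 1)
    required, checked = flags_to_mask(a), flags_to_mask(b)
    if required & ~checked:
        raise ValueError("flags in a must also appear in b: " + spec)
    return (packet_flags & checked) == required


def build_tcp_header(sport, dport, flags):
    """Constructed minimal 20-byte TCP header (seq/ack 0, data offset 5, window 1024)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def tcp_flags(header):
    """The flag byte sits at offset 13 of the TCP header."""
    return header[13]


# First-match ('quick') ruleset modelled on the thread: the SYN+FIN block
# goes first, then the usual pass for a bare SYN opening a connection.
RULESET = [("block", "SF/SF"), ("pass", "S/SA")]


def verdict(header, ruleset=RULESET):
    """Return the action of the first rule whose flags spec matches, else block."""
    flags = tcp_flags(header)
    for action, spec in ruleset:
        if pf_flags_match(spec, flags):
            return action
    return "block"  # constructed default: nothing matched


if __name__ == "__main__":
    for name, f in [("SYN", 0x02), ("SYN+FIN", 0x03), ("SYN+ACK", 0x12)]:
        print(name, verdict(build_tcp_header(54321, 443, f)))
```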

jimp
Re: passing nessus scan: System Responds to SYN+FIN
« Reply #2 on: March 14, 2009, 11:10:22 am »
Did you read the link they gave? That is a vulnerability on Caldera OpenLinux which has nothing to do with FreeBSD, on which pfSense is based. Completely different worlds, and completely different network stacks. Not to mention that was a specific flaw in a specific version of Caldera, by SCO, and no others.

It should be enough to tell them that you are not running the vulnerable platform, and that it is a false positive.

mikerockynet
Re: passing nessus scan: System Responds to SYN+FIN
« Reply #3 on: March 18, 2009, 02:16:04 pm »
Quote
Did you read the link they gave? That is a vulnerability on Caldera OpenLinux which has nothing to do with FreeBSD, on which pfSense is based. Completely different worlds, and completely different network stacks. Not to mention that was a specific flaw in a specific version of Caldera, by SCO, and no others.

It should be enough to tell them that you are not running the vulnerable platform, and that it is a false positive.

I explained that in detail and they rejected my response. It's definitely a false positive. Their exact verbiage says that 'only "established" connections are allowed into the network.'

I'd like to know just how connections are ever supposed to become established if you don't allow SYN packets through? I don't think this company even understands what a three-way handshake actually is.

I hope pfsense 2.0 will allow us to filter on tcp flags. I can imagine other uses for this too.