Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 2 subscribers
  • Views 2302 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SYN FIN packets allowed on and through fw

BarryG
Hi, our PCI vendor, Trustwave, flagged us on the following, both for the 8.102 firewall itself (on the webadmin port), and for servers behind our 7.509 firewall. I'm guessing both versions are allowing it, but the scan missed it due to portscan detection or something.


System Responds to SYN+FIN TCP Packets
This device responded to a TCP packet with both the SYN and FIN
bits set. Such packets do not occur in typical network traffic, but can
be used by attackers to bypass the security rules configured in nonstateful
firewalls and establish connections with protected hosts.
CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:N(0.00)
Reference: US-CERT Vulnerability Note VU#464113 - TCP/IP implementations handle unusual flag combinations inconsistently
Service: apache:http_server (astaro 8.102)
Service: https (ubuntu server behind 7.509)


Thanks,
Barry


This thread was automatically locked due to age.
Parents
  • 0
    Hi Barry, 8.102 is quite old of a version. You are missing hundreds of fixes and improvements against 8.304. You should Up2Date and see if the problem persists, and from that point we could address any failures as bug reports.

    Further, the explanation states "against non-stateful firewalls" however we are in fact stateful.
Reply
  • 0
    Hi Barry, 8.102 is quite old of a version. You are missing hundreds of fixes and improvements against 8.304. You should Up2Date and see if the problem persists, and from that point we could address any failures as bug reports.

    Further, the explanation states "against non-stateful firewalls" however we are in fact stateful.
Children
No Data