TCP Source Port Pass Firewall vulnerability

Article ID: 262621

Products

Security Analytics

Issue/Introduction

The following two vulnerabilities were reported against Security Analytics by a vulnerability scan.

TCP Source Port Pass Firewall
TCP Sequence Number Approximation Based Denial of Service

Environment

Release : 8.2.5-55424

Resolution

TCP Source Port Pass Firewall

The port described in this finding is port 20, i.e. the FTP data channel. In an active-mode FTP session the FTP server connects from port 20 back to an ephemeral port on the client. This is a necessary part of an Active FTP connection, and removing the rule may cause some unforeseen problems for customers. If you do not need FTP services (such as FTP Mover), then you should delete those rules from your firewall to block port 20.
 
The recommendation to disable port 20 on the firewall is in the "Security Best Practices" document. Qualys only reports this issue when the scan is run against an appliance with the default configuration. When the scan is run against the "Best Practices" configuration, this issue is not reported.
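The finding above is triggered by a firewall rule that accepts inbound TCP segments purely because their source port is 20, whatever destination port they target. The following is an added example, not code from this article or from the Security Analytics product: it parses `iptables-save` style output, flags INPUT rules that ACCEPT on TCP source port 20 without a destination-port restriction, and emits the matching `iptables -D` commands that would remove them. The ruleset is constructed for illustration and is not taken from an appliance; whether the appliance uses iptables at all is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample of `iptables-save` output (not from a Security Analytics appliance).
# The second -A rule is the pattern behind the scanner finding: any inbound TCP segment
# with source port 20 is accepted, regardless of the destination port it targets.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 --dport 40000:41000 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A (?P<chain>\S+) (?P<spec>.*)$")


def parse_rules(ruleset: str) -> List[Dict[str, str]]:
    """Return each `-A <chain> <spec>` line as a dict; table, policy and COMMIT lines are skipped."""
    rules = []
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def find_source_port_pass_rules(ruleset: str, port: int = 20) -> List[str]:
    """INPUT rules that ACCEPT on TCP source port `port` with no destination-port match.

    These are the rules a "TCP Source Port Pass Firewall" check exercises. A rule that also
    carries --dport narrows the exposure to that port range, so it is not flagged here.
    """
    hits = []
    for rule in parse_rules(ruleset):
        spec = rule["spec"]
        if rule["chain"] != "INPUT" or not re.search(r"-j ACCEPT(\s|$)", spec):
            continue
        # Accept both the short and long spelling of the tcp match option.
        if not re.search(rf"(^|\s)--(sport|source-port) {port}(\s|$)", spec):
            continue
        if re.search(r"(^|\s)--(dport|destination-port) ", spec):
            continue
        hits.append(f"{rule['chain']} {spec}")
    return hits


def remediation_commands(ruleset: str, port: int = 20) -> List[str]:
    """`iptables -D` commands removing the flagged rules (same spec, with -A turned into -D)."""
    return [f"iptables -D {r}" for r in find_source_port_pass_rules(ruleset, port)]


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_RULESET):
        print(cmd)
```

Run it against the live ruleset with `iptables-save | python3 check_sport20.py` after reading the ruleset from `sys.stdin` instead of `SAMPLE_RULESET`; review the printed `-D` commands before applying them, since the active FTP data channel (FTP Mover included) depends on that rule.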


TCP Sequence Number Approximation Based Denial of Service

This has been left unfixed in Linux because it is not viewed as a problem. Red Hat's explanation of CVE-2004-0230 is found at https://access.redhat.com/security/cve/cve-2004-0230

The proposed IETF solution does not seem like a bullet-proof solution either: an attacker who can sniff the ACK sent in response to the reset could read the correct sequence number from it. The Red Hat explanation points to the URL http://lwn.net/Articles/81560/, which gives further discussion of this issue. Red Hat does not have any plans for action regarding this issue.
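To make the two receiver behaviours being compared concrete, here is an added example (not code from this article, from Red Hat, or from the Linux kernel) that models how a TCP receiver validates an incoming RST. The pre-mitigation rule accepts any RST whose sequence number falls inside the receive window, which is what makes approximation rather than an exact guess sufficient; the IETF proposal the article refers to (published as RFC 5961) only resets on an exact match and answers an in-window but inexact RST with a challenge ACK. That ACK carries the exact expected sequence number, which is the limitation the article points out. Window sizes and sequence numbers below are constructed.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated with 32-bit wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_legacy(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 793 behaviour: any in-window RST tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_rfc5961(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 section 3.2: exact match resets; in-window but inexact earns a challenge ACK.

    The challenge ACK acknowledges RCV.NXT, so a party able to observe it learns the exact
    value that rst_rfc5961 would accept; a blind sender does not.
    """
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge_ack"
    return "drop"


def blind_sweep_size(rcv_wnd: int) -> int:
    """How many distinct RST sequence numbers cover the whole 2**32 space under the legacy rule.

    One segment per window-sized slice suffices, which is why a large receive window makes
    the legacy behaviour weak and why RFC 5961 removes the window from the decision.
    """
    return -(-MOD // rcv_wnd)  # ceiling division


if __name__ == "__main__":
    rcv_nxt, rcv_wnd = 1000, 65535
    for seq in (1000, 30000, 66535):
        print(seq, rst_legacy(seq, rcv_nxt, rcv_wnd), rst_rfc5961(seq, rcv_nxt, rcv_wnd))
    print("legacy sweep size for a 64 KiB window:", blind_sweep_size(65536))
```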


Based on these explanations, there are no plans to mitigate these findings in the current Security Analytics (SA) code.