SSTIC-2024 / Bypassing firewall filtering rules using DHCP

| Advisory ID | CVE Number | Date discovered | Severity | Advisory revision |
|---|---|---|---|---|
| STORM-2024-021 | | 03/01/2024 | low | v1 |

Vulnerability details

During SSTIC 2024, a presentation demonstrated an attack on firewalls exploiting DHCP, suggesting that SNS might be vulnerable.

Impacted products

| Products | Severity | Detail |
|---|---|---|
| Stormshield Network Security | low | Not Impacted |

Revisions

| Version | Date | Description |
|---|---|---|
| v1 | 05/06/2024 | Initial release |


Stormshield Network Security

CVSS v3.1 Overall Score: 0

Analysis

Impacted version

Context:

A rogue DHCP attack is a type of attack that aims to perform address spoofing: the attacker exploits a standard routing behavior that prioritizes the route to the smallest network (the most specific matching prefix).

SNS Behavior:

Through its IPS mechanism and address spoofing detection, SNS offers an adequate countermeasure to detect and block this type of attack. These mechanisms are enabled by default and are detailed here: Stormshield Documentation.

Attack Execution:

As indicated in the SSTIC 2024 presentation, this attack can only be carried out on SNS if its IPS and anti-spoofing protections, which are enabled by default, have been disabled.

In the default configuration, the SNS anti-spoofing protections detect the use of an IP address that does not belong to the interface, block the packet and raise an IP spoofing alarm (Type 2). The connection is dropped and the attacker cannot reach the server.
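
The two behaviors described above, as an added example that is not Stormshield's code or the presenter's: a simplified Python model of smallest-network (longest-prefix) route selection and of an ingress anti-spoofing check. The interface names, networks, addresses and packets are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed lab topology (assumption): networks declared behind each firewall interface.
INTERFACE_NETWORKS = {
    "in":  [ipaddress.ip_network("192.168.1.0/24")],
    "dmz": [ipaddress.ip_network("10.0.0.0/24")],
}

# Constructed host routing table: a default route plus a more specific
# route covering the same destination (hypothetical values).
HOST_ROUTES = [
    {"net": ipaddress.ip_network("0.0.0.0/0"),   "via": "192.168.1.254"},
    {"net": ipaddress.ip_network("10.0.0.0/24"), "via": "192.168.1.66"},
]

# Constructed packets as seen by the firewall: (ingress interface, source, destination).
PACKETS = [
    ("in",  "192.168.1.10", "10.0.0.5"),      # source matches the "in" network
    ("in",  "10.0.0.7",     "10.0.0.5"),      # dmz address arriving on "in"
    ("dmz", "10.0.0.5",     "192.168.1.10"),  # source matches the "dmz" network
]

def select_route(routes, dst):
    """Among the routes that contain dst, return the one with the smallest network."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen, default=None)

def check_ingress(interface, src):
    """Model of the anti-spoofing rule: src must belong to the ingress interface."""
    src = ipaddress.ip_address(src)
    if any(src in net for net in INTERFACE_NETWORKS.get(interface, [])):
        return "pass"
    return "block: IP spoofing alarm"

def audit(packets):
    """Apply the ingress check to every packet and keep the verdicts."""
    return [(iface, src, check_ingress(iface, src)) for iface, src, _dst in packets]

if __name__ == "__main__":
    print("next hop for 10.0.0.5:", select_route(HOST_ROUTES, "10.0.0.5")["via"])
    for row in audit(PACKETS):
        print(*row)
```
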

Conclusion:

SNS is not vulnerable in standard usage scenarios.

No version is impacted

Workaround solution

N/A

Solution

Use the recommended configuration available here: Stormshield Documentation.



| Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|---|---|
| Adjacent Network | Low | None | None | Changed | None | None | None |

CVSS Base score: 0
CVSS Vector: (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N)

| Exploit Code Maturity | Remediation Level | Report Confidence |
|---|---|---|
| Proof of concept code | Official fix | Reasonable |

CVSS Temporal score: 0
CVSS Vector: (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N/E:P/RL:O/RC:R)

| Confidentiality Requirement | Integrity Requirement | Availability Requirement |
|---|---|---|
| Low | Low | Low |

CVSS Environmental score: 0
CVSS Vector: (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N/E:P/RL:O/RC:R/CR:L/IR:L/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)


Acknowledgements

Thanks to Olivier Bal-Pétré for this report