SSTIC-2024 / Bypassing firewall filtering rules using DHCP
| Advisory ID | CVE Number | Date discovered | Severity | Advisory revision |
|---|---|---|---|---|
| STORM-2024-021 | 03/01/2024 | low | v1 |
Vulnerability details
During SSTIC 2024, a presentation demonstrated an attack on firewalls exploiting DHCP, suggesting that SNS might be vulnerable.
Impacted products
| Products | Severity | Detail |
|---|---|---|
| Stormshield Network Security | low | Not Impacted |
Revisions
| Version | Date | Description |
|---|---|---|
| v1 | 05/06/2024 | Initial release |
Stormshield Network Security |
CVSS v3.1 Overall Score: 0
|
Analysis |
Impacted version |
|
Context: Rogue DHCP Attack is type of attack aims to perform address spoofing, where the attacker exploits a standard routing behavior that prioritizes routing to the smallest network. SNS Behavior: Through its IPS mechanism and address spoofing detection, SNS offers an adequate countermeasure to detect and block this type of attack. These mechanisms are enabled by default and are detailed here: Stormshield Documentation. Attack Execution: As indicated in the SSTIC 2024 presentation, On SNS it is imperative to disable the IPS and anti-spoofing protections of SNS, which are enabled by default, to carry out this attack. However, in the default configuration, SNS, with its anti-spoofing protections, will detect the use of an IP that does not belong to this interface and will block the packet by raising an IP spoofing alarm (Type 2), resulting in the disconnection of the connection and preventing the attacker from reaching the server. Conclusion: SNS is not vulnerable in standard usage scenarios. |
No version is impacted |
Workaround solution |
Solution |
|
N/A |
Use the recommended configuration available here Stormshield Documentation. |
| Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability impact |
|---|---|---|---|---|---|---|---|
| Adjacent Network | Low | None | None | Changed | None | None | None |
| CVSS Base score: 0 | CVSS Vector: (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N) |
| Exploit Code Maturity | Remediation Level | Report Confidence |
|---|---|---|
| Proof of concept code | Official fix | Reasonable |
| CVSS Temporal score: 0 | CVSS Vector: (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N/E:P/RL:O/RC:R) |
| Confidentiality Requirement | Integrity Requirement | Availability Requirement |
|---|---|---|
| Low | Low | Low |
| CVSS Environmental score: 0 | CVSS Vector: (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N/E:P/RL:O/RC:R/CR:L/IR:L/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X) |
Acknowledgements
Thanks to Olivier Bal-Pétré for this report