Who Left the Tunnel Door Open (in Windows Firewall for Vista)? 

Jul 10, 2007 03:00 AM

Symantec Security Advisory SYMSA-2007-005 [1] is now available. It covers a Teredo-related vulnerability in the Vista version of Windows Firewall (BID 24779, CVE-2007-3038). (To be clear, this vulnerability is not connected to any of the nine Vista issues I discussed in my last blog [2].)

Last fall, when Ollie Whitehouse [3] was analyzing which TCP ports were open over a Teredo interface on a freshly installed Windows Vista RC2, he discovered that port 5357 was open over Teredo. We thought this odd, since there is no functional reason for this port, which corresponds to Web Services on Devices (WSD) [4], to be remotely accessible. When the release version of Vista became available, we verified that the port was still open. (Details on this testing appear later in this blog.)

Cross-referencing this with a study we had done of Windows Firewall [5], we realized that, according to the firewall rules, this port should not have been exposed. There was an active firewall rule ("Network Discovery (WSD Events-In)") that covered TCP 5357, but it was supposed to be limited to cases where "remote address" = "local subnet". Certainly, nothing that arrives over the Teredo interface should be considered locally originated: the peer is an arbitrary IPv6 host on the Internet, reached through a UDP tunnel, not a neighbor on the LAN.

Teredo is supposed to present an empty attack surface, except where firewall rules have been specially configured to open something. The implementation, however, was flawed: it seems that any port exposed to the local network was also exposed over Teredo. We initially included this finding in the Windows Vista Network Attack Surface Analysis [6] (the edition that covers the release version of Vista) but retracted it prior to publication once the issue was determined to be a firewall logic flaw and not merely an exposed network service.

It is important to note that the degree of exposure depends on the current Windows Firewall configuration. Out of the box, with the network profile set to Private ("home" or "work"), just this one TCP port was open. If file sharing or other features are turned on, the exposure increases, because every rule scoped to the local subnet is affected, not just this one. Disabling Teredo (which I recommend; see [7] and [8]) mitigates this vulnerability.
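To make the scope distinction concrete, here is a small model, added for this post, of how a rule scoped to "LocalSubnet" should be evaluated against a peer whose packets arrived over a Teredo adapter. It is not Windows Firewall code, and the post does not detail Microsoft's root cause; the interface names, prefixes and the `treat_tunnels_as_local` switch are assumptions. The switch reproduces the symptom described above (a local-subnet rule matching a Teredo peer) by letting the tunnel adapter's 2001:0::/32 prefix count as a local subnet; the correct evaluation never does.

```python
import ipaddress
from dataclasses import dataclass

# Every Teredo address falls under this prefix (RFC 4380).
TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")


@dataclass(frozen=True)
class Interface:
    name: str
    prefixes: tuple       # on-link networks configured on the adapter
    tunnel: bool = False  # tunnel adapters relay traffic from anywhere on the Internet


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str
    port: int
    remote_scope: str     # "Any" or "LocalSubnet", as in the Windows Firewall UI


# Constructed sample host (assumption): one LAN adapter plus a qualified Teredo adapter.
HOST_INTERFACES = (
    Interface("Local Area Connection",
              (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("fe80::/64"))),
    Interface("Teredo Tunneling Pseudo-Interface", (TEREDO_PREFIX,), tunnel=True),
)

# The rule named in the post, scoped the way the post describes.
WSD_EVENTS_IN = Rule("Network Discovery (WSD Events-In)", "TCP", 5357, "LocalSubnet")


def local_subnet_prefixes(interfaces, treat_tunnels_as_local=False):
    """Networks that count as the host's 'local subnet'.

    treat_tunnels_as_local=True is the hypothetical flawed variant: the tunnel
    adapter's 2001:0::/32 then counts as a local subnet, so every Teredo peer on
    the Internet matches a LocalSubnet-scoped rule. The correct variant excludes it.
    """
    return [prefix for iface in interfaces
            if treat_tunnels_as_local or not iface.tunnel
            for prefix in iface.prefixes]


def is_teredo_peer(addr):
    """True if the remote address is a Teredo address, i.e. the packet came
    through the tunnel and was never on a wire this host shares."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 6 and ip in TEREDO_PREFIX


def rule_admits(rule, protocol, port, remote_addr, interfaces=HOST_INTERFACES,
                treat_tunnels_as_local=False):
    """Decide whether `rule` lets a connection from remote_addr reach protocol/port."""
    if (protocol, port) != (rule.protocol, rule.port):
        return False
    if rule.remote_scope == "Any":
        return True
    remote = ipaddress.ip_address(remote_addr)
    # A v4 address is never 'in' a v6 network (and vice versa); that comparison is False.
    return any(remote in prefix
               for prefix in local_subnet_prefixes(interfaces, treat_tunnels_as_local))


if __name__ == "__main__":
    lan_peer = "192.168.1.50"
    teredo_peer = "2001:0:4136:e378:8000:63bf:3fff:fdd2"  # constructed Teredo address
    for peer in (lan_peer, teredo_peer):
        print(f"{peer:40} teredo={is_teredo_peer(peer)!s:5} "
              f"correct={rule_admits(WSD_EVENTS_IN, 'TCP', 5357, peer)!s:5} "
              f"flawed={rule_admits(WSD_EVENTS_IN, 'TCP', 5357, peer, treat_tunnels_as_local=True)}")
```

The check a practitioner wants from this model is `is_teredo_peer()`: a source address under 2001:0::/32 cannot be on any subnet the host shares, so a "local subnet" rule must reject it regardless of which adapter the firewall believes the packet came in on.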

In the spirit of responsible vulnerability disclosure (see [9]), we withheld mention of this vulnerability from the paper. However, we can discuss it now that Microsoft has released a patch [10]. You can consider this blog to be the missing part of that paper.

To find remotely accessible TCP ports over Teredo, we configured a Linux 2.6 host with an IPv6 Internet connection provided by British Telecom's IPv6 tunnel broker service. Using an RC2 build of Vista as the target and Nmap v4.20alpha6 on the Linux host, we conducted a full TCP connect port scan against the Vista host's Teredo address:

[Figure: Nmap TCP connect scan output against the Vista Teredo address (nmap_sm.jpg)]

Thus, most ports were filtered, but TCP port 5357 was open. We found that ICMP echo requests are ignored by default, which is consistent with local-network behavior. We retested port 5357's remote accessibility via a Teredo address using the release build of Vista, this time with an IPv6-capable version of netcat; the results are shown here:

[Figure: netcat (nc6) connection to TCP port 5357 over the Teredo address (nc6_sm.jpg)]


On a given Vista host, this port would, of course, only be open via Teredo if Teredo were currently qualified (set up) on the host. (A Teredo client is qualified once it has completed its initial exchange with a Teredo server, determined its NAT type and obtained a Teredo address.) However, given that Teredo is enabled by default in Vista, this may not be an unusual state for a Vista host (see [2] and [6]). Furthermore, it may not be difficult to induce this state.

Thus, there may be quite a bit of exposure here. If a remote attacker knows or can guess a Vista Teredo host's address, he or she can typically establish a connection to port 5357 (WSD) on the host (unless some network-based control prevents it). The layers involved in a connection to this port are IPv4, UDP, IPv6, TCP, and WSD, so a vulnerability in any of these could typically be reached by a remote attacker. In addition, by scanning TCP port 5357 across all possible Teredo addresses, one can find Vista hosts running Windows Firewall. (Such a scan could be optimized for the most likely addresses to be used; see [11].)
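The address guessing mentioned above works because a Teredo address is not random: RFC 4380 packs the Teredo server's IPv4 address, a 16-bit flags field (cone bit), and the client's NAT-mapped UDP port and public IPv4 address (both XORed with all-ones) into the 96 bits behind 2001:0::/32. The following Python, added here and not part of the original post, decodes and re-encodes those fields and enumerates the candidate addresses for a target whose Teredo server and public IPv4 are known. The sample address is constructed; the plain RFC 4380 layout is assumed, and clients that randomize the reserved flag bits (RFC 5991) enlarge the search space beyond what `candidate_addresses()` shows.

```python
import ipaddress
from typing import Iterator, NamedTuple

TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")
CONE_FLAG = 0x8000  # high bit of the 16-bit flags field (RFC 4380)


class TeredoAddress(NamedTuple):
    server: ipaddress.IPv4Address     # Teredo server the client qualified with
    flags: int                        # 16-bit flags field; cone bit is 0x8000
    client_port: int                  # client's external UDP port as seen by the server
    client_ip: ipaddress.IPv4Address  # client's external (NAT public) IPv4 address

    @property
    def cone(self) -> bool:
        return bool(self.flags & CONE_FLAG)


def decode_teredo(addr: str) -> TeredoAddress:
    """Split a Teredo IPv6 address into the fields RFC 4380 embeds in it.

    Port and client IPv4 are stored XORed with all-ones so that NATs which
    rewrite their own address inside payloads do not corrupt them.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    b = ip.packed  # 16 bytes: prefix(4) server(4) flags(2) ~port(2) ~client(4)
    return TeredoAddress(
        server=ipaddress.IPv4Address(b[4:8]),
        flags=int.from_bytes(b[8:10], "big"),
        client_port=int.from_bytes(b[10:12], "big") ^ 0xFFFF,
        client_ip=ipaddress.IPv4Address(int.from_bytes(b[12:16], "big") ^ 0xFFFFFFFF),
    )


def encode_teredo(server, flags, client_port, client_ip) -> ipaddress.IPv6Address:
    """Inverse of decode_teredo: the address a client with these parameters receives."""
    packed = (TEREDO_PREFIX.network_address.packed[:4]
              + ipaddress.IPv4Address(server).packed
              + (flags & 0xFFFF).to_bytes(2, "big")
              + (client_port ^ 0xFFFF).to_bytes(2, "big")
              + (int(ipaddress.IPv4Address(client_ip)) ^ 0xFFFFFFFF).to_bytes(4, "big"))
    return ipaddress.IPv6Address(packed)


def candidate_addresses(server, client_ip,
                        ports=range(1024, 65536)) -> Iterator[ipaddress.IPv6Address]:
    """Addresses a host behind public IPv4 `client_ip`, qualified with `server`, could hold.

    With server and public IPv4 known, only the NAT-mapped UDP port and the cone
    bit remain unknown: at most 2 * 65536 targets instead of a 2^96 address space.
    """
    for flags in (0, CONE_FLAG):
        for port in ports:
            yield encode_teredo(server, flags, port, client_ip)


def candidate_count(ports=range(1024, 65536)) -> int:
    """Size of the search space candidate_addresses() enumerates."""
    return 2 * len(ports)


if __name__ == "__main__":
    sample = "2001:0:4136:e378:8000:63bf:3fff:fdd2"  # constructed Teredo address
    t = decode_teredo(sample)
    print(f"server={t.server} cone={t.cone} port={t.client_port} client={t.client_ip}")
    print(f"round trip ok: {encode_teredo(t.server, t.flags, t.client_port, t.client_ip) == ipaddress.IPv6Address(sample)}")
    print(f"targets for one (server, public IPv4) pair: {candidate_count()}")
```

Writing the output of `candidate_addresses()` one address per line and feeding it to `nmap -6 -sT -p 5357 -iL targets.txt` reproduces the port-5357 probe described above against every plausible address of one host; the same decoder, run the other way on observed source addresses, tells a defender which Teredo server and public IPv4 a connecting peer came from.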

I hope to see you at BlackHat August 1-2.

Further reading:
[1] SYMSA-2007-005
[2] Blog: Microsoft's Inaccurate Teredo Documentation, and Other Vista CVEs
[3] Ollie Whitehouse's section on this blog
[4] Microsoft: Web Services on Devices
[5] Blog: Windows Vista Network Attack Surface Analysis: An Update
[6] Report: Windows Vista Network Attack Surface Analysis
[7] Blog: The Teredo Protocol: Tunneling Past Network Security and Other Security Implications
[8] draft-hoagland-v6ops-teredosecconcerns-00 (work in progress)
[9] Symantec Vulnerability Research site (links to Symantec's Responsible Disclosure Policy)
[10] Microsoft bulletin MS07-038
[11] Report: The Teredo Protocol: Tunneling Past Network Security and Other Security Implications
