Windows Vista, the operating system’s built in firewall and the Teredo protocol are the right receipt to allow an attacker to peep into the affected host. The vulnerability was initially discovered by security company Symantec, and reported to Microsoft privately. At the core of the security flaw is the incorrect management of the filtering associated with the Teredo interface from the Windows Firewall in Windows Vista. Microsoft has confirmed the existence of the vulnerability, and as of July 10, 2007, it patched the security hole labeled with
a severity rating of moderate, via the Security Bulletin MS07-038. Although the flaw is synonymous with a
risk of information disclosure, Windows Vista users should apply the available patch immediately.
“Due to an implementation issue, the Windows Firewall does not apply firewall rules correctly on the Teredo Interface. This allows a level of remote access to TCP and UDP ports and services that exceeds what Microsoft expected and what an administrator would expect. By design, Windows Firewall is supposed to block all access to ports on the Teredo interface, except for cases where access-though-Teredo is specifically requested (through the “Edge Traversal” flag in the firewall rule being set). However, due to a logic bug, it does not apply this restriction. Instead, any port that is accessible on the local network is also accessible from any host on the Internet over the Teredo interface, even if the firewall rule specifies “remote address=local subnet”,” revealed Jim Hoagland and Ollie Whitehouse, security experts with Symantec.
Essentially, the vulnerability allows an attacker to bypass firewall rules, by directing unsolicited network traffic through the Teredo interface and access in this manner the network interface and information related to the impacted host. “If a remote attacker knows or can guess a Vista Teredo host’s address, he or she can typically establish a connection to port 5357 (WSD) on the host (unless some network based control prevents it). The layers involved in the connection to this port are IPv4, UDP, IPv6, TCP, and WSD. Thus if a vulnerability exists in any of these, a remote attacker would typically be able to try it. In addition, by scanning TCP port 5357, of all possible Teredo addresses, one can find Vista hosts running Windows Firewall,” Hoagland added.
Microsoft, Windows Vista, Vista Firewall, Firewall, Symantec, Terodo