
I'm having a bit of a problem getting my head round what this vulnerability means, can someone help me understand this?

I'm particularly puzzled by the RESULTS section. Why would source port 25 be any different from a random source port? They're both originating from the outside world.

Vulnerability:
TCP Source Port Pass Firewall

THREAT:
Your firewall policy seems to let TCP packets with a specific source port pass through.

IMPACT:
Some types of requests can pass through the firewall. The port number listed in the results section of this vulnerability report is the source port that unauthorized users can use to bypass your firewall.

SOLUTION:
Make sure that all your filtering rules are correct and strict enough. If the firewall intends to deny TCP connections to a specific port, it should be configured to block all TCP SYN packets going to this port, regardless of the source port.

COMPLIANCE:
Not Applicable

RESULTS:
The host responded 4 times to 4 TCP SYN probes sent to destination port 22 using source port 25. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port.

Kev

2 Answers


When a client connects to a server, the client picks a free TCP port it has between 1024 and 65535. On Linux/Unix, a non-root user can't pick a port < 1024. Then it connects to a well-known port, like 80 for HTTP...

The report claims that it can reach the destination port if the source port is specific (22 and 25 in your sample), but it can't if it uses a random port (between 1024 and 65535, for example). Clients normally use a random port, so your rule shouldn't take the source port number into account.

So one of your rules is bad, because it allows flows if the source port is specific, whereas it should only filter on the destination port, which is the only static part between the two.

I guess you mis-created one of your rules by inadvertently exchanging the source and destination values.

Mathieu Chateau
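As an added illustration (not code from the question, the scanner, or either answer), the following Python models a stateless inbound packet filter and replays the probe pattern from the RESULTS section against two rule sets: one with the swapped source/destination mistake described in the answer above, and the corrected version that filters on destination port only. The `Packet` and `Rule` classes, the rule syntax, the two rule sets and the `audit_rules` check are all assumptions constructed for this demonstration; they are not any real firewall's configuration format.

```python
"""Model of a stateless inbound packet filter, showing why a rule that
keys on the TCP *source* port lets a scanner's SYN probes through.

Constructed example: the classes, the rule syntax and the sample rule
sets below are assumptions made for this illustration only.
"""
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    sport: int          # source port (chosen by the client)
    dport: int          # destination port (the service being reached)
    syn: bool = True    # TCP SYN flag: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    proto: str = "any"
    sport: Optional[int] = None   # None = match any source port
    dport: Optional[int] = None   # None = match any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins, as in a typical firewall chain;
    anything unmatched falls through to the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The admin meant "accept TCP to our SMTP listener (dport 25)" but wrote
# the port in the source field. Every inbound SYN with sport 25 now passes,
# whatever destination port it is aimed at.
MISCONFIGURED = [
    Rule("accept", "tcp", sport=25),        # swapped src/dst: the bug
    Rule("accept", "tcp", dport=80),
    Rule("accept", "tcp", dport=443),
]

# Same intent, expressed on the destination port, which is the only part
# of the 5-tuple the server side controls.
CORRECTED = [
    Rule("accept", "tcp", dport=25),
    Rule("accept", "tcp", dport=80),
    Rule("accept", "tcp", dport=443),
]


def simulate_scan(rules: List[Rule], dport: int, sport: Optional[int] = None,
                  probes: int = 4, seed: int = 1) -> int:
    """Replay the scanner's test: send `probes` SYNs to `dport`, either
    from a fixed `sport` or from a fresh ephemeral port each time.
    Returns how many probes the filter let through, i.e. how many the
    host behind it would answer (with SYN-ACK or RST)."""
    rng = random.Random(seed)
    answered = 0
    for _ in range(probes):
        sp = sport if sport is not None else rng.randint(1024, 65535)
        if evaluate(rules, Packet("tcp", sp, dport)) == "accept":
            answered += 1
    return answered


def audit_rules(rules: List[Rule]) -> List[Rule]:
    """Flag accept rules on an inbound chain that key on a source port
    without also constraining the destination port. That is the shape
    of rule the 'TCP Source Port Pass Firewall' finding points at."""
    return [r for r in rules
            if r.action == "accept" and r.sport is not None and r.dport is None]


if __name__ == "__main__":
    for name, rules in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        fixed = simulate_scan(rules, dport=22, sport=25)
        rand = simulate_scan(rules, dport=22)
        print(f"{name}: dport 22 answered {fixed}/4 with sport 25, "
              f"{rand}/4 with random sport; suspicious rules: {audit_rules(rules)}")
```

Run stand-alone, the misconfigured set reproduces the report exactly (4 of 4 answered from source port 25, 0 of 4 from a random source port) while the corrected set answers none on port 22, and `audit_rules` is the check to run over an exported rule set before the scanner does it for you.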

I had this show up on a vulnerability scan as well, but for UDP port 53. In my case I think the reason this showed up is that we create our firewall policy rules to allow a specific src IP address over any port to connect to a dest IP and dest port. In front of our firewall we have our internet router, on which we run an ACL. We allow ports like 80, 443, 21, 22, etc. to any, since our firewall handles the rules for these ports for our DMZ servers, and you can't filter by IP if you allow everyone to your website. So the ACL blocks the high-number requests but allows ports like 80, 443, 22, etc., since the ACL allows those in. The firewall then resets the packet, so the scanner sees that as a closed port.

Billy