| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 08 Jun 2004 23:43:55 -0400 From: Dev Null <devnull@....net> To: <bugtraq@...urityfocus.com> Subject: Potential Security Flaw in Symantec Gateway Security 360R I think we have discovered a possible security flaw in the wireless security routines for the SGS 360R. While configuring Secure WLAN settings in the 360R we have discovered that the "Enforce VPN Tunnels/Disallow IPSec pass thru" and "Enforce VPN Tunnels/Allow IPSec pass thru" setting in both 2.1 build 300 and build 415 firmware do not appear to actually prohibit non-VPNed wireless connections from reaching the internal LAN. According the documentation when using either of the "Enforce VPN Tunnel" modes, only DNS, DHCP, and ARP traffic are allowed to reach (we believe this also include ICMP, but its not documented) the internal network without being encrypted by the VPN. We have been able to send a wide variety of TCP/IP traffic (including ODBC and HTTP) to the internal LAN over a connection that is suppose to allow only traffic traveling inside a VPN. We have confirmed this internally using a single SGS 360R with the Symantec Wireless Access Point card and two Win2K laptops with WPC45G Linksys WiFi cards. This occurs whether or not WEP is being used. Has anyone experienced this problem? Can anyone reproduce it? We have reported the problem to Symantec and they are investigating. thanks, DN
Powered by blists - more mailing lists