This advisory describes the TCP Reflected Amplification vulnerability (CVE-2021-41530) and its potential effect on Forcepoint products.
Published Date: September 27, 2021
Last Update: n/a
KBA Status: Published
KBA Severity: High
CVE Number(s):
CVE-2021-41530
KBA Summary
The Forcepoint Product Security Team (PST) is investigating the following security vulnerability and its impact on Forcepoint products. This article will be updated after assessments and fixes are completed, if applicable.
A TCP SYN packet that carries an application payload can be used to trigger an application-layer response from a middlebox (the NGFW). The response is sent to the packet's source address, which may be spoofed. This enables a reflected amplification attack. The amplification factor depends on the configuration, but can be estimated to be at least 100 times the size of the original request.
Forcepoint products are affected as follows:
NGFW Engine versions 6.5.11 and earlier, 6.8.6 and earlier, and 6.10.0 are all vulnerable, if HTTP User Response has been configured.
When the NGFW Engine is configured to block one or more URLs with User Response, the engine does not allow HTTP connections to those URLs, but sends a static HTML page back to the client instead. A vulnerable version of NGFW Engine sends this HTML response even without completing the full TCP three-way handshake, if the URL request payload is included in the initial TCP SYN packet. Alternatively, the attacker may send a TCP SYN packet immediately followed by a PSH+ACK packet containing the HTTP request, without waiting for the server's SYN+ACK. This variant may cause the firewall to behave as though it had merely missed the server's SYN+ACK packet.
Because the HTML response is typically much larger than the client request, a vulnerable NGFW Engine amplifies a flood of such requests and reflects it to the possibly spoofed source address.
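The two request shapes described above, and the size ratio that turns the reflected block page into an amplifier, as an added illustration that is not part of this advisory and not Forcepoint code. The minimal TCP segment builder, the handshake tracker, the port numbers and the sample HTTP request and block page are all constructed here; a defender could run the same state logic over captured traffic to spot clients that push HTTP data before a handshake has completed.

```python
"""Flag TCP flows that carry HTTP data before the three-way handshake has
completed, and estimate the amplification factor of the reflected response.
Added example: the segment builder, flow tracker and sample data below are
constructed for this illustration, not taken from any product."""
import struct

TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10

# Constructed sample request and a constructed static block page; the real
# User Response page is configured per deployment and is not reproduced here.
SAMPLE_REQUEST = b"GET /blocked HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_BLOCK_PAGE = (
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>Access denied</h1>"
    + b"<p>This URL is blocked by policy.</p>" * 120
    + b"</body></html>"
)


def build_tcp_segment(sport, dport, seq, ack, flags, payload=b""):
    """Minimal 20-byte TCP header with no options. The checksum is left at 0
    because these segments are only inspected in memory, never sent."""
    data_offset_flags = (5 << 12) | flags          # header length 5 words
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         data_offset_flags, 65535, 0, 0)
    return header + payload


def parse_tcp_segment(segment):
    """Return the fields the tracker needs: ports, flags and the payload."""
    sport, dport, seq, ack, off_flags, _win, _cksum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF, "payload": segment[header_len:]}


class HandshakeTracker:
    """Per-flow handshake state machine. Flows are keyed by
    (client_port, server_port); the caller states the direction because
    these sample segments carry no IP header."""

    def __init__(self):
        self.state = {}      # key -> "syn_seen" | "synack_seen" | "established"
        self.alerts = []     # (key, reason) for each suspicious segment

    def observe(self, segment, from_client):
        seg = parse_tcp_segment(segment)
        key = ((seg["sport"], seg["dport"]) if from_client
               else (seg["dport"], seg["sport"]))
        flags, payload = seg["flags"], seg["payload"]
        state = self.state.get(key)
        if from_client and flags & TCP_SYN and not flags & TCP_ACK:
            # Variant 1 from the advisory: the SYN itself carries the request.
            self.state[key] = "syn_seen"
            if payload:
                self.alerts.append((key, "SYN carries application payload"))
        elif not from_client and flags & TCP_SYN and flags & TCP_ACK:
            if state == "syn_seen":
                self.state[key] = "synack_seen"
        elif from_client and flags & TCP_ACK:
            if state == "synack_seen":
                self.state[key] = "established"   # third ACK may carry data
            if payload and self.state.get(key) != "established":
                # Variant 2: PSH+ACK with the request right after the SYN,
                # with no SYN+ACK from the server ever observed.
                self.alerts.append((key, "client data before handshake completed"))


def amplification_factor(request, response):
    """Bytes reflected per byte sent by the (possibly spoofed) client."""
    return len(response) / len(request)


def scenario_syn_with_payload(request):
    t = HandshakeTracker()
    t.observe(build_tcp_segment(40000, 80, 1000, 0, TCP_SYN, request), True)
    return t.alerts


def scenario_syn_then_push(request):
    t = HandshakeTracker()
    t.observe(build_tcp_segment(40001, 80, 2000, 0, TCP_SYN), True)
    # No SYN+ACK is waited for; the request follows immediately.
    t.observe(build_tcp_segment(40001, 80, 2001, 1, TCP_PSH | TCP_ACK, request), True)
    return t.alerts


def scenario_normal_handshake(request):
    t = HandshakeTracker()
    t.observe(build_tcp_segment(40002, 80, 3000, 0, TCP_SYN), True)
    t.observe(build_tcp_segment(80, 40002, 7000, 3001, TCP_SYN | TCP_ACK), False)
    t.observe(build_tcp_segment(40002, 80, 3001, 7001, TCP_ACK), True)
    t.observe(build_tcp_segment(40002, 80, 3001, 7001, TCP_PSH | TCP_ACK, request), True)
    return t.alerts


if __name__ == "__main__":
    print("SYN+payload:", scenario_syn_with_payload(SAMPLE_REQUEST))
    print("SYN then PSH+ACK:", scenario_syn_then_push(SAMPLE_REQUEST))
    print("normal handshake:", scenario_normal_handshake(SAMPLE_REQUEST))
    print("amplification: %.1fx" % amplification_factor(SAMPLE_REQUEST, SAMPLE_BLOCK_PAGE))
```

The tracker deliberately does not alert on data carried in the third ACK of a normal handshake, which TCP permits; only data that arrives while no SYN+ACK has been observed for the flow is flagged. The sample block page is sized so that the ratio lands around 100x, matching the advisory's estimate, but the true factor depends on the configured User Response page.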
The NGFW Engine's automatic anti-spoofing feature limits the scope of the attack, because packets whose source address does not belong to the networks behind the receiving interface are dropped. For the attack to be effective from an untrusted network (the Internet), the firewall would need to be configured to send HTTP User Responses for requests coming from the Internet. This is not a typical use case and is therefore expected to be a rarely seen configuration.
Workarounds
There are no workarounds at this time.
Hotfix and information about other fixes
This vulnerability is resolved in NGFW Engine versions 6.5.12, 6.8.7, 6.10.1, and later. Customers are strongly encouraged to upgrade.