August 2015


Unified threat management (UTM) refers to when multiple security features or services are combined into a single device within your network. Using UTM, your network’s users are protected with several different features, including antivirus, content filtering, email and web filtering, anti-spam, and more.

Please note that republishing this article in full or in part is only allowed under the conditions described here.


This article describes several ways of employing uncommon or invalid HTTP responses to transport malware from server to client without being detected by Sophos UTM Web Protection. All of these bypasses were reported to Sophos and most of them are fixed by now.

What is Sophos UTM Web Protection

Sophos UTM is a firewall with deep inspection capabilities, i.e. not a simple packet filter. Formerly called IPS or Secure Gateway, this class of firewalls is now mostly advertised as Unified Threat Management (UTM) or Next Generation Firewall (NGFW).

According to their product page Sophos sees its UTM and Next-Gen Firewall as 'The Ultimate Security Package' and sees itself as an 'Industry leader' because of reports by Gartner and because 'Sophos SG Series was named Best UTM Solution at the SC Awards 2015.'


Web traffic is handled by Sophos UTM at the application layer by a proxy, which allows deeper inspection and also modification of the content.

From the product description of Sophos UTM Web Protection:

We block the latest web threats using advanced techniques like JavaScript emulation and Live Protection cloud lookups to detect malicious web code before it reaches the browser. It also prevents infected systems from calling home with sensitive data. Our engine inspects all HTTP, HTTPS and FTP traffic, including active content like Active X, Flash, cookies, VBScript, Java and JavaScript.


Unfortunately, in order to inspect the web code their engine must get reliable access to the content first. And while the trivial bypass by simply using the deflate compression was fixed in 12/2014, a closer look revealed more bypass vectors.

Bypass Using Double Compression


The first bypass was possible by using multiple compressions at the same time. This is the same attack I've already published in 07/2013, where I reported bypasses for several IDS and virustotal.com. And while Sophos UTM could not be bypassed if the first encoding was gzip, it could be bypassed when the first encoding was deflate like in


The issue was reported to Sophos on 2015/05/03 and was fixed with version 9.314-13 on 2015/07/31. Affected are all browsers which support multiple compressions, that is all modern browsers except Internet Explorer. From the announcement:

Unfortunately this short description does not tell the impact of the problem, i.e. the full bypass of protection. Nor does Sophos acknowledge that this bug report came from an external researcher (me).

Bypass Using Weird Content-Length

The Content-Length header gives the size of the content. By using a weird value for the Content-Length together with line folding another bypass was possible. To bypass the firewall with the EICAR test virus (68 bytes) the following response could be used:

Different variations of this bypass were possible.

The issue was reported to Sophos on 2015/05/13 and was fixed with version 9.314-13 on 2015/07/31. All modern browsers are affected. I did not find any issue in the change log pointing to this exact problem, but from the communication with Sophos I know that there was some code cleanup which probably fixed this issue too.


Bypass Using Invalid Headers


Browsers are way too tolerant when parsing HTTP. It looks like in the case of specifically broken responses Sophos UTM does not inspect the content but instead simply passes the broken response to the client. Such broken response headers might contain plain invalid header lines, fields which are not ASCII-only, or simple HTTP/0.9 responses which do not contain any headers. Example:

Or simply giving the HTTP version in lower case worked too:

All modern browsers are affected by this issue. It was reported to Sophos on 2015/06/25 and was partly fixed with version 9.314-13 on 2015/07/31. But this fix needs to be explicitly enabled by activating the option 'Block unscannable and encrypted files', because Sophos seems to fear that customers run into compatibility issues with broken websites. They are probably right in that customers will notice if a web site gets broken by the firewall but will not notice if a malicious website simply bypasses the firewall. Too bad, since a firewall should protect against the latter one :(



There is no specific issue in the change log about the bug, its impact, and the fact that it is not fixed in the default settings. Also, the issue is only partly fixed since some bypasses still work (for more information try my test tool described below).
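The three classes of responses described above (stacked Content-Encodings in the double-compression section, the folded Content-Length, and the invalid header lines, lowercase HTTP version and HTTP/0.9 responses of this section) share one root cause: the scanner must either fully normalize a response or refuse to forward it, and never hand the browser something it could not interpret itself. The following Python is an added example written for this page, not code from the article or from Sophos. It assumes nothing about the UTM internals: TEST_MARKER is a constructed stand-in for a scanner signature, build_response is a constructed server, and proxy_decision models the behaviour of the 'Block unscannable and encrypted files' option as the text describes it.

```python
"""Strict HTTP response handling for an inspecting proxy: parse strictly, undo every
Content-Encoding, scan the plaintext; anything that fails is 'unscannable'."""
import gzip
import re
import zlib

TEST_MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a scanner signature
# Uppercase HTTP/1.x, three-digit code, printable reason phrase; nothing else passes.
STATUS_LINE = re.compile(rb"HTTP/1\.[01] [1-5][0-9]{2} [\t\x20-\x7e]*\Z")
# RFC 7230 token name, colon, printable ASCII value: no CR/LF and no high bytes.
HEADER_LINE = re.compile(rb"([!#$%&'*+.^_`|~0-9A-Za-z-]+):[\t ]*([\t\x20-\x7e]*?)[\t ]*\Z")


class Unscannable(Exception):
    """The response cannot be parsed or decoded with confidence."""


def parse_response(raw):
    """Return (status_line, [(name, value), ...], body); reject HTTP/0.9 (no status
    line), lowercase 'http/', obsolete line folding and malformed header lines."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise Unscannable("no end of headers")
    lines = head.split(b"\r\n")
    if not STATUS_LINE.match(lines[0]):
        raise Unscannable("bad status line %r" % lines[0][:40])
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise Unscannable("obsolete line folding")
        m = HEADER_LINE.match(line)
        if not m:
            raise Unscannable("bad header line %r" % line[:40])
        headers.append((m.group(1).lower(), m.group(2)))
    return lines[0], headers, body


def check_content_length(headers, body):
    """Content-Length must be a single numeric value that matches the body."""
    values = {v for n, v in headers if n == b"content-length"}
    if len(values) > 1 or any(not re.fullmatch(rb"[0-9]+", v) for v in values):
        raise Unscannable("conflicting or non-numeric Content-Length")
    if values and int(values.pop()) != len(body):
        raise Unscannable("Content-Length does not match body")


def decode_body(headers, body):
    """Undo every Content-Encoding, last applied first, so the scanner sees plaintext."""
    codings = [c.strip().lower() for n, v in headers if n == b"content-encoding"
               for c in v.split(b",") if c.strip()]
    try:
        for coding in reversed(codings):
            if coding in (b"gzip", b"x-gzip"):
                body = gzip.decompress(body)
            elif coding == b"deflate":
                try:
                    body = zlib.decompress(body)  # zlib-wrapped deflate (RFC 1950)
                except zlib.error:
                    body = zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate (RFC 1951)
            elif coding != b"identity":
                raise Unscannable("unknown Content-Encoding %r" % coding)
    except (OSError, EOFError, zlib.error) as exc:
        raise Unscannable("corrupt encoded body: %s" % exc)
    return body


def inspect_response(raw):
    """Return 'clean', 'blocked' or 'unscannable' for one raw HTTP response."""
    try:
        _, headers, body = parse_response(raw)
        check_content_length(headers, body)
        plain = decode_body(headers, body)
    except Unscannable:
        return "unscannable"
    return "blocked" if TEST_MARKER in plain else "clean"


def proxy_decision(verdict, block_unscannable):
    """Without the block option an unscannable response reaches the browser untouched."""
    if verdict == "clean":
        return "pass"
    return "block" if verdict == "blocked" or block_unscannable else "pass"


def build_response(body, encodings=()):
    """Constructed sample response: apply the encodings in order and advertise them."""
    for coding in encodings:
        body = gzip.compress(body) if coding == "gzip" else zlib.compress(body)
    head = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n" % len(body)
    if encodings:
        head += b"Content-Encoding: " + ", ".join(encodings).encode() + b"\r\n"
    return head + b"\r\n" + body


if __name__ == "__main__":  # constructed inputs for this example
    for raw in (build_response(TEST_MARKER, ("deflate", "gzip")), b"http/1.1 200 OK\r\n\r\nhi"):
        v = inspect_response(raw)
        print(v, "default:", proxy_decision(v, False), "strict:", proxy_decision(v, True))
```

Two design points matter here. Stacked encodings are peeled in reverse order of the Content-Encoding list and the scanner only ever sees the fully decoded body, which is the part the double-compression bypass relied on being skipped. Everything the parser cannot interpret with confidence (folded or non-ASCII headers, a lowercase version, a headerless HTTP/0.9 body, a Content-Length that disagrees with the body) ends up as 'unscannable'; with the second argument of proxy_decision set to False every such verdict turns into a pass, which is exactly the default behaviour the text above complains about. Rejecting obsolete line folding outright is one of the two choices RFC 7230 gives a proxy, and it is the safer one for an inspecting device.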

Acknowledgments and Further Reads

Even though Sophos did not publicly acknowledge me for the bug reports and even though they did not manage to fix everything, I still like to thank them for their courage to offer a version of their UTM for home use and for being open to bug reports from outside.

And while these kinds of bypasses can be trivially executed by an attacker, one should be aware that firewalls from other vendors are not necessarily better in protecting the client. I'm currently investigating reports that some highly praised Next Generation Firewalls by other vendors can be bypassed with similar techniques.


Thus if you are behind a firewall and are not yet fully lulled by the advertisements of your vendor, you might want to check out by yourself how resistant your firewall is against these kinds of attacks. This check might be as simple as pointing your browser to my test site and running the 'Bulk test firewall evasion with EICAR test virus' there. This test tries to download the harmless EICAR test virus, which should be detected by every virus scanner. But even though no harm will be done to your computer by running these tests, some firewall vendors still consider this test site malicious, maybe because it shows that their own products can be bypassed. In this case you might set up your own server by using the publicly available code.


Information about other kinds of bypasses at the application level can be found at my page about employing the semantic gap for bypasses.