UDP State Manipulation: Description of a Packet Filtering Vulnerability in Stateful Firewalls

Firewalls are essential components for security enforcement in a network, as they are the first layer of protection from unwanted traffic and cyber-attacks. While the requirements for efficiency led to the design of ever more complex systems, evolving from stateless to stateful firewalls, this complexity induced new vulnerabilities. In this paper, we discuss a new vulnerability present in Packet Filtering that we called Vulnerability on Firewall States (Von-FS). It is due to three factors: 1) once a state is up, traffic going through it is not checked anymore, 2) a state timeout is refreshed when a packet matches it, and 3) pushing a blocking/dropping rule in the firewall does not automatically delete obsolete states. This vulnerability can be used by legacy attacks to be more stealthy and more difficult to stop when detected. Our study shows that many commercial and open-source firewalls are subject to this vulnerability. We propose a mitigation solution that consists of deleting all obsolete states whenever a dropping rule is pushed. We evaluated this idea by patching a well-known open-source firewall, FreeBSD. Experiments show that the impact on firewall performance is very low.