Possible security vulnerability in the pre-defined web browser rule

The pre-defined web browser rule set appears to let unauthorised traffic out to the Internet via the ‘Allow Outgoing FTP-PASV Requests’ individual rule, whereas a functionally equivalent rule blocks the same traffic.


The bug/issue

  1. What you did:

Attempted to investigate a scenario where unauthorised data is allowed to pass through a pre-defined rule, which should actively block said data.

  2. What actually happened or you actually saw:

IRC clients (only HydraIRC and Opera tested) were able to connect to an IRC server on TCP port 6667, facilitated by the ‘Allow Outgoing FTP-PASV Requests’ element of the pre-defined web browser rule, which is restricted to allowing TCP out on privileged ports only [0 to 1023].

  3. What you expected to happen or see:

I would have expected the pre-defined rule to block this flow of data.

  4. How you tried to fix it & what happened:

There is not a great deal I can do to ‘fix’ what is possibly a security issue; however, I performed some tests to try to ascertain whether the observed behaviour is a feature of the application or a potentially serious problem.

Please see this thread for more details: Firewall not working properly

Essentially:

  1. Apply the pre-defined web browser rule set to an IRC client and enable logging on the individual rules.

  2. Attempt to connect to an IRC server using any of the default IRC TCP ports (6667/6668/6669 etc.).

  3. Observe the connection being allowed and confirm by consulting the CIS firewall log entries.

  4. Ascertain that the ‘Allow Outgoing FTP-PASV Requests’ rule is the element allowing the connection by removing the other rules one by one.

  5. Remove the default pre-defined web browser rule, manually create a functional equivalent, and re-test.

  6. Data is not allowed through the rule.

  5. If it's an application compatibility problem, have you tried the application fixes here?:

N/A

  6. Details & exact version of any application (except CIS) involved, with download link:

5.4.189822.1355 - COMODO Internet Security 5.4.189822.1355 Released!

  7. Whether you can make the problem happen again, and if so exact steps to make it happen:

The process is always reproducible.

  8. Any other information (e.g. your guess regarding the cause, with reasons):

Logically, there appears to be a problem with the default pre-defined web browser rule set, as it’s allowing traffic that it is supposed to block, and that traffic is blocked by a manually created analogue.

Files appended. (Please zip unless screenshots).

Please see the thread mentioned above for further details.

Your set-up

  1. CIS version, AV database version & configuration used:

For the test:
CIS - 5.4.189822.1355 x86
AV - Not installed
D+ - Not installed during installation (permanently disabled is more accurate)
Firewall set to Custom Policy Mode
Alert Level set to Very High
IPv6 filtering unchecked
Create rules for safe applications unchecked
TVL database removed
All default firewall rules removed (limited rules for system and svchost created after reboot)
Configuration - Firewall Security (this is a firewall issue)

  2. a) Have you updated (without uninstall) from CIS 3 or 4:
     b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:

This is a fresh installation on a test PC, which also had a clean installation of Windows 7 Ultimate x86.

  3. a) Have you imported a config from a previous version of CIS:
     b) if so, have you tried a standard config (without losing settings - if not please do)?:

Nothing imported.

  4. Have you made any other major changes to the default config? (e.g. ticked ‘block all unknown requests’; other examples here.):

See above.

  5. Defense+, Sandbox, Firewall & AV security levels: D+= , Sandbox= , Firewall = , AV =

See above.

  6. OS version, service pack, number of bits, UAC setting, & account type:

Windows 7 Ultimate x86 - SP1 - UAC enabled with default settings. Two account types tested, an Administrative account and a standard user account.

  7. Other security and utility software installed:

No additional applications installed, just a default installation of Windows 7 and CIS. The Windows firewall was disabled by CIS.

  8. Virtual machine used (Please do NOT use VirtualBox):

Not used.
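The reproduction steps above (enable per-rule logging, connect to TCP 6667, pull rules one at a time until the verdict flips, then compare against a hand-built analogue) are a generic rule-attribution procedure, and the point they turn on is the actual destination-port range of the ‘Allow Outgoing FTP-PASV Requests’ rule versus the range one assumes it has. The Python below, an added example that is not part of the original post and not Comodo's code, models an ordered first-match rule set the way per-application rules in a CIS-style firewall are evaluated and automates that procedure. The rule definitions it uses are constructed assumptions: the page names only the FTP-PASV rule and the range the reporter believed it covers, so the other rule names, the port ranges, and the log line format are illustrative, and the `Flow`, `Rule`, `evaluate`, `permitting_rule` and `wide_rules` names are mine.

```python
"""Ordered, first-match firewall rule evaluation plus the diagnostic from the
report: find which individual rule permits a flow by removing rules one at a
time, then compare a pre-defined set against a manual analogue.

Added example, not the original post's or Comodo's code.  All rule contents
below are constructed assumptions; the real CIS rule set is not on the page.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    direction: str  # "out" or "in"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "block"
    proto: str = "any"
    direction: str = "any"
    dst_ports: Tuple[int, int] = (0, 65535)   # inclusive destination range
    log: bool = True

    def matches(self, f: Flow) -> bool:
        lo, hi = self.dst_ports
        return (self.proto in ("any", f.proto)
                and self.direction in ("any", f.direction)
                and lo <= f.dst_port <= hi)


def evaluate(rules: List[Rule], f: Flow, log: List[str]) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins.  No match is modelled as a block (in the
    real product it would raise an alert at the 'Very High' alert level)."""
    for r in rules:
        if r.matches(f):
            if r.log:
                log.append(f"{r.action.upper()} {f.proto}/{f.direction} "
                           f"dport={f.dst_port} rule='{r.name}'")
            return r.action, r
    log.append(f"BLOCK {f.proto}/{f.direction} dport={f.dst_port} rule=<no match>")
    return "block", None


def permitting_rule(rules: List[Rule], f: Flow) -> Optional[str]:
    """Step 4 of the report: remove rules one by one; the rule whose removal
    flips the verdict from allow to block is the one letting the flow out."""
    base, _ = evaluate(rules, f, [])
    if base != "allow":
        return None
    for i, r in enumerate(rules):
        verdict, _ = evaluate(rules[:i] + rules[i + 1:], f, [])
        if verdict != "allow":
            return r.name
    return None


def wide_rules(rules: List[Rule], f: Flow) -> List[str]:
    """The check worth doing before filing: which allow rules cover this
    destination port at all?  A rule's label says nothing about its range."""
    return [r.name for r in rules if r.action == "allow" and r.matches(f)]


# Constructed 'pre-defined' set.  Giving the FTP-PASV rule the full ephemeral
# range (where a passive-FTP data channel can land) is an assumption made to
# illustrate the check, not a statement about the real CIS rule.
PREDEFINED = [
    Rule("Allow Outgoing HTTP Requests", "allow", "tcp", "out", (80, 80)),
    Rule("Allow Outgoing HTTPS Requests", "allow", "tcp", "out", (443, 443)),
    Rule("Allow Outgoing FTP Requests", "allow", "tcp", "out", (21, 21)),
    Rule("Allow Outgoing FTP-PASV Requests", "allow", "tcp", "out", (1024, 65535)),
    Rule("Block and Log All Unmatching Requests", "block"),
]

# The reporter's manual analogue: same rule names, but the FTP-PASV rule
# really is limited to privileged destination ports 0-1023.
MANUAL = [r if r.name != "Allow Outgoing FTP-PASV Requests"
          else Rule(r.name, "allow", "tcp", "out", (0, 1023))
          for r in PREDEFINED]

IRC = Flow("tcp", "out", 6667)   # constructed: HydraIRC connecting to port 6667


if __name__ == "__main__":
    log: List[str] = []
    print("pre-defined:", evaluate(PREDEFINED, IRC, log)[0],
          "via", permitting_rule(PREDEFINED, IRC))
    print("manual     :", evaluate(MANUAL, IRC, log)[0],
          "via", permitting_rule(MANUAL, IRC))
    print("\n".join(log))
    print("allow rules covering 6667:", wide_rules(PREDEFINED, IRC))
```

With these assumed rules the pre-defined set allows the IRC flow and `permitting_rule` names the FTP-PASV rule, while the manual analogue falls through to the final block rule, which is the pattern the log entries in the report show. `wide_rules` is the short-cut: listing every allow rule whose port range covers 6667 answers the question without the remove-one-at-a-time loop, and it is the first thing to run when a rule set passes traffic its labels suggest it should not.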

Moved to Verified

Here’s another occurrence of the pre-defined browser rule allowing a connection that it shouldn’t: firewall settings for public hotspot use. It appears that a connection to a port (TCP 2060) is being allowed when the FTP-PASV rule is active and blocked when it’s disabled. Unless there’s something I’m missing, this should not be allowed.

Just an update. This problem persists in 5.5.195786.1382.

This can be closed. It was just me being a twonk!

Moved to the orphaned list due to user request.