The source is the recently added BugSec blog post¹, listed at #30 on the Security News Analyzed page.
Apparently several NGFW (Next-Generation Firewall) products allow the initial TCP handshake to complete no matter the destination, including destinations we would want to deny. It is worth pointing out that an actual connection is not established, because the firewall stops it.
By itself this problem would not have been an exploit, but the CTO, Idan Cohen, was then able to develop a tool that creates a full tunnel using only this initial handshake.
BugSec has disclosed this flaw to all the vendors that are affected by it.
The manufacturers said: “once their state machine proceeded beyond the TCP handshake, they would recognize the application, matching a subsequent rule that applied to application traffic.” If, as in this case, the application is classified as ‘unknown-TCP’, it is blocked only after an additional security policy lookup decides whether to allow or block the traffic.
So essentially, by default, some NGFWs are allowing ‘unknown-TCP’ traffic.
Obviously this can be rather dangerous.
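One way to hunt for this behaviour in session logs, as an added example that is not code from the BugSec post or from any firewall vendor: flag sources that keep generating sessions which completed the handshake, were classified as unknown-tcp, were denied, and carried no payload. The log format, field names, sample records and thresholds are all assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample session records (one key=value line per session); not
# real output from any vendor, and the field names are assumptions.
SAMPLE_LOG = """\
ts=100 src=10.0.0.5 dst=203.0.113.9 dport=443 app=unknown-tcp action=deny bytes=0
ts=101 src=10.0.0.5 dst=203.0.113.9 dport=443 app=unknown-tcp action=deny bytes=0
ts=102 src=10.0.0.7 dst=198.51.100.20 dport=443 app=ssl action=allow bytes=13920
ts=103 src=10.0.0.5 dst=203.0.113.9 dport=443 app=unknown-tcp action=deny bytes=0
ts=104 src=10.0.0.9 dst=203.0.113.9 dport=443 app=unknown-tcp action=deny bytes=0
ts=105 src=10.0.0.5 dst=203.0.113.9 dport=443 app=unknown-tcp action=deny bytes=0
ts=900 src=10.0.0.5 dst=203.0.113.9 dport=443 app=unknown-tcp action=deny bytes=0"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; ts and bytes become ints."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["ts"], rec["bytes"] = int(rec["ts"]), int(rec["bytes"])
    return rec


def is_handshake_only(rec):
    """The trace a handshake-then-deny leaves: the firewall completed the TCP
    handshake, could not classify the application (unknown-tcp), denied it,
    and no payload bytes ever crossed."""
    return rec["app"] == "unknown-tcp" and rec["action"] == "deny" and rec["bytes"] == 0


def find_suspicious(log_text, threshold=3, window=60):
    """Return {(src, dst): count} for pairs with at least `threshold`
    handshake-only denied sessions inside some `window`-second span. A few
    such sessions are normal noise; a steady stream to the same denied
    destination is what a handshake-only tunnel would look like in the log."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_handshake_only(rec):
            per_pair[(rec["src"], rec["dst"])].append(rec["ts"])
    hits = {}
    for pair, stamps in per_pair.items():
        stamps.sort()
        best, lo = 0, 0
        for hi, ts in enumerate(stamps):  # sliding window over timestamps
            while ts - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[pair] = best
    return hits
```

The same query expressed against a real SIEM would use the vendor's own field names; the point is the combination of unknown application, deny verdict and zero payload repeated between one source and one destination.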