BITS blocked by Gateway Anti-Virus with no dropped packets

03/26/2020 1 6377

DESCRIPTION:

When you try to download a file by using the Background Intelligent Transfer Service (BITS): "Content file download failed". The same has been seen when trying to update Adobe Acrobat from MACOS using the built-in updater.

As a troubleshooting test, disabling HTTP Inbound Inspection on SonicWall Gateway Anti-Virus will fix this but no related signatures blocking this traffic can be found and running a packet monitor will show all packets forwarded (no drops).

CAUSE:

The Accept-Range header is used by the server to inform the client if ranges are supported. Ranges are used by clients to request a partial file (i.e. from bytes 30 to 500).

When you copy a file by using BITS in background mode, the file is copied in multiple small parts. To perform this kind of copy operation, BITS uses the HTTP 1.1 Content-Range header. If you are behind a proxy server or behind a firewall that removes this header, the file copy operation is unsuccessful.

NOTE:  When BITS copies files in foreground mode, BITS does not use this header.

However, exploits can be used when servers accept ranges – if an attacker request bytes from 0 to a very large number (larger than 64-bit for example), they can cause a buffer/integer overflow.

NOTE: This should not happen if servers are up-to-date  to the latest IIS but if the customer runs a old/outdated server, the attack may pass through.

SonicWall is well known to remove this header as we consider it non-secure however if an application uses HTTP ranges this option must be enabled.

RESOLUTION:

To fix this, please follow these steps:

1. Login to your firewall.
2. Edit the URL https://IP_Firewall/main.html by replacing main.html with diag.html
3. Click Internal Settings
4. Enable the option "Keep HTTP header Accept-Range bytes"

This way the SonicWall will not remove the header but this may expose your servers if they're not up-to-date.