Re: [FW1] CERT Advisory CA-2001-17
If "Accept FireWall-1 Control Connections" is "off" on a limited user count FW1, is this still an issue?

-Robert

At 07:34 PM 7/9/01 -0500, Oscar Aviles wrote:
>
> Look that friends....
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>CERT Advisory CA-2001-17 Check Point RDP Bypass Vulnerability
>
>   Original release date: July 09, 2001
>   Last revised: --
>   Source: CERT/CC
>
>   A complete revision history is at the end of this file.
>
>Systems Affected
>
>     * Check Point VPN-1 and FireWall-1 Version 4.1
>
>Overview
>
>   A vulnerability in Check Point FireWall-1 and VPN-1 may allow an
>   intruder to pass traffic through the firewall on port 259/UDP.
>
>I. Description
>
>   Inside Security GmbH has discovered a vulnerability in Check Point
>   FireWall-1 and VPN-1 that allows an intruder to bypass the firewall.
>   The default FireWall-1 management rules allow arbitrary RDP (Reliable
>   Data Protocol) connections to traverse the firewall. RFC-908 and
>   RFC-1151 describe the Reliable Data Protocol (RDP). Quoting from
>   RFC-908:
>
>     The Reliable Data Protocol (RDP) is designed to provide a reliable
>     data transport service for packet-based applications such as remote
>     loading and debugging.
>
>   RDP was designed to have much of the same functionality as TCP, but it
>   has some advantages over TCP in certain situations. FireWall-1 and
>   VPN-1 include support for RDP, but they do not provide adequate
>   security controls. Quoting from the advisory provided by Inside
>   Security GmbH:
>
>     By adding a faked RDP header to normal UDP traffic any content can
>     be passed to port 259 on any remote host on either side of the
>     firewall.
>
>   For more information, see the Inside Security GmbH security advisory,
>   available at
>
>          http://www.inside-security.de/advisories/fw1_rdp.html
>
>   Although the CERT/CC has not seen any incident activity related to
>   this vulnerability, we do recommend that all affected sites upgrade
>   their Check Point software as soon as possible.
>
>II. Impact
>
>   An intruder can pass UDP traffic with arbitrary content through the
>   firewall on port 259 in violation of implied security policies.
>
>   If an intruder can gain control of a host inside the firewall, he may
>   be able to use this vulnerability to tunnel arbitrary traffic across
>   the firewall boundary.
>
>   Additionally, even if an intruder does not have control of a host
>   inside the firewall, he may be able to use this vulnerability as a
>   means of exploiting another vulnerability in software listening
>   passively on the internal network.
>
>   Finally, an intruder may be able to use this vulnerability to launch
>   certain kinds of denial-of-service attacks.
>
>III. Solutions
>
>   Install a patch from Check Point Software Technologies. More
>   information is available in Appendix A.
>
>   Until a patch can be applied, you may be able to reduce your exposure
>   to this vulnerability by configuring your router to block access to
>   259/UDP at your network perimeter.
>
>Appendix A
>
>Check Point
>
>   Check Point has issued an alert for this vulnerability at
>
>          http://www.checkpoint.com/techsupport/alerts/
>
>   Download the patch from Check Point's web site:
>
>          http://www.checkpoint.com/techsupport/downloads.html
>
>Appendix B. - References
>
>    1. http://www.inside-security.de/advisories/fw1_rdp.html
>    2. http://www.kb.cert.org/vuls/id/310295
>    3. http://www.ietf.org/rfc/rfc908.txt
>    4. http://www.ietf.org/rfc/rfc1151.txt
>   _________________________________________________________________
>
>   Our thanks to Inside Security GmbH for the information contained in
>   their advisory.
>   _________________________________________________________________
>
>   This document was written by Ian A. Finlay. If you have feedback
>   concerning this document, please send email to:
>
>          mailto:[email protected]?Subject=Feedback CA-2001-17 [VU#310295]
>
>   Copyright 2001 Carnegie Mellon University.
>
>   Revision History
>July 09, 2001: Initial Release
>
>================================================================================
>     To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
>================================================================================
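The quoted advisory's interim mitigation is to block 259/UDP at the network perimeter. As an added example (not part of this thread, the CERT advisory or Check Point's material), the Python below checks flow records for accepted 259/UDP traffic that crossed the perimeter in either direction; the comma-separated log format, the internal network ranges and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the site's internal address space; adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
RDP_PORT = 259  # UDP port named in CA-2001-17

# Constructed sample records (hypothetical format):
# time,proto,src_ip,src_port,dst_ip,dst_port,action
SAMPLE_LOG = """\
2001-07-10T08:00:01,udp,203.0.113.7,40000,10.1.2.3,259,accept
2001-07-10T08:00:02,udp,10.1.2.3,259,198.51.100.9,259,accept
2001-07-10T08:00:03,udp,10.1.2.3,1025,10.1.2.1,259,accept
2001-07-10T08:00:04,tcp,203.0.113.7,40001,10.1.2.3,259,accept
2001-07-10T08:00:05,udp,203.0.113.8,40002,10.1.2.4,259,drop
2001-07-10T08:00:06,udp,203.0.113.8,53,10.1.2.4,1030,accept
not,a,valid,record
"""

def is_internal(addr):
    """True if addr falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_perimeter_rdp(log_text):
    """Return (time, direction, src, dst) for accepted 259/UDP flows
    whose endpoints sit on opposite sides of the perimeter."""
    findings = []
    for line in log_text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 7:
            continue  # skip malformed records
        ts, proto, src, _sport, dst, dport, action = fields
        if proto.lower() != "udp" or dport != str(RDP_PORT) or action != "accept":
            continue  # other protocol or port, or already blocked
        try:
            src_in, dst_in = is_internal(src), is_internal(dst)
        except ValueError:
            continue  # unparsable address
        if src_in == dst_in:
            continue  # both endpoints on the same side: no boundary crossing
        findings.append((ts, "inbound" if dst_in else "outbound", src, dst))
    return findings

if __name__ == "__main__":
    for finding in find_perimeter_rdp(SAMPLE_LOG):
        print(*finding)
```

Any finding after the perimeter block is in place means the filter is not covering that path.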