RE: [FW1] FW: CERT Advisory CA-2001-17

Ralf,

There are several aspects to the latest CheckPoint vulnerability. 

RDP is a CP proprietary protocol, which does not comply with the RFC. Presumably it largely did comply, which is why they were able to exploit it, i.e. craft a packet by RFC specs and Firewall-1 predictably processed it.

The exposure is not as much the gateway as the networks or hosts behind it. In other words, if you target a host in your internal network on port 259 (or vice versa), Firewall-1 would by default pass the packet whether or not you have a rule that allows the communication path. In other words, if I plug an executable in your WWW server on the DMZ, I would be able to communicate with the outside (i.e. my battle station) whether or not you are allowing your WWW server to establish outbound connections.

To some extent, the implications of the vulnerability relate more to your containment strategy than to your exposure. Although I cannot speak for NT environments, in the Unix world, in order to bind a lower port you need to execute your program with root's uid. For all intents and purposes, at this point it's game over. Once an intruder has acquired unauthorized access to a host, containment is a little bit trickier, i.e. you don't want him to publish your customers' passwords on the web. In this respect not having this surreptitious path allowed might help, although even then it's a moot point. A good hacker, and most of them are pretty good, could easily find, let's say, your mailhub's IP address (probably a host on the DMZ), either exploit the mailhub or spoof the IP address, and open a feedback connection on port 25. Your firewall will be more than happy to allow that, etc. etc.

I'm not suggesting you ignore the vulnerability, but don't lose your sleep over it yet. Make sure your Inet-exposed hosts are secured and your IDS sensors tuned up; take your security audits seriously and keep your rules tight.

That's my .02 cents anyway.

Cheers.
George
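A toy model of the exposure George describes, added here as an example and not CheckPoint's code: an implied rule that accepts traffic with port 259 as source or destination before the administrator's explicit rules are consulted, plus an audit function that lists the packets the explicit rule base alone would have dropped. The rule base, the addresses and the matching semantics are constructed assumptions, not the product's actual implementation.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# A packet and an explicit rule (nets are CIDR or "any"; dport None = any port).
Packet = namedtuple("Packet", "src dst sport dport")
Rule = namedtuple("Rule", "src dst dport action")
RDP_PORT = 259

def _addr_in(net, addr):
    return net == "any" or ip_address(addr) in ip_network(net)

def rule_matches(rule, pkt):
    return (_addr_in(rule.src, pkt.src) and _addr_in(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def implied_rdp_accepts(pkt):
    """Model of the implied rule the advisory concerns: traffic with port 259
    as source or destination is accepted before the explicit rules are read."""
    return RDP_PORT in (pkt.sport, pkt.dport)

def evaluate(pkt, rules, implied_rdp=True):
    """Verdict for one packet; implied_rdp=False models that rule being disabled."""
    if implied_rdp and implied_rdp_accepts(pkt):
        return "accept"
    for rule in rules:  # first match wins
        if rule_matches(rule, pkt):
            return rule.action
    return "drop"  # implicit clean-up rule

def surreptitious_paths(packets, rules):
    """Packets the explicit rule base drops but the implied rule lets through."""
    return [p for p in packets
            if evaluate(p, rules, True) == "accept"
            and evaluate(p, rules, False) == "drop"]

# Constructed rule base: the DMZ web server may be reached on port 80 only,
# and nothing else (including the server's own outbound traffic) is allowed.
EXPLICIT_RULES = [
    Rule("any", "192.0.2.0/24", 80, "accept"),
    Rule("any", "any", None, "drop"),
]

# Constructed traffic: a web request, an inbound probe to port 259, the DMZ
# server calling out from source port 259, and an outbound SMTP attempt.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "192.0.2.10", 40000, 80),
    Packet("203.0.113.5", "192.0.2.10", 40000, RDP_PORT),
    Packet("192.0.2.10", "203.0.113.5", RDP_PORT, 40000),
    Packet("192.0.2.10", "203.0.113.5", 40000, 25),
]
```

Running `surreptitious_paths(SAMPLE_PACKETS, EXPLICIT_RULES)` returns the two port-259 packets: the rule base never mentioned them, yet only disabling the implied rule makes the firewall drop them.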
