RE: [FW1] FW: CERT Advisory CA-2001-17
Ralf,

There are several aspects to the latest CheckPoint vulnerability. RDP is a CP proprietary protocol, which does not comply with the RFC. Presumably it largely did comply, which is why they were able to exploit it, i.e. craft a packet by RFC specs and Firewall-1 predictably processed it.

The exposure is not as much the gateway as the networks or hosts behind it. In other words, if you target a host in your internal network on port 259 (or vice versa), Firewall-1 would by default pass the packet whether or not you have a rule that allows the communication path. In other words, if I plug an executable in your WWW server on the DMZ, I would be able to communicate with the outside (i.e. my battle station) whether or not you are allowing your WWW server to establish outbound connections.

To some extent, the implications of the vulnerability relate more to your containment strategy than to your exposure. Although I cannot speak for NT environments, in the Unix world, in order to bind a lower port you need to execute your program with root's uid. For all intents and purposes, at this point it's game over. Once an intruder has acquired unauthorized access to a host, containment is a little bit trickier, i.e. you don't want him to publish your customers' passwords on the web. In this respect not having this surreptitious path allowed might help, although even then it's a moot point. A good hacker, and most of them are pretty good, could easily find, let's say, your mailhub's IP address (probably a host on the DMZ), either exploit the mailhub, or spoof the IP address and open a feedback connection on port 25. Your firewall will be more than happy to allow that, etc. etc.

I'm not suggesting you ignore the vulnerability, but don't lose your sleep over it yet. Make sure your Inet-exposed hosts are secured, and your IDS sensors tuned up; take your security audits seriously and keep your rules tight.

That's my .02 cents anyway. Cheers.
George
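George's point that port 259 traffic is passed regardless of the rulebase can be turned into an audit check. The following is an added example, not code from the mail or from Check Point: a toy first-match rulebase evaluator that models the implied accept for RDP (UDP 259 in the advisory) and reports flows the gateway would pass although the written rules would drop them. All addresses, rules and flows are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

RDP_PORT = 259  # Check Point RDP port named in CA-2001-17 and in the mail above


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR the rule matches
    dst: str      # destination CIDR the rule matches
    port: int     # destination port; 0 means any port
    action: str   # "accept" or "drop"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def _in(net: str, host: str) -> bool:
    return ipaddress.ip_address(host) in ipaddress.ip_network(net)


def explicit_decision(flow: Flow, rules: list) -> str:
    """First-match evaluation of the administrator's own rules; implicit drop at the end."""
    for r in rules:
        if _in(r.src, flow.src) and _in(r.dst, flow.dst) and r.port in (0, flow.port):
            return r.action
    return "drop"


def firewall_decision(flow: Flow, rules: list, implied_rdp: bool = True) -> str:
    """Models the behaviour described: with the implied RDP rule on (the default),
    port 259 is accepted before the written rulebase is consulted."""
    if implied_rdp and flow.port == RDP_PORT:
        return "accept"
    return explicit_decision(flow, rules)


def implied_only_flows(flows: list, rules: list) -> list:
    """Flows the gateway passes that the written rulebase alone would drop: the
    surreptitious path the mail warns about (e.g. a DMZ host calling out on 259)."""
    return [f for f in flows
            if firewall_decision(f, rules) == "accept"
            and explicit_decision(f, rules) == "drop"]


# Constructed sample rulebase: Internet -> DMZ web on 80, internal -> DMZ mailhub on 25.
SAMPLE_RULES = [Rule("0.0.0.0/0", "192.0.2.10/32", 80, "accept"),
                Rule("10.0.0.0/8", "192.0.2.25/32", 25, "accept")]
# Constructed sample flows: 203.0.113.5 is the outside host, 192.0.2.x the DMZ, 10.x internal.
SAMPLE_FLOWS = [Flow("192.0.2.10", "203.0.113.5", 259),   # DMZ web server calling out on 259
                Flow("203.0.113.5", "10.1.2.3", 259),     # outside host reaching an internal host
                Flow("203.0.113.5", "192.0.2.10", 80),    # legitimately allowed web traffic
                Flow("192.0.2.10", "203.0.113.5", 443)]   # dropped by both evaluations
```

Running `implied_only_flows(SAMPLE_FLOWS, SAMPLE_RULES)` lists only the two port 259 flows; with `implied_rdp=False` the gateway decision matches the written rules again.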