
RE: [FW1] CERT Advisory CA-2001-17




Martin, my postings to the list about this didn't make it yet -at least not
back to me- but if the Gurus here don't say otherwise there's no magic
involved:

If a host is not listening on a particular port, I can't get anything
through that port on that machine. FW-1 is listening on the vulnerable
ports, if the implied rule for control connections is enabled, therefore
you can reach any machine behind the firewall on those ports without
control. But if the implied rule is off, nada goes. That SP3 disables the
implied rule can't be true, because I've installed numerous firewalls with
it and if it was turned off from the beginning, I wouldn't have been able
to do remote management and set up the initial rulebase with specific rules
for management and then turn the implied rule off.

Now, who's right? George, Carl, Amin, anyone?? <g>

Cheers
Ralf





                                                                                                           
From: "Martin, Kevin T" <kevin.t.martin@bankofamerica.com>
To: [email protected], [email protected]
cc: [email protected]
Subject: RE: [FW1] CERT Advisory CA-2001-17
Date: 11.07.01 18:09
                                                                                                           




I'm not sure that this is true.  I say that because Checkpoint disabled
"Accept FireWall-1 Control Connections" by default w/ SP3 to fix an exploit
found at the BlackHat conference and the RDP exploit is still workable.

Kevin Martin
Bank of America
[email protected]


-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, July 11, 2001 5:17 AM
To: Robert C. Wessel
Cc: [email protected]
Subject: Re: [FW1] CERT Advisory CA-2001-17




Robert,

I had the same question (and posted it too quickly to the list)  but if you
carefully read the original advisory on inside-security's website you will
see that it's not an issue then.

If you follow the recommended path of disabling implied rules completely
and use specific rules in the rulebase for management connections et al
you're fine. You could also glean this from Amin Tora's first posting...

Cheers
Ralf








From: "Robert C. Wessel" <[email protected]>
Sent by: [email protected]
To: Oscar Aviles <[email protected]>, "'[email protected]'" <[email protected]>
cc:
Subject: Re: [FW1] CERT Advisory CA-2001-17
Date: 10.07.01 12:26










If "Accept FireWall-1 Control Connections" is "off" on a limited user count
FW1, is this still an issue?

-Robert

At 07:34 PM 7/9/01 -0500, Oscar Aviles wrote:
>
>
>
>       Look that friends....
>
>
>
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>CERT Advisory CA-2001-17 Check Point RDP Bypass Vulnerability
>
>   Original release date: July 09, 2001
>   Last revised: --
>   Source: CERT/CC
>
>   A complete revision history is at the end of this file.
>
>Systems Affected
>
>     * Check Point VPN-1 and FireWall-1 Version 4.1
>
>Overview
>
>   A vulnerability in Check Point FireWall-1 and VPN-1 may allow an
>   intruder to pass traffic through the firewall on port 259/UDP.
>
>I. Description
>
>   Inside Security GmbH has discovered a vulnerability in Check Point
>   FireWall-1 and VPN-1 that allows an intruder to bypass the firewall.
>   The default FireWall-1 management rules allow arbitrary RDP (Reliable
>   Data Protocol) connections to traverse the firewall. RFC-908 and
>   RFC-1151 describe the Reliable Data Protocol (RDP). Quoting from
>   RFC-908:
>
>     The Reliable Data Protocol (RDP) is designed to provide a reliable
>     data transport service for packet-based applications such as remote
>     loading and debugging.
>
>   RDP was designed to have much of the same functionality as TCP, but it
>   has some advantages over TCP in certain situations. FireWall-1 and
>   VPN-1 include support for RDP, but they do not provide adequate
>   security controls. Quoting from the advisory provided by Inside
>   Security GmbH:
>
>     By adding a faked RDP header to normal UDP traffic any content can
>     be passed to port 259 on any remote host on either side of the
>     firewall.
>
>   For more information, see the Inside Security GmbH security advisory,
>   available at
>
>          http://www.inside-security.de/advisories/fw1_rdp.html
>
>   Although the CERT/CC has not seen any incident activity related to
>   this vulnerability, we do recommend that all affected sites upgrade
>   their Check Point software as soon as possible.
>
>II. Impact
>
>   An intruder can pass UDP traffic with arbitrary content through the
>   firewall on port 259 in violation of implied security policies.
>
>   If an intruder can gain control of a host inside the firewall, he may
>   be able to use this vulnerability to tunnel arbitrary traffic across
>   the firewall boundary.
>
>   Additionally, even if an intruder does not have control of a host
>   inside the firewall, he may be able to use this vulnerability as a
>   means of exploiting another vulnerability in software listening
>   passively on the internal network.
>
>   Finally, an intruder may be able to use this vulnerability to launch
>   certain kinds of denial-of-service attacks.
>
>III. Solutions
>
>   Install a patch from Check Point Software Technologies. More
>   information is available in Appendix A.
>
>   Until a patch can be applied, you may be able to reduce your exposure
>   to this vulnerability by configuring your router to block access to
>   259/UDP at your network perimeter.
>
>Appendix A
>
>Check Point
>
>   Check Point has issued an alert for this vulnerability at
>
>          http://www.checkpoint.com/techsupport/alerts/
>
>   Download the patch from Check Point's web site:
>
>          http://www.checkpoint.com/techsupport/downloads.html
>
>Appendix B. - References
>
>    1. http://www.inside-security.de/advisories/fw1_rdp.html
>    2. http://www.kb.cert.org/vuls/id/310295
>    3. http://www.ietf.org/rfc/rfc908.txt
>    4. http://www.ietf.org/rfc/rfc1151.txt
>     _________________________________________________________________
>
>   Our thanks to Inside Security GmbH for the information contained in
>   their advisory.
>     _________________________________________________________________
>
>   This document was written by Ian A. Finlay. If you have feedback
>   concerning this document, please send email to:
>
>          mailto:[email protected]?Subject=Feedback CA-2001-17 [VU#310295]
>
>   Copyright 2001 Carnegie Mellon University.
>
>   Revision History
>July 09, 2001: Initial Release
>
>
>===========================================================================
>     To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
>===========================================================================


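As an added illustration (not code from the thread, from Check Point, or from the advisory), the following is a simplified first-match rulebase model of the point Ralf and Kevin are debating: whether the implied "Accept FireWall-1 Control Connections" rule, or an explicit management rule, decides if 259/UDP can cross the firewall from either side. The `Rule` type, the host labels and the choice to model only the advisory's port 259/UDP are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"

@dataclass(frozen=True)
class Rule:
    src: str             # host label or ANY
    dst: str             # host label or ANY
    proto: str           # "udp" or "tcp"
    port: Optional[int]  # None matches any port
    action: str          # "accept" or "drop"

# Model of the implied "Accept FireWall-1 Control Connections" rule: matched
# ahead of the explicit rulebase, it accepts 259/UDP between any two hosts.
# Assumption: only the advisory's port is modelled, not every implied service.
IMPLIED_CONTROL_RULE = Rule(ANY, ANY, "udp", 259, "accept")

def effective_rulebase(explicit: List[Rule], implied_on: bool) -> List[Rule]:
    """Implied rules (if enabled) are evaluated before the explicit rules."""
    return ([IMPLIED_CONTROL_RULE] if implied_on else []) + list(explicit)

def _matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (rule.src in (ANY, src) and rule.dst in (ANY, dst)
            and rule.proto == proto and rule.port in (None, port))

def decide(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """First matching rule wins; with no match the implicit cleanup rule drops."""
    for rule in rules:
        if _matches(rule, src, dst, proto, port):
            return rule.action
    return "drop"

def rdp_bypass_exposed(explicit: List[Rule], implied_on: bool) -> bool:
    """True if 259/UDP is accepted between an arbitrary outside host and an
    inside host in either direction (the advisory's 'either side')."""
    rules = effective_rulebase(explicit, implied_on)
    return (decide(rules, "outside-host", "inside-host", "udp", 259) == "accept"
            or decide(rules, "inside-host", "outside-host", "udp", 259) == "accept")

# Constructed rulebase following the recommended path: implied rule off, and
# one specific rule admitting control traffic from the management station
# only (host labels are placeholders).
RECOMMENDED = [Rule("mgmt-station", "fw-module", "udp", 259, "accept")]

if __name__ == "__main__":
    print("implied rule on :", rdp_bypass_exposed(RECOMMENDED, True))   # True
    print("implied rule off:", rdp_bypass_exposed(RECOMMENDED, False))  # False
    print("mgmt still works:", decide(effective_rulebase(RECOMMENDED, False),
                                      "mgmt-station", "fw-module", "udp", 259))
```

The model shows only what the rulebase order implies: with the implied rule on, 259/UDP is accepted regardless of the explicit rules, and with it off only the management station matches, which is the configuration the thread recommends pending the vendor patch.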

   All contents © 2004 Network Presence, LLC. All rights reserved.