Last revised: July 12, 2001
Source: CERT/CC
A complete revision history is at the end of this file.
A vulnerability in Check Point FireWall-1 and VPN-1 may allow an
intruder to pass traffic through the firewall on port 259/UDP.
Inside Security
GmbH has discovered a vulnerability in Check Point FireWall-1 and
VPN-1 that allows an intruder to bypass the firewall. The default
FireWall-1 management rules allow arbitrary RDP connections to
traverse the firewall.
FireWall-1 and VPN-1 include support for RDP, but they do not provide
adequate security controls. Quoting from the advisory provided by
Inside Security GmbH:
For more information, see the Inside Security GmbH security advisory,
available at
Although the CERT/CC has not seen any incident activity related to
this vulnerability, we do recommend that all affected sites upgrade
their Check Point software as soon as possible.
An intruder can pass UDP traffic with arbitrary content through the
firewall on port 259 in violation of implied security policies.
If an intruder can gain control of a host inside the firewall, he
may be able to use this vulnerability to tunnel arbitrary traffic
across the firewall boundary.
Additionally, even if an intruder does not have control of a host
inside the firewall, he may be able to use this vulnerability as a
means of exploiting another vulnerability in software listening
passively on the internal network.
Finally, an intruder may be able to use this vulnerability to
launch certain kinds of denial-of-service attacks.
Install a patch from Check Point Software Technologies. More
information is available in Appendix A.
Until a patch can be applied, you may be able to reduce your
exposure to this vulnerability by configuring your router to block
access to 259/UDP at your network perimeter.
Download the patch from Check Point's web site:
Our thanks to Inside Security GmbH for the information contained
in their advisory.
This document was written by Ian A. Finlay. If you have feedback
concerning this document, please send email to:
Copyright 2001 Carnegie Mellon University. Revision History
Systems Affected
Overview
I. Description
By adding a faked RDP header to normal UDP traffic any content can be
passed to port 259 on any remote host on either side of the firewall.
II. Impact
III. Solutions
Appendix A
Check Point
Check Point has issued an alert for this vulnerability at
Appendix B. - References
July 09, 2001: Initial Release
July 09, 2001: Removed references to RFC's describing RDP. Specifically,
we removed the references to RFC-908 and RFC-1151.
July 09, 2001: Added reference to Check Point's security document.
July 12, 2001: Added version 4.0 to systems affected section.