<FONT FACE="Verdana">
Original release date: July 09, 2001<BR>
Last revised: July 12, 2001<BR>
Source: CERT/CC<BR>
<P>A complete revision history is at the end of this file.
<A NAME="affected">
<H3>Systems Affected</H3>
<ul>
<li>Check Point VPN-1 and FireWall-1 Version 4.0 &amp; 4.1</li>
</ul>
<A NAME="overview">
<H2>Overview</H2>
<P>
<p>A vulnerability in Check Point FireWall-1 and VPN-1 may allow an intruder to pass traffic through the firewall on port 259/UDP.
</P>
<A NAME="description">
<H2>I. Description</H2>
<p><A HREF="http://www.inside-security.de/about_us/">Inside Security GmbH</A> has discovered a vulnerability in Check Point FireWall-1 and VPN-1 that allows an intruder to bypass the firewall. The default FireWall-1 management rules allow arbitrary RDP connections to traverse the firewall.
<p>FireWall-1 and VPN-1 include support for RDP, but they do not provide adequate security controls. Quoting from the advisory provided by Inside Security GmbH:
<BLOCKQUOTE>
By adding a faked RDP header to normal UDP traffic any content can be passed to port 259 on any remote host on either side of the firewall.
</BLOCKQUOTE>
<P>For more information, see the Inside Security GmbH security advisory, available at
<dl>
<dd>
<A HREF="http://www.inside-security.de/advisories/fw1_rdp.html">http://www.inside-security.de/advisories/fw1_rdp.html</a>
</dd>
</dl>
<p>Although the CERT/CC has not seen any incident activity related to this vulnerability, we do recommend that all affected sites upgrade their Check Point software as soon as possible.
<A NAME="impact">
<H2>II. Impact</H2>
<p>An intruder can pass UDP traffic with arbitrary content through the firewall on port 259 in violation of implied security policies.
<p>If an intruder can gain control of a host inside the firewall, he may be able to use this vulnerability to tunnel arbitrary traffic across the firewall boundary.
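<P>The check below is an added example, not part of the CERT/CC or Inside Security GmbH advisories: it scans flow records for 259/UDP traffic that has one endpoint on each side of the firewall, which is the condition this section describes. The record layout, the internal address ranges, and the sample records are assumptions constructed for illustration.</P>

```python
import ipaddress

# Assumption: address ranges that sit behind the firewall (illustrative only).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
RDP_PORT = 259  # the UDP port named in the advisory

# Constructed sample flow records: time proto src sport dst dport bytes
SAMPLE_FLOWS = """\
2001-07-10T08:00:01 udp 203.0.113.7 40000 10.1.2.3 259 512
2001-07-10T08:00:02 udp 10.1.2.3 259 203.0.113.7 40000 2048
2001-07-10T08:00:03 udp 10.1.2.3 1025 10.1.9.9 259 128
2001-07-10T08:00:04 tcp 203.0.113.7 40001 10.1.2.3 259 64
2001-07-10T08:00:05 udp 198.51.100.4 53 10.1.2.3 1030 90
2001-07-10T08:00:06 udp 10.4.4.4 31000 198.51.100.9 259 900
this line is malformed
"""

def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in INTERNAL_NETS)

def find_boundary_crossings(text):
    """Return (findings, skipped): UDP/259 flows with one endpoint on each side."""
    findings, skipped = [], 0
    for line in text.splitlines():
        try:
            ts, proto, src, sport, dst, dport, nbytes = line.split()
            sport, dport, nbytes = int(sport), int(dport), int(nbytes)
            src_in, dst_in = is_internal(src), is_internal(dst)
        except ValueError:
            skipped += 1  # wrong field count, bad number, or bad address
            continue
        # Match either port so replies sent from port 259 are seen as well.
        if proto.lower() != "udp" or RDP_PORT not in (sport, dport):
            continue
        if src_in == dst_in:
            continue  # both endpoints on the same side: no boundary crossing
        direction = "inbound" if dst_in else "outbound"
        findings.append({"time": ts, "direction": direction,
                         "src": src, "dst": dst, "bytes": nbytes})
    return findings, skipped

if __name__ == "__main__":
    hits, bad = find_boundary_crossings(SAMPLE_FLOWS)
    for hit in hits:
        print(hit)
    print(f"{len(hits)} boundary-crossing 259/UDP flows, {bad} unparsable lines")
```

<P>After the patch or a perimeter block on 259/UDP is in place, the same check over fresh records should return no findings.</P>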
<p>Additionally, even if an intruder does not have control of a host inside the firewall, he may be able to use this vulnerability as a means of exploiting another vulnerability in software listening passively on the internal network.
<p>Finally, an intruder may be able to use this vulnerability to launch certain kinds of denial-of-service attacks.
<A NAME="solution">
<H2>III. Solutions</H2>
<p>Install a patch from Check Point Software Technologies. More information is available in Appendix A.
<p>Until a patch can be applied, you may be able to reduce your exposure to this vulnerability by configuring your router to block access to 259/UDP at your network perimeter.
<A NAME="vendors">
<H2>Appendix A</H2>
<h4>Check Point</h4>
Check Point has issued an alert for this vulnerability at <BR>
<DL><DD>
<a href="http://www.checkpoint.com/techsupport/alerts/rdp.html">http://www.checkpoint.com/techsupport/alerts/rdp.html</a>
</DL>
</P>
<P>
Download the patch from Check Point's web site:
<DL><DD>
<a href="http://www.checkpoint.com/techsupport/downloads.html">http://www.checkpoint.com/techsupport/downloads.html</a>
</DL>
</P>
<A NAME="references"><H2>Appendix B. - References</H2></A>
<ol>
<li><a href="http://www.inside-security.de/advisories/fw1_rdp.html">http://www.inside-security.de/advisories/fw1_rdp.html</a><BR>
<li><a href="http://www.kb.cert.org/vuls/id/310295">http://www.kb.cert.org/vuls/id/310295</a><BR>
</ol>
<HR>
<P>
Our thanks to Inside Security GmbH for the information contained in their advisory.
<HR NOSHADE>
<P>This document was written by Ian A. Finlay. If you have feedback concerning this document, please send email to:
<DL><DD>
<a href="mailto:cert@cert.org?Subject=Feedback%20CA-2001-17%20[VU%23310295]">mailto:cert@cert.org?Subject=Feedback CA-2001-17 [VU#310295]</a>
</DL>
<P>Copyright 2001 Carnegie Mellon University.</P>
<P>Revision History
<PRE>
July 09, 2001: Initial Release
July 09, 2001: Removed references to RFC's describing RDP.
               Specifically, we removed the references to RFC-908 and RFC-1151.
July 09, 2001: Added reference to Check Point's security document.
July 12, 2001: Added version 4.0 to systems affected section.
</PRE>
<!-- This completes the table started in *_titlebar.html -->
</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>