<FONT FACE="Verdana">

Original release date: July 09, 2001<BR>
Last revised: July 12, 2001<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>
<ul>
<li>Check Point VPN-1 and FireWall-1 Version 4.0 and 4.1</li>
</ul>

<A NAME="overview">
<H2>Overview</H2>
<p>A vulnerability in Check Point FireWall-1 and VPN-1 may allow an
intruder to pass traffic through the firewall on port 259/UDP.
</P>
<A NAME="description">
<H2>I. Description</H2>

<p><A HREF="http://www.inside-security.de/about_us/">Inside Security
GmbH</A> has discovered a vulnerability in Check Point FireWall-1 and
VPN-1 that allows an intruder to bypass the firewall. The default
FireWall-1 management rules allow arbitrary RDP connections to
traverse the firewall. 

<p>FireWall-1 and VPN-1 include support for RDP, but they do not provide
adequate security controls. Quoting from the advisory provided by
Inside Security GmbH:

<BLOCKQUOTE>
By adding a faked RDP header to normal UDP traffic any content can be
passed to port 259 on any remote host on either side of the firewall.
</BLOCKQUOTE>

<P>For more information, see the Inside Security GmbH security advisory,
available at

<dl>
<dd>
<A
HREF="http://www.inside-security.de/advisories/fw1_rdp.html">http://www.inside-security.de/advisories/fw1_rdp.html</a>
</dd>
</dl> 

<p>Although the CERT/CC has not seen any incident activity related to
this vulnerability, we do recommend that all affected sites upgrade
their Check Point software as soon as possible.

<A NAME="impact">
<H2>II. Impact</H2>

<p>An intruder can pass UDP traffic with arbitrary content through the
firewall on port 259 in violation of implied security policies.

<p>If an intruder can gain control of a host inside the firewall, he
may be able to use this vulnerability to tunnel arbitrary traffic
across the firewall boundary.


<p>Additionally, even if an intruder does not have control of a host
inside the firewall, he may be able to use this vulnerability as a
means of exploiting another vulnerability in software listening
passively on the internal network.

<p>Finally, an intruder may be able to use this vulnerability to
launch certain kinds of denial-of-service attacks.

<A NAME="solution">
<H2>III. Solutions</H2> 

<p>Install a patch from Check Point Software Technologies. More
information is available in Appendix A.

<p>Until a patch can be applied, you may be able to reduce your
exposure to this vulnerability by configuring your router to block
access to 259/UDP at your network perimeter.
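
<p>One way to check whether 259/UDP traffic is crossing the perimeter, before and after the router block is applied. This is an added example, not part of the original CERT/CC advisory: the flow-record format, the internal range 10.0.0.0/8 and the function names are assumptions, and the sample records are constructed.</p>

```python
import ipaddress
from collections import Counter

# Assumption: the protected (internal) address space behind the firewall.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WATCHED_PORT = 259  # the UDP port named in this advisory

# Constructed sample flow records: "proto src_ip src_port dst_ip dst_port bytes"
SAMPLE_FLOWS = """\
udp 198.51.100.7 40112 10.1.2.30 259 412
udp 10.1.2.30 259 198.51.100.7 40112 1380
udp 10.1.2.31 53211 10.1.2.1 259 96
tcp 198.51.100.7 40113 10.1.2.30 259 60
udp 203.0.113.9 5353 10.1.2.40 53 74
udp 198.51.100.7 40112 10.1.2.30 259 388
bad line
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in INTERNAL_NETS)

def perimeter_crossings(log_text, port=WATCHED_PORT):
    """Count UDP flows on `port` whose endpoints sit on opposite sides
    of the perimeter, keyed by (direction, internal_host, external_host)."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records
        proto, src, sport, dst, dport, _size = fields
        try:
            src_in, dst_in = is_internal(src), is_internal(dst)
            ports = (int(sport), int(dport))
        except ValueError:
            continue  # unparsable address or port
        if proto.lower() != "udp" or port not in ports:
            continue
        if src_in == dst_in:
            continue  # both ends on the same side: not a perimeter crossing
        if dst_in:
            hits[("inbound", dst, src)] += 1
        else:
            hits[("outbound", src, dst)] += 1
    return hits

if __name__ == "__main__":
    for (direction, inside, outside), n in sorted(perimeter_crossings(SAMPLE_FLOWS).items()):
        print(f"{direction:8} inside={inside} outside={outside} flows={n}")
```

<p>Both directions are reported because the advisory describes traffic passing to hosts on either side of the firewall.</p>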

<A NAME="vendors">
<H2>Appendix A</H2> 

<h4>Check Point</h4>

<P>
Check Point has issued an alert for this vulnerability at
<DL><DD>
<a href="http://www.checkpoint.com/techsupport/alerts/rdp.html">http://www.checkpoint.com/techsupport/alerts/rdp.html</a>
</DL>
</P>

<P>
Download the patch from Check Point's web site:

<DL><DD>
<a href="http://www.checkpoint.com/techsupport/downloads.html">http://www.checkpoint.com/techsupport/downloads.html</a>
</DL>

</P>

<A NAME="references"><H2>Appendix B. - References</H2></A>

<ol>
<li><a href="http://www.inside-security.de/advisories/fw1_rdp.html">http://www.inside-security.de/advisories/fw1_rdp.html</a><BR>
<li><a href="http://www.kb.cert.org/vuls/id/310295">http://www.kb.cert.org/vuls/id/310295</a><BR>
</ol>

<HR>

<P> Our thanks to Inside Security GmbH for the information contained
in their advisory.

<HR NOSHADE>

<P>This document was written by Ian A. Finlay. If you have feedback
concerning this document, please send email to:

<DL><DD>
<a
href="mailto:cert@cert.org?Subject=Feedback%20CA-2001-17%20[VU%23310295]">mailto:cert@cert.org?Subject=Feedback CA-2001-17 [VU#310295]</a>
</DL>

<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
July 09, 2001: Initial Release
July 09, 2001: Removed references to RFCs describing RDP. Specifically, 
               we removed the references to RFC-908 and RFC-1151.

July 09, 2001: Added reference to Check Point's security document.
July 12, 2001: Added version 4.0 to systems affected section.
</PRE>

</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>