<FONT FACE="Verdana">

Original release date: July 09, 2001<BR>
Last revised: July 12, 2001<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<A NAME="affected"></A>
<H3>Systems Affected</H3>
<ul>
<li>Check Point VPN-1 and FireWall-1 Versions 4.0 &amp; 4.1</li>
</ul>

<A NAME="overview"></A>
<H3>Overview</H3>

<p>A vulnerability in Check Point FireWall-1 and VPN-1 may allow an
intruder to pass traffic through the firewall on port 259/UDP.

<A NAME="description"></A>
<H2>I. Description</H2>

<p><A HREF="http://www.inside-security.de/about_us/">Inside Security
GmbH</A> has discovered a vulnerability in Check Point FireWall-1 and
VPN-1 that allows an intruder to bypass the firewall. The default
FireWall-1 management rules allow arbitrary RDP connections to
traverse the firewall. 

<p>FireWall-1 and VPN-1 include support for RDP, but they do not provide
adequate security controls. Quoting from the advisory provided by
Inside Security GmbH:

<blockquote>By adding a faked RDP header to normal UDP traffic any content can be
passed to port 259 on any remote host on either side of the firewall.</blockquote>

<P>For more information, see the Inside Security GmbH security advisory,
available at
<a href="http://www.inside-security.de/advisories/fw1_rdp.html">http://www.inside-security.de/advisories/fw1_rdp.html</a>

<p>Although the CERT/CC has not seen any incident activity related to
this vulnerability, we do recommend that all affected sites upgrade
their Check Point software as soon as possible.

<A NAME="impact"></A>
<H2>II. Impact</H2>

<p>An intruder can pass UDP traffic with arbitrary content through the
firewall on port 259 in violation of implied security policies.

<p>If an intruder can gain control of a host inside the firewall, he
may be able to use this vulnerability to tunnel arbitrary traffic
across the firewall boundary.

<p>Additionally, even if an intruder does not have control of a host
inside the firewall, he may be able to use this vulnerability as a
means of exploiting another vulnerability in software listening
passively on the internal network.

<p>Finally, an intruder may be able to use this vulnerability to
launch certain kinds of denial-of-service attacks.

<A NAME="solution"></A>
<H2>III. Solutions</H2> 

<p>Install a patch from Check Point Software Technologies. More
information is available in Appendix A.

<p>Until a patch can be applied, you may be able to reduce your
exposure to this vulnerability by configuring your router to block
access to 259/UDP at your network perimeter.
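<p>Until the perimeter block is in place, it helps to know whether 259/UDP is already crossing the boundary. The following Python script is an added example, not part of the CERT/CC advisory or Check Point's material: it parses raw IPv4/UDP datagrams and flags any that use port 259 on either end, which is exactly the traffic the workaround above filters. The sample packets are constructed for the example and use documentation address ranges.

```python
import socket
import struct
from typing import Dict, List, Optional

RDP_PORT = 259      # FireWall-1 RDP service port named in the advisory
IPPROTO_UDP = 17

def parse_ipv4_udp(packet: bytes) -> Optional[Dict]:
    """Return src/dst/ports/payload length for an IPv4 datagram carrying UDP, else None."""
    if len(packet) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes (options included)
    if proto != IPPROTO_UDP or len(packet) < ihl + 8:
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "payload_len": ulen - 8}

def flag_rdp_traffic(packets: List[bytes]) -> List[Dict]:
    """Return a descriptor for every UDP datagram with port 259 as source or destination."""
    hits = []
    for pkt in packets:
        hdr = parse_ipv4_udp(pkt)
        if hdr and RDP_PORT in (hdr["sport"], hdr["dport"]):
            hits.append(hdr)
    return hits

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+UDP datagram (checksums left zero) for constructed test traffic."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp

# Constructed sample traffic (not a real capture): one DNS query, then two 259/UDP datagrams
SAMPLE_PACKETS = [
    build_udp("192.0.2.10", "198.51.100.5", 40000, 53, b"\x00" * 12),
    build_udp("203.0.113.7", "192.0.2.10", 4444, RDP_PORT, b"x" * 16),
    build_udp("192.0.2.10", "203.0.113.7", RDP_PORT, RDP_PORT, b"tunnel"),
]

if __name__ == "__main__":
    for h in flag_rdp_traffic(SAMPLE_PACKETS):
        print(f"259/UDP seen: {h['src']}:{h['sport']} -> {h['dst']}:{h['dport']} "
              f"({h['payload_len']} payload bytes)")
```

<p>Feed it the raw frames from a perimeter capture (strip the link-layer header first) and every hit is a datagram the router ACL described above would drop.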

<A NAME="vendors"></A>
<H2>Appendix A</H2> 

<h4>Check Point</h4>

<p>Check Point has issued an alert for this vulnerability at
<a href="http://www.checkpoint.com/techsupport/alerts/rdp.html">http://www.checkpoint.com/techsupport/alerts/rdp.html</a>

<p>Download the patch from Check Point's web site:
<a href="http://www.checkpoint.com/techsupport/downloads.html">http://www.checkpoint.com/techsupport/downloads.html</a>


<A NAME="references"><H2>Appendix B. - References</H2></A>

<ul>
<li><a href="http://www.inside-security.de/advisories/fw1_rdp.html">http://www.inside-security.de/advisories/fw1_rdp.html</a></li>
<li><a href="http://www.kb.cert.org/vuls/id/310295">http://www.kb.cert.org/vuls/id/310295</a></li>
</ul>


<P> Our thanks to Inside Security GmbH for the information contained
in their advisory.


<P>This document was written by Ian A. Finlay. If you have feedback
concerning this document, please send email to:
<a href="mailto:cert@cert.org?Subject=Feedback%20CA-2001-17%20[VU%23310295]">mailto:cert@cert.org?Subject=Feedback CA-2001-17 [VU#310295]</a>

<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History</P>
<ul>
<li>July 09, 2001: Initial Release</li>
<li>July 09, 2001: Removed references to RFCs describing RDP. Specifically,
we removed the references to RFC-908 and RFC-1151.</li>
<li>July 09, 2001: Added reference to Check Point's security document.</li>
<li>July 12, 2001: Added version 4.0 to systems affected section.</li>
</ul>
