Thought this might be useful. Patch available at CP site.

Ragu

> -----Original Message-----
> From: CERT Advisory [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 09, 2001 10:33 AM
> To: [EMAIL PROTECTED]
> Subject: CERT Advisory CA-2001-17
>
> CERT Advisory CA-2001-17 Check Point RDP Bypass Vulnerability
>
>    Original release date: July 09, 2001
>    Last revised: --
>    Source: CERT/CC
>
>    A complete revision history is at the end of this file.
>
> Systems Affected
>
>      * Check Point VPN-1 and FireWall-1 Version 4.1
>
> Overview
>
>    A vulnerability in Check Point FireWall-1 and VPN-1 may allow an
>    intruder to pass traffic through the firewall on port 259/UDP.
>
> I. Description
>
>    Inside Security GmbH has discovered a vulnerability in Check Point
>    FireWall-1 and VPN-1 that allows an intruder to bypass the firewall.
>    The default FireWall-1 management rules allow arbitrary RDP (Reliable
>    Data Protocol) connections to traverse the firewall. RFC-908 and
>    RFC-1151 describe the Reliable Data Protocol (RDP). Quoting from
>    RFC-908:
>
>      The Reliable Data Protocol (RDP) is designed to provide a reliable
>      data transport service for packet-based applications such as remote
>      loading and debugging.
>
>    RDP was designed to have much of the same functionality as TCP, but it
>    has some advantages over TCP in certain situations. FireWall-1 and
>    VPN-1 include support for RDP, but they do not provide adequate
>    security controls. Quoting from the advisory provided by Inside
>    Security GmbH:
>
>      By adding a faked RDP header to normal UDP traffic any content can
>      be passed to port 259 on any remote host on either side of the
>      firewall.
>
>    For more information, see the Inside Security GmbH security advisory,
>    available at
>
>      http://www.inside-security.de/advisories/fw1_rdp.html
>
>    Although the CERT/CC has not seen any incident activity related to
>    this vulnerability, we do recommend that all affected sites upgrade
>    their Check Point software as soon as possible.
>
> II. Impact
>
>    An intruder can pass UDP traffic with arbitrary content through the
>    firewall on port 259 in violation of implied security policies.
>
>    If an intruder can gain control of a host inside the firewall, he may
>    be able to use this vulnerability to tunnel arbitrary traffic across
>    the firewall boundary.
>
>    Additionally, even if an intruder does not have control of a host
>    inside the firewall, he may be able to use this vulnerability as a
>    means of exploiting another vulnerability in software listening
>    passively on the internal network.
>
>    Finally, an intruder may be able to use this vulnerability to launch
>    certain kinds of denial-of-service attacks.
>
> III. Solutions
>
>    Install a patch from Check Point Software Technologies. More
>    information is available in Appendix A.
>
>    Until a patch can be applied, you may be able to reduce your exposure
>    to this vulnerability by configuring your router to block access to
>    259/UDP at your network perimeter.
>
> Appendix A
>
>    Check Point
>
>    Check Point has issued an alert for this vulnerability at
>
>      http://www.checkpoint.com/techsupport/alerts/
>
>    Download the patch from Check Point's web site:
>
>      http://www.checkpoint.com/techsupport/downloads.html
>
> Appendix B. - References
>
>     1. http://www.inside-security.de/advisories/fw1_rdp.html
>     2. http://www.kb.cert.org/vuls/id/310295
>     3. http://www.ietf.org/rfc/rfc908.txt
>     4. http://www.ietf.org/rfc/rfc1151.txt
>
> _________________________________________________________________
>
>    Our thanks to Inside Security GmbH for the information contained in
>    their advisory.
>
> _________________________________________________________________
>
>    This document was written by Ian A. Finlay. If you have feedback
>    concerning this document, please send email to:
>
>      mailto:[EMAIL PROTECTED]?Subject=Feedback CA-2001-17 [VU#310295]
>
>    Copyright 2001 Carnegie Mellon University.
>
>    Revision History
>    July 09, 2001: Initial Release

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
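
One way to check the interim workaround quoted above (blocking 259/UDP at the network perimeter) is to look for permitted UDP flows to port 259 that cross the boundary in either direction. This is an added example, not part of the advisory or of the original post; the flow-log format, the internal address ranges, the sample records and the function names are all assumptions made for illustration.

```python
import ipaddress

# Assumption: address ranges behind the firewall (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
RDP_PORT = 259  # UDP port named in CA-2001-17

# Constructed flow records: time proto src:sport dst:dport action
SAMPLE_LOG = """\
2001-07-10T08:00:01 udp 203.0.113.7:40000 10.1.2.3:259 permit
2001-07-10T08:00:02 udp 10.1.2.3:259 203.0.113.7:40000 permit
2001-07-10T08:00:05 udp 10.1.2.9:53211 198.51.100.4:259 permit
2001-07-10T08:00:09 udp 10.1.2.9:1030 10.1.9.1:259 permit
2001-07-10T08:00:11 tcp 203.0.113.7:40001 10.1.2.3:259 permit
2001-07-10T08:00:15 udp 203.0.113.9:40002 10.1.2.3:259 deny
this line is malformed
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in INTERNAL_NETS)

def parse_flow(line):
    """Return a dict for a well-formed record, or None for anything else."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, proto, src, dst, action = parts
    try:
        src_ip, sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        return {"ts": ts, "proto": proto.lower(), "action": action.lower(),
                "src": src_ip, "sport": int(sport), "dst": dst_ip,
                "dport": int(dport), "src_in": is_internal(src_ip),
                "dst_in": is_internal(dst_ip)}
    except ValueError:
        return None

def find_boundary_crossings(log_text):
    """List permitted UDP flows to port 259 whose endpoints are on opposite sides."""
    findings = []
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f is None or f["proto"] != "udp" or f["dport"] != RDP_PORT:
            continue
        if f["src_in"] == f["dst_in"] or f["action"] != "permit":
            continue  # same side of the perimeter, or already blocked
        direction = "outbound" if f["src_in"] else "inbound"
        findings.append((f["ts"], direction, f["src"], f["dst"]))
    return findings
```

With the router block in place, this check should return an empty list; any remaining entry is a path on which 259/UDP still crosses the perimeter.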
