Dear Customers and Partners,

An IP fragment-driven Denial of Service vulnerability in FireWall-1 has been brought to the attention of Check Point Software Technologies. For more information, please reference the following URL:

http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html

Summary of Vulnerability:

It has been determined that a stream of large IP fragments can cause the FireWall-1 code that logs the fragmentation event to consume most available host system CPU cycles. It should be noted that no unauthorized access, information leakage, or fragment passing occurs. The vulnerability was discovered by Lance Spitzner ([EMAIL PROTECTED]) and has been confirmed by Check Point. Testing by Check Point indicates that versions 4.0 and 4.1 of FireWall-1 can be impacted (versions earlier than 4.0 were not tested).

Detail of Vulnerability:

For security reasons (e.g., overlay attacks) FireWall-1 reassembles all IP fragments of a datagram prior to inspection against the security policy. After reassembly, the packet is processed by the FireWall-1 Stateful Inspection engine and, if allowed by the security policy to proceed, the packet is refragmented and forwarded.

To identify and audit attacks such as Ping of Death, Check Point added a mechanism to FireWall-1 - outside of its standard logging capability - to log certain events that occur during the FireWall-1 virtual reassembly process. This fragmentation logging takes place on the gateway itself and not on the management station (relevant for distributed management deployments).

The authors used jolt2 to send a stream of extremely large IP fragments to a FireWall-1 gateway, which in some cases can cause the write mechanism to grab all host CPU resources. There is no fragmentation tracking resource that is exhausted; the fragmentation logging process itself is the cause of this issue.
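The condition described above (a stream of fragments whose reassembled size would exceed the IPv4 maximum, each one triggering the gateway's fragmentation logging path) can be recognised from the IP header alone. The following is an added, defender-side example and not Check Point's code: it decodes the fragment-relevant IPv4 header fields, classifies each fragment as normal or oversized (reassembled end beyond 65535 bytes), and counts fragment events per source so that a flood such as the one in this advisory stands out in a capture. The per-source threshold, the helper names and the sample headers are constructed assumptions for the example.

```python
"""Added example (not Check Point's code): classify IPv4 fragments and count
fragment events per source address. The threshold value and the sample
headers below are constructed for illustration."""
import struct
from collections import Counter

MAX_DATAGRAM = 65535        # RFC 791: largest possible IPv4 datagram
FRAG_FLOOD_THRESHOLD = 50   # assumed per-source count that warrants an alert


def parse_ipv4(hdr: bytes) -> dict:
    """Decode the fields of an IPv4 header that matter for fragment handling."""
    if len(hdr) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, _proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not a valid IPv4 header")
    flags = flags_frag >> 13
    more_fragments = bool(flags & 0x1)          # MF bit
    frag_offset = (flags_frag & 0x1FFF) * 8     # offset field is in 8-byte units
    return {
        "id": ident,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "total_len": total_len,
        "ihl": ihl,
        "mf": more_fragments,
        "offset": frag_offset,
        "is_fragment": more_fragments or frag_offset > 0,
    }


def reassembled_end(pkt: dict) -> int:
    """Byte position at which this fragment's payload would end after reassembly."""
    return pkt["offset"] + (pkt["total_len"] - pkt["ihl"])


def classify_fragment(pkt: dict) -> str:
    """'normal' for unfragmented packets, 'oversized' when reassembly would
    exceed MAX_DATAGRAM (the Ping-of-Death / jolt2 shape), else 'fragment'."""
    if not pkt["is_fragment"]:
        return "normal"
    if reassembled_end(pkt) > MAX_DATAGRAM:
        return "oversized"
    return "fragment"


def summarize(headers) -> dict:
    """Count fragment events per source and list sources over the threshold."""
    per_src = Counter()
    oversized = Counter()
    for hdr in headers:
        pkt = parse_ipv4(hdr)
        kind = classify_fragment(pkt)
        if kind == "normal":
            continue
        per_src[pkt["src"]] += 1
        if kind == "oversized":
            oversized[pkt["src"]] += 1
    alerts = sorted(s for s, n in per_src.items() if n >= FRAG_FLOOD_THRESHOLD)
    return {"fragments": dict(per_src), "oversized": dict(oversized), "alerts": alerts}


def make_header(src, dst, total_len, ident, mf, offset_bytes) -> bytes:
    """Build a constructed IPv4 header for the sample data (test input only)."""
    flags_frag = ((1 if mf else 0) << 13) | (offset_bytes // 8)
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, 1, 0, to_bytes(src), to_bytes(dst))


# Constructed sample capture: one source sends sixty fragments whose offset
# sits at the end of the address space, another sends an ordinary two-piece
# datagram, and one packet is not fragmented at all.
SAMPLE_HEADERS = (
    [make_header("192.0.2.10", "203.0.113.1", 68, 0x1234, False, 65528)] * 60
    + [make_header("198.51.100.7", "203.0.113.1", 1500, 0x0042, True, 0),
       make_header("198.51.100.7", "203.0.113.1", 520, 0x0042, False, 1480),
       make_header("198.51.100.9", "203.0.113.1", 84, 0x0099, False, 0)]
)

if __name__ == "__main__":
    print(summarize(SAMPLE_HEADERS))
```

Only the source-level count is new relative to what FireWall-1 already logs; the point of the summary is to turn per-fragment console writes, which this advisory shows can starve the host CPU, into one aggregated figure per sender that can be alerted on from a capture or a span port rather than on the gateway itself.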
Minimizing the possible threat:

Check Point is in the process of building new kernel binaries that will modify the mechanism by which fragment events are written to the host system console, as well as providing configurable options for how often to log. In addition, and independent of the console message writing, with the new binaries FireWall-1 administrators will be able to use the Check Point log file method for reporting fragmentation events. These binaries will be released shortly in Service Pack 2 of FireWall-1 version 4.1, for 4.1 users, and as a Service Pack 6 Hot Fix for FireWall-1 version 4.0 users. A follow-up response will be made to this forum when this software is available.

As an interim workaround, customers can disable the console logging, thereby mitigating this issue, by running the following command line on their FireWall-1 module(s):

$FWDIR/bin/fw ctl debug -buf

This takes effect immediately. This command can be added to the $FWDIR/bin/fw/fwstart command so that it is enabled when the firewall software is restarted. It should be noted that although this command disables the fragmentation console output messages, standard log messages (e.g., Long, Short, control messages, etc.) will continue to operate in their traditional way.

Disclaimers:

All information included in this response is based on available knowledge at the time of this publication. This information is supplied as a service and is not binding on Check Point Technical Support.

Additional Information:

For those not having a technical support contract with Check Point Software Technologies, please contact Check Point at 1-650-628-2000 or your local reseller. Additional information on this matter and other technical support issues is available at www.checkpoint.com/techsupport.
Thank you,
Check Point Support
