If "Accept FIrewall-1 Control Connections" is "off" on a limited user count
FW1, is this still an issue?
-Robert
At 07:34 PM 7/9/01 -0500, Oscar Aviles wrote:
>
>
>
> Look that friends....
>
>
>
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>CERT Advisory CA-2001-17 Check Point RDP Bypass Vulnerability
>
> Original release date: July 09, 2001
> Last revised: --
> Source: CERT/CC
>
> A complete revision history is at the end of this file.
>
>Systems Affected
>
> * Check Point VPN-1 and FireWall-1 Version 4.1
>
>Overview
>
> A vulnerability in Check Point FireWall-1 and VPN-1 may allow an
> intruder to pass traffic through the firewall on port 259/UDP.
>
>I. Description
>
> Inside Security GmbH has discovered a vulnerability in Check Point
> FireWall-1 and VPN-1 that allows an intruder to bypass the firewall.
> The default FireWall-1 management rules allow arbitrary RDP (Reliable
> Data Protocol) connections to traverse the firewall. RFC-908 and
> RFC-1151 describe the Reliable Data Protocol (RDP). Quoting from
> RFC-908:
>
> The Reliable Data Protocol (RDP) is designed to provide a reliable
> data transport service for packet-based applications such as remote
> loading and debugging.
>
> RDP was designed to have much of the same functionality as TCP, but it
> has some advantages over TCP in certain situations. FireWall-1 and
> VPN-1 include support for RDP, but they do not provide adequate
> security controls. Quoting from the advisory provided by Inside
> Security GmbH:
>
> By adding a faked RDP header to normal UDP traffic any content can
> be passed to port 259 on any remote host on either side of the
> firewall.
>
> For more information, see the Inside Security GmbH security advisory,
> available at
>
> http://www.inside-security.de/advisories/fw1_rdp.html
>
> Although the CERT/CC has not seen any incident activity related to
> this vulnerability, we do recommend that all affected sites upgrade
> their Check Point software as soon as possible.
>
>II. Impact
>
> An intruder can pass UDP traffic with arbitrary content through the
> firewall on port 259 in violation of implied security policies.
>
> If an intruder can gain control of a host inside the firewall, he may
> be able to use this vulnerability to tunnel arbitrary traffic across
> the firewall boundary.
>
> Additionally, even if an intruder does not have control of a host
> inside the firewall, he may be able to use this vulnerability as a
> means of exploiting another vulnerability in software listening
> passively on the internal network.
>
> Finally, an intruder may be able to use this vulnerability to launch
> certain kinds of denial-of-service attacks.
>
>III. Solutions
>
> Install a patch from Check Point Software Technologies. More
> information is available in Appendix A.
>
> Until a patch can be applied, you may be able to reduce your exposure
> to this vulnerability by configuring your router to block access to
> 259/UDP at your network perimeter.
>
>Appendix A
>
>Check Point
>
> Check Point has issued an alert for this vulnerability at
>
> http://www.checkpoint.com/techsupport/alerts/
>
> Download the patch from Check Point's web site:
>
> http://www.checkpoint.com/techsupport/downloads.html
>
>Appendix B. - References
>
> 1. http://www.inside-security.de/advisories/fw1_rdp.html
> 2. http://www.kb.cert.org/vuls/id/310295
> 3. http://www.ietf.org/rfc/rfc908.txt
> 4. http://www.ietf.org/rfc/rfc1151.txt
> _________________________________________________________________
>
> Our thanks to Inside Security GmbH for the information contained in
> their advisory.
> _________________________________________________________________
>
> This document was written by Ian A. Finlay. If you have feedback
> concerning this document, please send email to:
>
> mailto:[EMAIL PROTECTED]?Subject=Feedback CA-2001-17 [VU#310295]
>
> Copyright 2001 Carnegie Mellon University.
>
> Revision History
>July 09, 2001: Initial Release
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 5.0i for non-commercial use
>Charset: noconv
>
>iQCVAwUBO0njBQYcfu8gsZJZAQHOCAP+L8JEWTsWqvWjZQaVpHPb6GHn7D837lzc
>rE/ef50+6xSzRZyBPXQ8+3N6JqYk8PBufYCcqtiqL1PfNJw3YfrGJ5irzS4ENXTg
>mupUNTfdG0UhEAOWJbsjykfB0K/PPaeFrtf1jod1zd9uKPIFytHLAzMHWzUwTTtW
>4qSlIxoiHEQ=
>=v8vs
>-----END PGP SIGNATURE-----
>
>
>
>
>
>===========================================================================
=====
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>===========================================================================
=====
>
>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
