===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-97.161 -- SNI Checkpoint Firewall-1 Security Advisory
                              11 December 1997
===========================================================================

SNI has released the following advisory concerning a security problem
with Checkpoint Firewall-1. This vulnerability may allow unauthorized
users to access the SNMP daemon running on the firewall.

The following security bulletin is provided as a service to AUSCERT's
members. As AUSCERT did not write this document, AUSCERT has had no
control over its content. As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It will
not be updated when the original bulletin is. If downloading at a later
date, it is recommended that the bulletin is retrieved from the original
authors to ensure that the information is still current.

Contact information for SNI is included in the Security Bulletin below.
If you have any questions or need further information, please contact
them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/information/advisories.html

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: firstname.lastname@example.org
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for
                emergencies.
Facsimile:      (07) 3365 7031

--------------------------BEGIN INCLUDED TEXT--------------------

                        Secure Networks Inc.
                        Security Advisory
                        December 9, 1997

                Checkpoint Firewall-1 Security Advisory

This advisory addresses a security problem present in Checkpoint
Firewall-1 which allows unauthorized users to access the SNMP daemon
running on the firewall. This allows outsiders to obtain internal and
confidential information about the installation and operation of the
firewall and the network which it protects, without being traced.

Problem Description:
~~~~~~~~~~~~~~~~~~~~

The default recommended configuration of Firewall-1 allows outside users
to obtain confidential operation and statistical information from the
Simple Network Management Protocol (SNMP) daemon. Once obtained, this
information can be used by potential intruders to find vulnerabilities in
the firewall or connected systems. In addition, potential intruders can
obtain statistics on the firewall's operation. Software on the firewall
that is found to have known vulnerabilities can, in some cases, be
exploited immediately to cause a Denial of Service (DoS) attack.

Anyone wishing to see the volume of traffic going in and out of a target
firewall's network can obtain this information in a form that can be
directly imported into any number of network monitoring tools that can
graph it by time of day.

Technical Details:
~~~~~~~~~~~~~~~~~~

Firewall-1 makes use of the SNMP service on all platforms to obtain
information about the machine on which the firewall is running, and to
show the user real-time statistics about the firewall. For those
unfamiliar with the Firewall-1 user interface, the first option available
in the global properties dialog box is:

        "Enable Firewall-1 Control Connections [Essential]"
The word 'Essential' is contained in the user interface window itself,
causing unfamiliar users to be very reluctant to remove it, since they
feel the vendor should know best about this. The default configuration is
to have this selected and marked "First" so that it is evaluated BEFORE
the rule-set defined by the firewall administrator. Since Firewall-1
operates on a first-match rather than a best-match principle, nothing in
the rule-set overrides this.

The documentation makes it very clear that while this box is selected,
control connections required for use of the remote GUI are only allowed
if the IP address is listed in a specific text file. All other connection
attempts will be rejected. No mention is made of the fact that access is
allowed to the SNMP ports from any address. If access were restricted to
addresses that appear in the text file, this problem would be present to
a lesser degree, allowing an attacker to spoof UDP packets to set
variables, without needing to receive a reply.

The SNMP daemon reveals the version of the operating system and firewall,
as well as the configuration of the security perimeter, such as the
presence or absence of a service network (DMZ). The OS vendor's SNMP
daemon will generally make available information such as a list of all
active connections, a list of all running services and the entire routing
table (which, if the firewall runs RIP, contains a sizable amount of
information). Information such as the amount of traffic traveling on any
given interface can be useful to competitors gathering information on
network traffic.

In addition to the standard MIB, various vendors make their own
information available via enterprise MIBs. As the reference section of
this advisory notes, this may be important for NT users of the Checkpoint
firewall. Checkpoint has its own enterprise MIB (enterprises.1919).
This provides other information useful to the potential intruder, such as
the number of denied, dropped, allowed and logged packets, as well as the
current state of the firewall. The text of the last SNMP trap generated is
also provided. To an intruder, the information obtained can in many cases
point directly to a way in which they can gain remote access to the
protected network.

Access to the SNMP daemon is allowed in Rule-set 0 (Properties); no
logging of these accesses is made.

Vulnerable Operating Systems and Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All platforms running versions of Firewall-1 from Checkpoint where the
administrator has not disabled the "Enable Remote Connections" option
from the Properties, or has in some other way enabled access to the SNMP
server on the firewall.

Fix Information
~~~~~~~~~~~~~~~

Vendor Patch:

According to Checkpoint Software a patch for this problem is available
via:

        http://www.checkpoint.com/support

It should be noted that this URL is password protected and is only
accessible via Checkpoint authorized resellers.

Quick Fix:

Immediately unselect the "Enable Remote Connections" option. Also, block
all SNMP traffic at your border router (udp port 161). If you absolutely
require remote access, a qualified security administrator can assist you
in designing a policy that grants this access in the regular rule-base.

Please note that this suggestion is not supported by Checkpoint and is
provided within this advisory on an 'AS IS' basis. SNI (Secure Networks
Inc.) accepts no liability for this suggested fix, and end users should
apply it only after consulting their in-house security administrator.

Additional Information
~~~~~~~~~~~~~~~~~~~~~~

The information provided in this advisory was provided to SNI by Steve
Birnbaum <email@example.com>.

References
~~~~~~~~~~

  Managing Firewall-1 Using the Windows GUI, figure 1-11.
  Bugtraq mailing list post concerning MIB enterprises.77

A recent post to a security mailing list by Christopher Rouland
(CRouland@EXAMNYC.lehman.com) pointed out that the Microsoft LAN Manager
enterprise MIB (enterprises.77) listed vast amounts of information that
should be heavily guarded. This includes a list of running services and
their state, a list of all users that exist on the machine, any connected
shares and the number of failed password attempts, among other things.
Further, he found a certain variable in Microsoft's enterprise MIB that
could be set to 0, which resulted in the WINS database being cleared.
Exposing information such as the presence of any shares and the user list
on a firewall is a potentially disastrous breach of security.

Contacting Secure Networks Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can subscribe to our security advisory mailing list by sending mail to
firstname.lastname@example.org, containing the single line:

        subscribe sni-advisories

You can browse our web site at http://www.secnet.com

You can contact Secure Networks Inc. at <email@example.com> using the
following PGP key:

Type Bits/KeyID    Date       User ID
pub  1024/9E55000D 1997/01/13 Secure Networks Inc.
                                  <firstname.lastname@example.org>
                                  Secure Networks <email@example.com>

Copyright Notice
~~~~~~~~~~~~~~~~

The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.
--------------------------END INCLUDED TEXT--------------------
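The first-match evaluation described under Technical Details, and the Quick Fix of unselecting the implied rule and granting SNMP only to the management hosts in the regular rule-base, worked through in a small rule evaluator. This is an added example, not code from the advisory or from Firewall-1; the rule model, rule names and addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SNMP_PORT = 161  # udp/161, the port the advisory says to block at the border


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR source; "0.0.0.0/0" means any address
    proto: str            # "udp", "tcp" or "any"
    dport: Optional[int]  # None means any port
    action: str           # "accept" or "drop"
    log: bool = False


def first_match(rules: List[Rule], src: str, proto: str, dport: int) -> Tuple[str, str, bool]:
    """Evaluate a packet addressed to the firewall host the way Firewall-1 does:
    the first rule whose fields match decides, and nothing later overrides it.
    Returns (action, matched rule name, whether the match is logged)."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action, r.name, r.log
    return "drop", "implicit-drop", False  # nothing matched (constructed default)


# Constructed rule-bases. The first entry of DEFAULT_RULEBASE stands in for the
# Properties rule-set 0 ("Enable Remote Connections", marked "First"), which
# accepts SNMP from any source and, as the advisory notes, logs nothing.
MGMT_NET = "192.0.2.0/24"  # assumed management network of the remote GUI hosts
DEFAULT_RULEBASE = [
    Rule("rule0-implied-control-connections", "0.0.0.0/0", "udp", SNMP_PORT, "accept", log=False),
    Rule("admin-deny-snmp", "0.0.0.0/0", "udp", SNMP_PORT, "drop", log=True),  # never reached
]
FIXED_RULEBASE = [  # implied rule unselected; SNMP granted explicitly, then logged cleanup
    Rule("snmp-from-mgmt-only", MGMT_NET, "udp", SNMP_PORT, "accept", log=True),
    Rule("cleanup", "0.0.0.0/0", "any", None, "drop", log=True),
]


def snmp_exposed(rules: List[Rule], outside_host: str = "198.51.100.7") -> bool:
    """True if an arbitrary outside host reaches udp/161 on the firewall."""
    action, _, _ = first_match(rules, outside_host, "udp", SNMP_PORT)
    return action == "accept"


if __name__ == "__main__":
    for label, rb in (("default", DEFAULT_RULEBASE), ("fixed", FIXED_RULEBASE)):
        for host in ("198.51.100.7", "192.0.2.10"):
            print(label, host, first_match(rb, host, "udp", SNMP_PORT))
```

With the default rule-base the administrator's deny rule is never consulted, and the accepting match is unlogged, which is why the advisory recommends blocking udp/161 at the border router as well.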