Published:
09 July 2001
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AUSCERT External Security Bulletin Redistribution

                   ESB-2001.276 -- CERT Advisory CA-2001-17
                    Check Point RDP Bypass Vulnerability
                                10 July 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Check Point VPN-1 FireWall-1 Version 4.1
Vendor:                 Check Point
Impact:                 Inappropriate Access
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-17 Check Point RDP Bypass Vulnerability

   Original release date: July 09, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Check Point VPN-1 and FireWall-1 Version 4.1

Overview

   A vulnerability in Check Point FireWall-1 and VPN-1 may allow an
   intruder to pass traffic through the firewall on port 259/UDP.

I. Description

   Inside Security GmbH has discovered a vulnerability in Check Point
   FireWall-1 and VPN-1 that allows an intruder to bypass the firewall.
   The default FireWall-1 management rules allow arbitrary RDP (Reliable
   Data Protocol) connections to traverse the firewall.

   RFC-908 and RFC-1151 describe the Reliable Data Protocol (RDP).
   Quoting from RFC-908:

     The Reliable Data Protocol (RDP) is designed to provide a reliable
     data transport service for packet-based applications such as
     remote loading and debugging. RDP was designed to have much of the
     same functionality as TCP, but it has some advantages over TCP in
     certain situations.

   FireWall-1 and VPN-1 include support for RDP, but they do not provide
   adequate security controls. Quoting from the advisory provided by
   Inside Security GmbH:

     By adding a faked RDP header to normal UDP traffic any content can
     be passed to port 259 on any remote host on either side of the
     firewall.
   For more information, see the Inside Security GmbH security advisory,
   available at

     http://www.inside-security.de/advisories/fw1_rdp.html

   Although the CERT/CC has not seen any incident activity related to
   this vulnerability, we do recommend that all affected sites upgrade
   their Check Point software as soon as possible.

II. Impact

   An intruder can pass UDP traffic with arbitrary content through the
   firewall on port 259 in violation of implied security policies.

   If an intruder can gain control of a host inside the firewall, he may
   be able to use this vulnerability to tunnel arbitrary traffic across
   the firewall boundary.

   Additionally, even if an intruder does not have control of a host
   inside the firewall, he may be able to use this vulnerability as a
   means of exploiting another vulnerability in software listening
   passively on the internal network.

   Finally, an intruder may be able to use this vulnerability to launch
   certain kinds of denial-of-service attacks.

III. Solutions

   Install a patch from Check Point Software Technologies. More
   information is available in Appendix A.

   Until a patch can be applied, you may be able to reduce your exposure
   to this vulnerability by configuring your router to block access to
   259/UDP at your network perimeter.

Appendix A

   Check Point

   Check Point has issued an alert for this vulnerability at

     http://www.checkpoint.com/techsupport/alerts/

   Download the patch from Check Point's web site:

     http://www.checkpoint.com/techsupport/downloads.html

Appendix B. - References

   1. http://www.inside-security.de/advisories/fw1_rdp.html
   2. http://www.kb.cert.org/vuls/id/310295
   3. http://www.ietf.org/rfc/rfc908.txt
   4. http://www.ietf.org/rfc/rfc1151.txt
     _________________________________________________________________

   Our thanks to Inside Security GmbH for the information contained in
   their advisory.
     _________________________________________________________________

   This document was written by Ian A. Finlay.
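   The interim workaround in section III, blocking 259/UDP at the
   perimeter, is the kind of rule that is easy to state and easy to get
   wrong (UDP only, destination port 259, applied in both directions
   because the bypass works "on either side of the firewall"). The
   following Python is an added illustration, not part of the CERT/CC or
   AusCERT bulletin and not Check Point code: it parses raw IPv4 packets,
   applies that interim rule, and runs it over three constructed sample
   packets (the addresses and payloads are made up for the example). It
   does not build or inspect RDP headers; the point of the perimeter
   rule is precisely that the router cannot tell a genuine Check Point
   RDP datagram from a faked one, so every 259/UDP datagram is dropped.

```python
import struct
import ipaddress
from typing import NamedTuple, Optional

# Port used for Check Point's RDP management traffic, per the advisory.
RDP_UDP_PORT = 259
PROTO_TCP = 6
PROTO_UDP = 17


class Datagram(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: Optional[int]   # None for protocols other than TCP/UDP
    dport: Optional[int]


def parse_ipv4(packet: bytes) -> Datagram:
    """Parse an IPv4 header and, for TCP/UDP, the port pair that follows it."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return Datagram(str(ipaddress.IPv4Address(src)),
                    str(ipaddress.IPv4Address(dst)), proto, sport, dport)


def interim_rule_blocks(packet: bytes) -> bool:
    """True if the interim perimeter rule (drop UDP to port 259) drops this packet.

    The rule is direction-agnostic on purpose: the bypass reaches port 259 on
    hosts on either side of the firewall, so it must be applied inbound and
    outbound alike.
    """
    d = parse_ipv4(packet)
    return d.proto == PROTO_UDP and d.dport == RDP_UDP_PORT


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet (no options, checksum left zero) for the constructed samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (checksum left zero) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLES = {
    # UDP datagram aimed at 259 with an arbitrary payload: the interim rule drops it.
    "udp_to_259": build_ipv4("198.51.100.7", "192.0.2.10", PROTO_UDP,
                             build_udp(40000, RDP_UDP_PORT, b"arbitrary content")),
    # Ordinary DNS query: untouched by the rule.
    "udp_dns": build_ipv4("198.51.100.7", "192.0.2.10", PROTO_UDP,
                          build_udp(40001, 53, b"\x00" * 12)),
    # TCP to port 259: the advisory concerns UDP only, so the rule lets it through.
    "tcp_to_259": build_ipv4("198.51.100.7", "192.0.2.10", PROTO_TCP,
                             struct.pack("!HH", 40002, RDP_UDP_PORT) + b"\x00" * 16),
}


def audit(samples: dict) -> dict:
    """Map each sample name to whether the interim rule would drop it."""
    return {name: interim_rule_blocks(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, blocked in audit(SAMPLES).items():
        print(f"{name:12s} -> {'DROP' if blocked else 'pass'}")
```

   The TCP sample is included deliberately: a rule written as "block
   port 259" without the protocol qualifier would also cut off any
   legitimate TCP service on that port, while one written for UDP only
   matches what the advisory actually calls for. The rule is a stopgap;
   section III still calls for the Check Point patch in Appendix A.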
   If you have feedback concerning this document, please send email to:

     mailto:cert@cert.org?Subject=Feedback CA-2001-17 [VU#310295]

   Copyright 2001 Carnegie Mellon University.

   Revision History

   July 09, 2001: Initial Release

- -----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBO0njBQYcfu8gsZJZAQHOCAP+L8JEWTsWqvWjZQaVpHPb6GHn7D837lzc
rE/ef50+6xSzRZyBPXQ8+3N6JqYk8PBufYCcqtiqL1PfNJw3YfrGJ5irzS4ENXTg
mupUNTfdG0UhEAOWJbsjykfB0K/PPaeFrtf1jod1zd9uKPIFytHLAzMHWzUwTTtW
4qSlIxoiHEQ=
=v8vs
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBO0rdByh9+71yA2DNAQG+LgP/XPlOZFxvB4LgfWtyoAxNaByr9V/y19r3
dTyPLofq/nrWykbz72Wpdp1pM4oG27Xhp7B0J6+osQOoe4pKkF2I6RgK2JNx6c1Y
i2neAuqsUwnBy7h1MxLj7NIalUHKrDGtRxrVejJh2aEbai6yAjV4NNXXR7tecpuP
5R4tuy1tIWc=
=vI2J
-----END PGP SIGNATURE-----