AUSCERT External Security Bulletin Redistribution

     ESB-2004.0097 -- US-CERT Technical Cyber Security Alert TA04-036A
          HTTP Parsing Vulnerabilities in Check Point Firewall-1
                             06 February 2004


        AusCERT Security Bulletin Summary

Product:                Check Point Firewall-1 NG FCS
                        Check Point Firewall-1 NG FP1
                        Check Point Firewall-1 NG FP2
                        Check Point Firewall-1 NG FP3, HF2
                        Check Point Firewall-1 NG with Application
                        Intelligence R54
                        Check Point Firewall-1 NG with Application
                        Intelligence R55
Publisher:              US-CERT
Operating System:       Nokia IPSO
Impact:                 Administrator/Root Compromise
Access Required:        Remote
CVE Names:              CAN-2004-0039

Ref:                    ESB-2004.0094

--------------------------BEGIN INCLUDED TEXT--------------------

HTTP Parsing Vulnerabilities in Check Point Firewall-1

   Original release date: February 05, 2004
   Last revised: --
   Source: US-CERT

   A complete revision history can be found at the end of this file.

Systems Affected

     * Check Point Firewall-1 NG FCS
     * Check Point Firewall-1 NG FP1
     * Check Point Firewall-1 NG FP2
     * Check Point Firewall-1 NG FP3, HF2
     * Check Point Firewall-1 NG with Application Intelligence R54
     * Check Point Firewall-1 NG with Application Intelligence R55


   Several versions of Check Point Firewall-1 contain a vulnerability that
   allows remote attackers to execute arbitrary code with administrative
   privileges. This allows the attacker to take control of the firewall,
   and in some cases, to also control the server it runs on.

I. Description

   The Application Intelligence (AI) component of Check Point Firewall-1
   is an application proxy that scans traffic for application layer
   attacks once it has passed through the firewall at the network level.
   Earlier versions of Firewall-1 include the HTTP Security Server, which
   provides similar functionality.

   Both the AI and HTTP Security Server features contain an HTTP parsing
   vulnerability that is triggered by sending an invalid HTTP request
   through the firewall. When Firewall-1 generates an error message in
   response to the invalid request, a portion of the input supplied by the
   attacker is included in the format string for a call to sprintf().

   Researchers at Internet Security Systems have determined that it is
   possible to exploit this format string vulnerability to execute
   commands on the firewall. The researchers have also determined that
   this vulnerability can be exploited as a heap overflow, which would
   allow an attacker to execute arbitrary code. In either case, the
   commands or code executed by the attacker would run with administrative
   privileges, typically "SYSTEM" or "root". For more information, please
   see the ISS advisory at:


   The CERT/CC is tracking this issue as VU#790771. This reference number
   corresponds to CVE candidate CAN-2004-0039.
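   The defect described above (an error message that splices attacker text
   into the string later handed to sprintf() as its format) is a classic
   format-string bug, and the same unbounded sprintf() call is what turns a
   long expansion into the heap overflow ISS mentions. The following C
   program is an added illustration, not code from US-CERT, Check Point or
   ISS: the function names, the 256-byte buffer, the "Invalid HTTP request:"
   template and the two sample request lines are all constructed for the
   example. It shows the vulnerable pattern beside a hardened builder (literal
   format, request passed as an argument, bounded write), plus a small
   directive counter of the kind a detection rule for this class of attack
   might use.

```c
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 256

/* Constructed sample request lines (not captured traffic): one benign, one
 * carrying printf directives of the kind that would reach sprintf() through
 * the flaw described in the advisory. */
static const char *const BENIGN_REQUEST  = "GET /index.html HTTP/1.0";
static const char *const HOSTILE_REQUEST = "GET /%08x%08x%08x%n HTTP/1.0";

/* Count printf-style conversions in a string, skipping the escaped "%%".
 * A request line has no legitimate reason to carry "%n", so a non-zero count
 * (and "%n" in particular) is a reasonable criterion for a detection rule. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        /* skip flags, width and precision, e.g. "%08x", "%-20s", "%.100s" */
        const char *p = s + 1;
        while (*p && strchr("-+ #0123456789.*", *p))
            p++;
        if (*p && strchr("diouxXeEfgGcspn", *p)) {
            n++;
            s = p;                  /* resume after the conversion character */
        }
    }
    return n;
}

/* VULNERABLE pattern, reconstructed for illustration (not Check Point's code).
 * The request text is spliced into the message first, and the result is then
 * passed to sprintf() as its FORMAT string, so every '%' the client sent is
 * interpreted: "%x" leaks stack words, "%n" writes to memory, and repeated
 * expansions can grow the output past ERRBUF_SIZE (the heap-overflow path).
 * The call goes through a function pointer only so the demo still compiles
 * under -Werror=format-security; that does not make it any safer. */
typedef int (*sprintf_fn)(char *, const char *, ...);

int build_error_vulnerable(char *out, const char *request_line)
{
    char fmt[ERRBUF_SIZE];
    sprintf_fn fmt_print = sprintf;
    snprintf(fmt, sizeof fmt, "Invalid HTTP request: %s", request_line);
    return fmt_print(out, fmt);     /* attacker-controlled format string */
}

/* HARDENED form: the template is a string literal, the request is an
 * argument, the write is bounded by out_size, and "%.200s" caps how much of
 * the request is echoed back.  Returns the number of bytes written. */
int build_error_safe(char *out, size_t out_size, const char *request_line)
{
    snprintf(out, out_size, "Invalid HTTP request: %.200s", request_line);
    return (int)strlen(out);
}

int main(void)
{
    char out[ERRBUF_SIZE];
    printf("directives in benign request:  %d\n", count_format_directives(BENIGN_REQUEST));
    printf("directives in hostile request: %d\n", count_format_directives(HOSTILE_REQUEST));
    build_error_safe(out, sizeof out, HOSTILE_REQUEST);
    printf("hardened builder echoes it literally: %s\n", out);
    /* build_error_vulnerable(out, HOSTILE_REQUEST) is deliberately not run:
     * with "%n" in the format it writes through whatever is on the stack. */
    return 0;
}
```

   On benign input both builders produce the same text, which is why the bug
   survives ordinary testing; only a request containing '%' exposes the
   difference. The fix Check Point shipped changes the error strings, which
   closes the known trigger; the durable fix is the hardened form above,
   where client data can never become the format argument.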

II. Impact

   This vulnerability allows remote attackers to execute arbitrary code on
   affected firewalls with administrative privileges, typically "SYSTEM"
   or "root". Failed attempts to exploit this vulnerability may cause the
   firewall to crash.

III. Solution

   Apply the patch from Check Point

   Check Point has published a "Firewall-1 HTTP Security Server Update"
   that modifies the error return strings used when an invalid HTTP
   request is detected. For more information, please see the Check Point
   bulletin at:


   This update prevents attackers from using several known error strings
   to exploit this vulnerability. It is unclear at this time whether there
   are other attack vectors that may still allow exploitation of the
   underlying software defect.

   Disable the affected components

   Check Point has reported that their products are only affected by this
   vulnerability if the HTTP Security Servers feature is enabled.
   Therefore, affected sites may be able to limit their exposure to this
   vulnerability by disabling HTTP Security Servers or the Application
   Intelligence component, as appropriate.

   This vulnerability was discovered and researched by Mark Dowd of ISS.

   This document was written by Jeffrey P. Lanza.

   This document is available from:

   Copyright 2004 Carnegie Mellon University.

   Revision History
   Feb 05, 2004:  Initial release

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967