===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2004.0097
           US-CERT Technical Cyber Security Alert TA04-036A
          HTTP Parsing Vulnerabilities in Check Point Firewall-1
                              06 February 2004
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Check Point Firewall-1 NG FCS
                   Check Point Firewall-1 NG FP1
                   Check Point Firewall-1 NG FP2
                   Check Point Firewall-1 NG FP3, HF2
                   Check Point Firewall-1 NG with Application Intelligence R54
                   Check Point Firewall-1 NG with Application Intelligence R55
Publisher:         US-CERT
Operating System:  Nokia IPSO
                   Linux SecurePlatform
                   Solaris
                   Windows
Impact:            Administrator/Root Compromise
Access Required:   Remote
CVE Names:         CAN-2004-0039

Ref:               ESB-2004.0094

--------------------------BEGIN INCLUDED TEXT--------------------

HTTP Parsing Vulnerabilities in Check Point Firewall-1

   Original release date: February 05, 2004
   Last revised: --
   Source: US-CERT

   A complete revision history can be found at the end of this file.

Systems Affected

   * Check Point Firewall-1 NG FCS
   * Check Point Firewall-1 NG FP1
   * Check Point Firewall-1 NG FP2
   * Check Point Firewall-1 NG FP3, HF2
   * Check Point Firewall-1 NG with Application Intelligence R54
   * Check Point Firewall-1 NG with Application Intelligence R55

Overview

   Several versions of Check Point Firewall-1 contain a vulnerability that
   allows remote attackers to execute arbitrary code with administrative
   privileges. This allows the attacker to take control of the firewall
   and, in some cases, also of the server it runs on.

I. Description

   The Application Intelligence (AI) component of Check Point Firewall-1
   is an application proxy that scans traffic for application layer
   attacks once it has passed through the firewall at the network level.
   Earlier versions of Firewall-1 include the HTTP Security Server, which
   provides similar functionality.

   Both the AI and HTTP Security Server features contain an HTTP parsing
   vulnerability that is triggered by sending an invalid HTTP request
   through the firewall. When Firewall-1 generates an error message in
   response to the invalid request, a portion of the input supplied by
   the attacker is included in the format string for a call to sprintf().

   Researchers at Internet Security Systems have determined that it is
   possible to exploit this format string vulnerability to execute
   commands on the firewall. The researchers have also determined that
   this vulnerability can be exploited as a heap overflow, which would
   allow an attacker to execute arbitrary code. In either case, the
   commands or code executed by the attacker would run with administrative
   privileges, typically "SYSTEM" or "root".

   For more information, please see the ISS advisory at:

       http://xforce.iss.net/xforce/alerts/id/162

   The CERT/CC is tracking this issue as VU#790771. This reference number
   corresponds to CVE candidate CAN-2004-0039.

II. Impact

   This vulnerability allows remote attackers to execute arbitrary code on
   affected firewalls with administrative privileges, typically "SYSTEM"
   or "root". Failed attempts to exploit this vulnerability may cause the
   firewall to crash.

III. Solution

Apply the patch from Check Point

   Check Point has published a "Firewall-1 HTTP Security Server Update"
   that modifies the error return strings used when an invalid HTTP
   request is detected. For more information, please see the Check Point
   bulletin at:

       http://www.checkpoint.com/techsupport/alerts/security_server.html

   This update prevents attackers from using several known error strings
   to exploit this vulnerability. It is unclear at this time whether there
   are other attack vectors that may still allow exploitation of the
   underlying software defect.
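   The defect described in section I, that attacker-supplied request data
   reaches the format argument of sprintf() when the error message is built,
   is a general C bug class. The following added example is not from the
   advisory or from Check Point's code; it shows, with constructed names and
   a constructed sample request, the vulnerable shape as a comment, the
   hardened way to build such an error reply, and a log-side check a defender
   can use to spot request lines carrying printf directives.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (as the advisory describes it; shown only for contrast):
 * the error text is assembled first and then handed to sprintf() as its
 * FORMAT argument, so '%' directives in the request are interpreted
 * instead of copied:
 *
 *     snprintf(msg, sizeof msg, "Invalid request: %s", request_line);
 *     sprintf(reply, msg);      // request_line now controls the format
 */

/* Hardened form: the format string is a compile-time constant, the untrusted
 * data is only ever a %s argument, snprintf() bounds the write, and the
 * precision caps how much of the request is echoed back.  Returns the length
 * the reply would have had, as snprintf() does. */
int build_error_reply(char *reply, size_t reply_len, const char *request_line)
{
    return snprintf(reply, reply_len,
                    "HTTP/1.0 400 Bad Request\r\n\r\nInvalid request: %.128s\r\n",
                    request_line);
}

/* Detection-side check: true if an untrusted request line carries printf
 * conversion directives.  Only conversion letters that are not hex digits
 * are tested, so ordinary URL percent-encoding such as %20 or %de is not
 * flagged; %n in particular has no legitimate use in a request line. */
bool contains_format_directives(const char *s)
{
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p + 1, '%')) {
        switch (p[1]) {
        case 'n': case 'x': case 'X': case 's': case 'p': case 'u': case 'i':
            return true;
        default:
            break;
        }
    }
    return false;
}

int main(void)
{
    char reply[512];
    const char *probe = "GET /%n%n%x%x HTTP/1.0";   /* constructed sample */

    build_error_reply(reply, sizeof reply, probe);
    fputs(reply, stdout);   /* the %n and %x appear literally in the reply */
    printf("format directives present: %s\n",
           contains_format_directives(probe) ? "yes" : "no");
    return 0;
}
```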
Disable the affected components

   Check Point has reported that their products are only affected by this
   vulnerability if the HTTP Security Servers feature is enabled.
   Therefore, affected sites may be able to limit their exposure to this
   vulnerability by disabling HTTP Security Servers or the Application
   Intelligence component, as appropriate.
   _________________________________________________________________

   This vulnerability was discovered and researched by Mark Dowd of ISS
   X-Force.
   _________________________________________________________________

   This document was written by Jeffrey P. Lanza.
   _________________________________________________________________

   This document is available from:

       http://www.us-cert.gov/cas/techalerts/TA04-036A.html
   _________________________________________________________________

   Copyright 2004 Carnegie Mellon University.

   Revision History

   Feb 05, 2004: Initial release

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

    http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

    http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.