Category:   Application (Firewall)  >   FireWall-1/VPN-1
Vendors:   Check Point
(Check Point Issues Fix) Re: Check Point FireWall-1 and VPN-1 Both Pass Unauthorized RDP Packets
SecurityTracker Alert ID:  1001948
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 9 2001
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Check Point VPN-1(TM) & FireWall-1(R) Version 4.1; Build 41439 [VPN + DES], Build 41439 [VPN + DES + STRONG], Build 41716 [VPN + DES + STRONG] (SP2) were tested.
Description:   Inside Security reported a vulnerability in Check Point's FireWall-1 and VPN-1 products. The security hole allows any remote user to send RDP packets through the firewall in either direction.

If the product is configured to use the default 'implied rules' (used for firewall management communications), a remote user can create a fake Reliable Data Protocol (RDP) packet and send it through the firewall, in either direction, to any host.

FireWall-1 uses RDP on top of the User Datagram Protocol (UDP) to establish encrypted management sessions. It is reported that only the destination port (259) and the RDP command are verified by FireWall-1. As a result, a remote user can add a fake RDP header to normal UDP traffic to pass any data to port 259 on any remote host on either side of the firewall.

This vulnerability could allow unauthorized tunnels to be set up through the firewall.

The vulnerability is reportedly due to INSPECT code in the macro 'accept_fw1_rdp' that specifies that any UDP packet destined for port 259 and containing the RDPCRYPT command type (e.g., RDPCRYPTCMD, RDPUSERCMD, RDPSTATUSCMD) or the RDPCRYPT_RESTART command type (RDPCRYPT_RESTARTCMD) is permitted to pass through the firewall.
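
A defensive check for the condition described above, added here as an example and not code from the advisory or from Check Point: it scans gateway accept-log records for UDP/259 flows whose endpoints are not both known FireWall-1 modules and groups them by host pair. The log format, the addresses and the names FW1_MODULES, INTERNAL, parse and unexpected_rdp are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

RDP_PORT = 259
# Assumption: the only hosts that should exchange Check Point RDP.
FW1_MODULES = {"10.0.0.1", "192.0.2.1"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed protected network

# Constructed gateway accept-log records: time src dst proto dport bytes
SAMPLE_LOG = """\
2001-07-09T10:00:01 10.0.0.1 192.0.2.1 udp 259 120
2001-07-09T10:00:05 203.0.113.7 10.1.2.3 udp 259 1400
2001-07-09T10:00:09 10.1.2.3 203.0.113.7 udp 259 1300
2001-07-09T10:00:12 10.1.2.8 203.0.113.9 udp 53 80
2001-07-09T10:00:15 203.0.113.7 10.1.2.3 tcp 259 60
truncated record
"""

def parse(log):
    """Yield (src, dst, proto, dport, nbytes); skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _, src, dst, proto, dport, nbytes = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            yield src, dst, proto.lower(), int(dport), int(nbytes)
        except ValueError:
            continue

def unexpected_rdp(log):
    """Group UDP/259 flows whose endpoints are not both known modules."""
    pairs = defaultdict(lambda: {"bytes": 0, "directions": set()})
    for src, dst, proto, dport, nbytes in parse(log):
        if proto != "udp" or dport != RDP_PORT:
            continue
        if src in FW1_MODULES and dst in FW1_MODULES:
            continue  # expected module-to-module traffic
        inbound = ipaddress.ip_address(dst) in INTERNAL
        key = tuple(sorted((src, dst)))
        pairs[key]["bytes"] += nbytes
        pairs[key]["directions"].add("inbound" if inbound else "outbound")
    return dict(pairs)

if __name__ == "__main__":
    for (a, b), info in unexpected_rdp(SAMPLE_LOG).items():
        # Traffic to port 259 in both directions between one pair is tunnel-like.
        print(a, b, info["bytes"], sorted(info["directions"]))
```

A host pair that appears with both directions set is the pattern to review first, since the advisory notes that packets pass in either direction.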

Impact:   A remote user can send data through the firewall without authorization. A tunnel could be set up to pass information through the firewall in either direction.
Solution:   The vendor reports that a hotfix is available for immediate download which addresses this issue. Further details are available at:
Vendor URL:
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 9 2001 Check Point FireWall-1 and VPN-1 Both Pass Unauthorized RDP Packets

 Source Message Contents

Subject:  Check Point response to RDP Bypass

----- Forwarded message from Scott Walker Register <> -----

From: Scott Walker Register  <>
Subject: Check Point response to RDP Bypass
Date: Mon,  9 Jul 2001 10:33:42 -0500
Message-ID: <Chameleon.994689280.walker@stinky>
X-Mailer: Z-Mail Pro 6.2, NetManage Inc. [ZM62_16E]

Check Point uses a protocol called RDP (UDP/259) for some internal communication between software components (this is not the same RDP as IP protocol 27).  By default, VPN-1/FireWall-1 allows RDP packets to traverse firewall gateways in order to simplify encryption setup.  Under some conditions, packets with RDP headers could be constructed which would be allowed across a VPN-1/FireWall-1 gateway without being explicitly allowed by the rule base.

A hotfix is available for immediate download which addresses this issue.  Further details are available at

Check Point acknowledges Jochen Bauer and Boris Wesslowski of Inside Security GmbH, Stuttgart, Germany, for this contribution and their ethical and forthright cooperation.

----- End forwarded message -----

Elias Levy
Si vis pacem, para bellum

