Category:   Application (Firewall)  >   FireWall-1/VPN-1
Vendors:   Check Point
(CIAC Issues Advisory L-109) Re: Check Point FireWall-1 and VPN-1 Both Pass Unauthorized RDP Packets
SecurityTracker Alert ID:  1001985
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jul 13 2001
Original Entry Date:  Jul 13 2001
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Check Point VPN-1(TM) & FireWall-1(R) Version 4.1; Build 41439 [VPN + DES], Build 41439 [VPN + DES + STRONG], Build 41716 [VPN + DES + STRONG] (SP2) were tested.
Description:   Inside Security reported a vulnerability in Check Point's FireWall-1 and VPN-1 products. The security hole allows any remote user to send RDP packets through the firewall in either direction.

If the product is configured to use the default 'implied rules' (used for firewall management communications), a remote user can create a fake Reliable Data Protocol (RDP) packet and send it through the firewall, in either direction, to any host.

FireWall-1 uses RDP on top of the User Datagram Protocol (UDP) to establish encrypted management sessions. It is reported that only the destination port (259) and the RDP command are verified by FireWall-1. As a result, a remote user can add a fake RDP header to normal UDP traffic to pass any data to port 259 on any remote host on either side of the firewall.

This vulnerability could allow unauthorized tunnels to be set up through the firewall.

The vulnerability is reportedly due to INSPECT code in the macro 'accept_fw1_rdp' that specifies that any UDP packet destined for port 259 and containing the RDPCRYPT command type (e.g., RDPCRYPTCMD, RDPUSERCMD, RDPSTATUSCMD) or the RDPCRYPT_RESTART command type (RDPCRYPT_RESTARTCMD) is permitted to pass through the firewall.
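
Because the implied rule checks only the destination port and the RDP command, the packets themselves look legitimate to the firewall; what gives misuse away is who is talking. The following added example (not part of the advisory or of any Check Point tooling) reviews flow records for UDP/259 traffic in which either endpoint is not a known FireWall-1 host. The log format, the sample records and the host addresses are constructed, and it assumes that legitimate RDP traffic occurs only between FireWall-1 components.

```python
import ipaddress

# Assumption: hosts that legitimately speak Check Point RDP (firewall modules,
# management stations). Addresses are constructed placeholders.
FW1_HOSTS = {ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.10")}
RDP_PORT = 259

# Constructed flow records: "proto src_ip src_port dst_ip dst_port bytes"
SAMPLE_FLOWS = """\
udp 192.0.2.10 1025 192.0.2.1 259 120
udp 203.0.113.7 40000 198.51.100.20 259 1400
tcp 203.0.113.7 40001 198.51.100.20 259 60
udp 198.51.100.20 259 203.0.113.7 259 1400
udp 203.0.113.7 53000 198.51.100.20 53 80
not a flow line
"""

def parse_flow(line):
    """Return a dict for a well-formed record, or None for anything else."""
    parts = line.split()
    if len(parts) != 6:
        return None
    proto, src, sport, dst, dport, nbytes = parts
    try:
        return {"proto": proto.lower(),
                "src": ipaddress.ip_address(src), "sport": int(sport),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "bytes": int(nbytes)}
    except ValueError:
        return None

def suspicious_rdp_flows(text, fw_hosts=FW1_HOSTS):
    """UDP/259 flows where either endpoint is not a known FireWall-1 host."""
    hits = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "udp" or flow["dport"] != RDP_PORT:
            continue
        if flow["src"] not in fw_hosts or flow["dst"] not in fw_hosts:
            hits.append(flow)
    return hits

if __name__ == "__main__":
    for f in suspicious_rdp_flows(SAMPLE_FLOWS):
        print(f"review: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} ({f['bytes']} bytes)")
```

Flows in both directions are reported, matching the advisory's point that the packets pass through the firewall either way.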

Impact:   A remote user can send data through the firewall without authorization. A tunnel could be set up to pass information through the firewall in either direction.
Solution:   The vendor is scheduling a fix to be released today (July 9, 2001). Some temporary workarounds are provided in the Source Message.
Vendor URL: (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 9 2001 Check Point FireWall-1 and VPN-1 Both Pass Unauthorized RDP Packets

 Source Message Contents

Subject:  CIAC BULLETIN L-109 VPN-1/FireWall-1 RDP Communication Vulnerability

[ For Public Release ]


                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

                VPN-1/FireWall-1 RDP Communication Vulnerability
                          [Inside Security GmbH 7/10/2001]

July 11, 2001 00:00 GMT                                           Number l-109
PROBLEM:       Check Point uses a proprietary protocol called RDP (UDP/259) 
               for some internal communication between software components. In 
               the default configuration, packets conforming to this protocol 
               are allowed to pass unchecked through the firewall. These 
               packets could be used to create a covert channel through the 
PLATFORM:      Check Point VPN-1/FireWall-1 
DAMAGE:        Packets configured to conform to the RDP specification could be 
               used to create a covert channel through the firewall. 
SOLUTION:      Apply Service Pack 4 and install the SP4 hotfix available from 
               CheckPoint download site 
VULNERABILITY  The risk is MEDIUM. This vulnerability can only be used to 
ASSESSMENT:    create a covert channel through the firewall. An intruder must 
               already have access to both sides of the firewall to setup the 

[Start Inside Security GmbH Vulnerability Notification]

[End Inside Security GmbH Vulnerability Notification]



This message was posted through the FIRST mailing list server.  If you
wish to unsubscribe from this mailing list, send the message body of
"unsubscribe first-info" to first-majordomo@FIRST.ORG

