SecurityTracker.com
Category:   Application (Firewall)  >   FireWall-1/VPN-1
Vendors:   Check Point
Check Point FireWall-1/VPN-1 Lets Authorized Remote Administrators Execute Arbitrary Code on the Management Station
SecurityTracker Alert ID:  1001988
SecurityTracker URL:  http://securitytracker.com/id/1001988
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 13 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.1
Description:   Check Point reported a vulnerability in FireWall-1 and VPN-1 that allows a remote authorized administrator to execute arbitrary code on the firewall management station via the management client.

A valid administrator connecting from an authorized management client reportedly can send specially crafted commands over a control connection to a management station, where they will be executed.

The vulnerability is reportedly due to improper string formatting.

While the remote user must be an authorized administrator, the remote user does not need write privileges to execute the commands (i.e., they can be a read-only administrator).

Impact:   A remote authorized administrator can cause arbitrary operating system commands to be executed on the management station.
Solution:   The vendor has released a fix and recommends that all customers upgrade to VPN-1/FireWall-1 4.1 Service Pack 4 and install the SP4 hotfix (noting that the hotfix only needs to be applied to management stations, not to firewall modules).
Vendor URL:  www.checkpoint.com/techsupport/alerts/format_strings.html
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  VPN-1/FireWall-1 Format Strings Vulnerability


Hi,

We stumbled across the following vulnerability alert and did not see
this issue in Bugtraq yet:

http://www.checkpoint.com/techsupport/alerts/format_strings.html


--

July 11, 2001


Summary: 
A security issue exists in VPN-1/FireWall-1 version 4.1 whereby a valid
firewall administrator connecting from an authorized management client
may send malicious data to a management station inside a control
connection, possibly preventing proper operation of the management
station. This issue exists because some instances of improper string
formatting occur in VPN-1/FireWall-1 version 4.1. By sending specially
constructed commands through authorized communication channels,
arbitrary code may be inserted onto the operating system stack of a
VPN-1/FireWall-1 management station. This vulnerability may only be
exploited by an authorized and authenticated VPN-1/FireWall-1
administrator connecting from a workstation explicitly trusted by the
management station, although read/write permission is not required in
order to perform this attack. Since full access (read/write)
administrators and those at the local system console already have direct
access to the firewall system, this is an escalation of privilege only
for read-only administrators. 


Solution:
For all users, upgrade to VPN-1/FireWall-1 4.1 Service Pack 4 and
install the SP4 hotfix. This hotfix only needs to be applied to
management stations, not firewall modules.


Check Point/Nokia Appliances (IPSO) and AIX Note:
Since 4.1 SP3 is the most recent version of VPN-1/FireWall-1 released
for these platforms, the hotfix for these will be released for 4.1 SP3.
Future service packs will incorporate the fix. 


Who is affected: 
All installations of VPN-1/FireWall-1 which allow remote GUI connections
should be assumed vulnerable to this exploit. It should be noted again
that the attack must be made by an authorized and valid VPN-1/FireWall-1
administrator connecting from an authorized GUI client station.

Immediate workaround: 
Restrict remote GUI access for read/only firewall administrators; review
list of administrators and authorized GUI clients.

Changes made in the hotfix: 
Improper string formatting statements have been converted to secure ones
in this hotfix and all future releases. This has no other impact on
firewall operation.

Download information: 
For AIX, HPUX, Linux, Solaris, Windows NT & Windows 2000 select the
following options from the Software Subscription Download Site:

	Product: VPN-1/ FireWall-1 or Provider-1 
	Version: 4.1 
	Operating System: [Appropriate OS] 
	Encryption: [VPN+Des or VPN+Strong] 
	SP/Patch Level: [Appropriate Hotfix] 

For IPSO 3.3 select the following options from the Software Subscription
Download Site:

	Product: Nokia IP Series Appliance 
	Version: 4.1 
	Operating System: IPSO 3.3 
	Encryption: [VPN+Des or VPN+Strong] 
	SP/Patch Level: Format String Hotfix for SP3 (IPSO 3.3 Only) 


Acknowledgement:
This issue has been reported to Check Point by Halvar Flake, senior
reverse engineer of BlackHat Consulting.


-- 
	
	Kevin van der Raad <mailto:k.van.der.raad@itsec.nl>
	
	ITsec Nederland B.V. <http://www.itsec.nl>
	Informatiebeveiliging
	Exploit & Vulnerability Alerting Service
	
	P.O. box 5120
	NL 2000 GC Haarlem
	Tel +31(0)23 542 05 78
	Fax +31(0)23 534 54 77
	
--

ITsec Nederland B.V. may not be held liable for the effects or damages
caused by the direct or indirect use of the information or functionality
provided by this posting, nor the content contained within. Use them at
your own risk. ITsec Nederland B.V. bears no responsibility for misuse
of this posting or any derivatives thereof.
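
The "improper string formatting" named in the description, and the conversion to secure statements described for the hotfix, correspond to the C pattern of passing received text as the format argument. The block below is an added illustration, not Check Point's code and not part of the original advisory; the function names and the sample command text are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical handlers: 'cmd' stands for text received from an
   authenticated management client. Names are assumptions. */

/* BEFORE: the received text is the format string itself, so every
   '%' sequence in it is interpreted by the formatter. */
int log_cmd_unsafe(char *out, size_t n, const char *cmd)
{
    return snprintf(out, n, cmd);   /* improper string formatting */
}

/* AFTER: constant format string; the received text is only data. */
int log_cmd_safe(char *out, size_t n, const char *cmd)
{
    return snprintf(out, n, "%s", cmd);
}

/* Audit helper: count conversion directives in untrusted text.
   "%%" is a literal percent sign, not a directive. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample; "%%" keeps the unsafe call well-defined. */
    const char *cmd = "status 100%% ok";
    char a[64], b[64];

    log_cmd_unsafe(a, sizeof a, cmd);   /* formatter rewrites the text */
    log_cmd_safe(b, sizeof b, cmd);     /* text is copied verbatim */
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    printf("directives in \"%%x.%%x\": %d\n", count_directives("%x.%x"));
    return 0;
}
```

GCC's -Wformat-security option warns about the call in log_cmd_unsafe, which makes it a useful build flag when auditing a code base for this pattern.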

Copyright 2021, SecurityGlobal.net LLC