Category: Application (Firewall) > FireWall-1/VPN-1    Vendor: Check Point
Check Point FireWall-1/VPN-1 Lets Authorized Remote Administrators Execute Arbitrary Code on the Management Station
SecurityTracker Alert ID:  1001988
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 13 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.1
Description:   Check Point reported a vulnerability in FireWall-1 and VPN-1 that allows a remote authorized administrator to execute arbitrary code on the firewall management station via the management client.

A valid administrator connecting from an authorized management client reportedly can send specially crafted commands to a management station via a control connection that will be executed on the management station.

The vulnerability is reportedly due to improper string formatting (a format string vulnerability in the management station's handling of commands received over the control connection).

While the remote user must be an authorized administrator, the remote user does not need write privileges to execute the commands (i.e., they can be a read-only administrator).

Impact:   A remote authorized administrator can cause arbitrary operating system commands to be executed on the management station.
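The "improper string formatting" pattern behind this class of bug, as an added illustration that is not Check Point's code and does not reproduce the product's command handling: a caller-supplied string passed directly as the format argument, beside the hardened form the hotfix describes (constant format, data as an argument), plus a small helper a defender can use to flag conversion directives in data before it reaches a formatting call. The function names and the sample input are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define OUT_LEN 128

/* Vulnerable pattern: the string received from the client is used as the
 * format itself, so any '%' directive inside it is interpreted by the C
 * library. gcc -Wformat-security flags exactly this call. */
const char *render_unsafe(const char *msg)
{
    static char out[OUT_LEN];
    snprintf(out, sizeof out, msg);
    return out;
}

/* Hardened pattern (what "converted to secure ones" means): a constant
 * format string, with the received data passed as an argument, so '%'
 * characters in the data are emitted literally. */
const char *render_safe(const char *msg)
{
    static char out[OUT_LEN];
    snprintf(out, sizeof out, "%s", msg);
    return out;
}

/* Defensive check for data about to reach a formatting function: count
 * conversion directives. A doubled "%%" is a literal percent sign and is
 * not counted. A non-zero result in untrusted input is worth logging. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample containing only "%%", so the unsafe call stays
     * well defined while still showing that the data is interpreted. */
    const char *arg = "rule 100%%";
    printf("unsafe: %s\n", render_unsafe(arg));
    printf("safe:   %s\n", render_safe(arg));
    printf("directives in \"%%s%%n\": %d\n", count_directives("%s%n"));
    return 0;
}
```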
Solution:   The vendor has released a fix and recommends that all customers upgrade to VPN-1/FireWall-1 4.1 Service Pack 4 and install the SP4 hotfix (noting that the hotfix only needs to be applied to management stations, not to firewall modules).
Vendor URL:
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.

 Source Message Contents

Subject:  VPN-1/FireWall-1 Format Strings Vulnerability



We stumbled across the following vulnerability alert and did not see
this issue in Bugtraq yet:


July 11, 2001

A security issue exists in VPN-1/FireWall-1 version 4.1 whereby a valid
firewall administrator connecting from an authorized management client
may send malicious data to a management station inside a control
connection, possibly preventing proper operation of the management
station. This issue exists because some instances of improper string
formatting occur in VPN-1/FireWall-1 version 4.1. By sending specially
constructed commands through authorized communication channels,
arbitrary code may be inserted onto the operating system stack of a
VPN-1/FireWall-1 management station. This vulnerability may only be
exploited by an authorized and authenticated VPN-1/FireWall-1
administrator connecting from a workstation explicitly trusted by the
management station, although read/write permission is not required in
order to perform this attack. Since full access (read/write)
administrators and those at the local system console already have direct
access to the firewall system, this is an escalation of privilege only
for read-only administrators. 

For all users, upgrade to VPN-1/FireWall-1 4.1 Service Pack 4 and
install the SP4 hotfix. This hotfix only needs to be applied to
management stations, not firewall modules.

Check Point/Nokia Appliances (IPSO) and AIX Note:
Since 4.1 SP3 is the most recent version of VPN-1/FireWall-1 released
for these platforms, the hotfix for these will be released for 4.1 SP3.
Future service packs will incorporate the fix. 

Who is affected: 
All installations of VPN-1/FireWall-1 which allow remote GUI connections
should be assumed vulnerable to this exploit. It should be noted again
that the attack must be made by an authorized and valid VPN-1/FireWall-1
administrator connecting from an authorized GUI client station.

Immediate workaround: 
Restrict remote GUI access for read/only firewall administrators; review
list of administrators and authorized GUI clients.

Changes made in the hotfix: 
Improper string formatting statements have been converted to secure ones
in this hotfix and all future releases. This has no other impact on
firewall operation.

Download information: 
For AIX, HPUX, Linux, Solaris, Windows NT & Windows 2000 select the
following options from the Software Subscription Download Site:

	Product: VPN-1/ FireWall-1 or Provider-1 
	Version: 4.1 
	Operating System: [Appropriate OS] 
	Encryption: [VPN+Des or VPN+Strong] 
	SP/Patch Level: [Appropriate Hotfix] 

For IPSO 3.3 select the following options from the Software Subscription
Download Site:

	Product: Nokia IP Series Appliance 
	Version: 4.1 
	Operating System: IPSO 3.3 
	Encryption: [VPN+Des or VPN+Strong] 
	SP/Patch Level: Format String Hotfix for SP3 (IPSO 3.3 Only) 

This issue has been reported to Check Point by Halvar Flake, senior
reverse engineer of BlackHat Consulting.

	Kevin van der Raad <>
	ITsec Nederland B.V. <>
	Exploit & Vulnerability Alerting Service
	P.O. box 5120
	NL 2000 GC Haarlem
	Tel +31(0)23 542 05 78
	Fax +31(0)23 534 54 77

ITsec Nederland B.V. may not be held liable for the effects or damages
caused by the direct or indirect use of the information or functionality
provided by this posting, nor the content contained within. Use them at
your own risk. ITsec Nederland B.V. bears no responsibility for misuse
of this posting or any derivatives thereof.