


Category:   Application (Firewall)  >   FireWall-1/VPN-1
Vendors:   Check Point
(Additional Details) Re: Check Point FireWall-1 May Disclose Protected Network Topology to Remote Users in Certain Configurations
SecurityTracker Alert ID:  1002055
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 19 2001
Impact:   Disclosure of system information

Version(s): see the alert text below
Description:   A vulnerability has been reported in Check Point FireWall-1 that allows remote users to obtain a network topology of the protected network in certain configurations when SecuRemote is used.

A user provides additional information on how to support FWZ without disclosing the network topology. See the Source Message for details.

Impact:   A remote user can obtain information about the protected network when SecuRemote is enabled and, for versions 4.1SP1 and later, when the "respond to unauthenticated topology requests" option is enabled.
Solution:   Upgrade to 4.1SP1 or later and uncheck the "respond to unauthenticated topology requests" option in the Policy Properties.
Vendor URL:
Cause:   Configuration error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 18 2001 Check Point FireWall-1 May Disclose Protected Network Topology to Remote Users in Certain Configurations

 Source Message Contents

Subject:  Re: Firewall-1 Information leak

On Wed, 18 Jul 2001, Haroon Meer wrote:

> Checkpoint Firewall-1 makes use of a piece of software called SecuRemote
> to create encrypted sessions between users and FW-1 modules. Before remote
> users are able to communicate with internal hosts, a network topology of
> the protected network is downloaded to the client. While newer versions of
> the FW-1 software have the ability to restrict these downloads to only
> authenticated sessions, the default setting allows unauthenticated
> requests to be honoured. This gives a potential attacker a wealth of
> information including IP addresses, network masks (and even friendly
> descriptions).

This is a well-known, and generally accepted, risk associated with running
FWZ SecuRemote VPNs to FireWall-1.  As others have already commented, it
is possible to turn off unauthenticated topology downloads through the
policy properties.  If you do this, you will need to manually distribute a
userc.C file (containing the topology information) to all of your
SecuRemote users.  This file should be loaded into the
c:\winnt\fw\database directory on the client.

From start to finish, the procedure should go something like this:

1. Set up your firewall gateway for VPN, with the "Respond to
unauthenticated topology requests" enabled.

2. Set up a sample SecuRemote client, and download the site topology.

3. Turn off "Respond to unauthenticated topology requests".

4. Securely distribute the file userc.C from the sample client to all
SecuRemote users.

You will need to send out an updated userc.C any time there is a change to
the encryption domain or keying info.

Dave Taylor
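
One way a client could check a distributed userc.C before loading it, as an added example that is not part of the original message or of Check Point's software. It assumes the administrator publishes a SHA-256 digest of the file over a separate trusted channel; the function names and the .bak backup file are hypothetical, and the check covers integrity only, not confidentiality of the file in transit.

```python
import hashlib
import hmac
import os
import shutil
import tempfile
from pathlib import Path

# Client directory named in the message; pass another path when testing.
DEFAULT_DB_DIR = Path(r"c:\winnt\fw\database")


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def install_userc(received: Path, expected_sha256: str,
                  db_dir: Path = DEFAULT_DB_DIR) -> str:
    """Verify a received userc.C against the out-of-band digest, then install.

    Returns "unchanged" or "installed"; raises ValueError on digest mismatch."""
    actual = sha256_file(received)
    expected = expected_sha256.strip().lower()
    # Constant-time comparison; reject before touching the client database.
    if not hmac.compare_digest(actual, expected):
        raise ValueError("userc.C digest mismatch: refusing to install")

    target = db_dir / "userc.C"
    if target.exists():
        if sha256_file(target) == actual:
            return "unchanged"
        # Keep the previous topology so a bad update can be rolled back.
        shutil.copy2(target, db_dir / "userc.C.bak")

    # Write to a temp file in the same directory, then rename atomically.
    fd, tmp_name = tempfile.mkstemp(dir=db_dir, prefix="userc.", suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as out, open(received, "rb") as src:
            shutil.copyfileobj(src, out)
        os.replace(tmp_name, target)
    except BaseException:
        os.unlink(tmp_name)
        raise
    return "installed"
```

An "unchanged" result on a client after the encryption domain or keying info has changed means that client has not yet been sent the updated file.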

