SecurityTracker.com
SecurityTracker Archives

Category:   Application (Firewall)  >   FireWall-1/VPN-1
Vendors:   Check Point
Check Point FireWall-1 HTTP Proxy Default Configuration May Allow HTTPS and FTP Traffic to Pass Through the Proxy
SecurityTracker Alert ID:  1005253
SecurityTracker URL:  http://securitytracker.com/id/1005253
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 19 2002
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.1, NG
Description:   A vulnerability was reported in Check Point FireWall-1 when a rule permits the HTTP service with the 'UserAuth' action under otherwise default settings. In that configuration the firewall may incorrectly pass HTTPS and FTP traffic from remote authenticated users through the HTTP Security Server (the firewall's HTTP proxy).

A remote authenticated user who points a browser's HTTP, Secure and FTP proxy settings at the firewall on port 80 may be able to pass HTTPS and FTP traffic through the firewall even though only HTTP is permitted by the rule set.

If the action is set to 'UserAuth', the traffic is processed by the Security Servers rather than by the stateful inspection module alone. It is reported that the default for the HTTP Security Server (in.ahttpd) is to allow any scheme that a client proxies through the server (i.e., HTTP, HTTPS and FTP); the option to restrict schemes and methods is only available when a URI Resource is used in the rule.

According to the report, when Service Pack 6 (SP6) is installed, the firewall no longer allows HTTPS to pass in this way but still allows FTP to pass. Setting http_connection_method_tunneling to true reportedly restores the SP5 (and earlier) behavior.

The same issue reportedly applies when an HTTP Security Server is enabled on TCP port 443, the documented configuration for authenticating outbound HTTPS: the client proxy settings are pointed at port 443 instead of port 80 and the traffic is passed in the same way.

Check Point has reportedly assigned the following CR numbers regarding this bug:

CR00073948, for FireWall-1 version 4.1 SP6
CR00073595, for FireWall-1 version NG FP2

Impact:   A remote authenticated user may be able to pass HTTPS and FTP traffic through the firewall via the HTTP proxy when the firewall is only configured to pass HTTP.
Solution:   According to the report, Check Point has developed a Hotfix that, by default, disallows client proxy connections through UserAuth-based rules that do not make use of Resources.

[Editor's note: At the time of this entry, Check Point had not yet publicly released information regarding the Hotfix. When information is released, a follow-up alert will be issued.]

As an alternative, the author of the report indicates that you may use URI Resources for all UserAuth-based rules, as Resources are not affected by this behavior. A Resource lets the administrator configure the permitted schemes and methods explicitly and so limit access to the unwanted ones.
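As an added worked example (not from the SecurityTracker entry, the reporter, or Check Point), the following Python script shows the mechanism behind the report and gives an administrator a check to run against an enforcement point before and after remediation. A browser configured as in the report pushes all three schemes through the one proxy port: plain HTTP as an absolute-URI GET, HTTPS as a CONNECT tunnel request, and FTP as a GET for an ftp:// URI that the proxy itself fetches over FTP. The script builds each of those requests, classifies the proxy's status line, and lists the schemes that were relayed although they are absent from the permitted set. The host names (firewall.lab, webserver.lab), the use of a Proxy-Authorization header to carry credentials, and the sample replies are assumptions or constructed for the demonstration; the report does not say whether FireWall-1's UserAuth prompt accepts Proxy-Authorization.

```python
# Added example (not from the SecurityTracker entry or Check Point): probe a
# plain-HTTP proxy port for the scheme leakage the advisory describes. A
# browser pushes all three schemes through ONE proxy port on the firewall:
#   http  -> GET http://host/      (absolute-URI request)
#   https -> CONNECT host:443      (tunnel; TLS then flows inside it)
#   ftp   -> GET ftp://host/       (proxy fetches over FTP, answers in HTTP)
# A rule base that permits only "http" is expected to refuse the last two.
import base64
import socket
from typing import Dict, Iterable, List, Optional, Tuple

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def build_proxy_request(scheme: str, host: str, port: Optional[int] = None,
                        credentials: Optional[Tuple[str, str]] = None) -> bytes:
    """Return the raw request a browser would send to a proxy for `scheme`."""
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme}")
    port = port or DEFAULT_PORTS[scheme]
    if scheme == "https":
        # CONNECT asks the proxy to open a raw TCP tunnel to host:port.
        request_line = f"CONNECT {host}:{port} HTTP/1.1"
        host_header = f"{host}:{port}"
    else:
        # Absolute-URI form; for ftp:// the proxy itself speaks FTP upstream.
        request_line = f"GET {scheme}://{host}:{port}/ HTTP/1.1"
        host_header = host
    headers = [request_line, f"Host: {host_header}", "Connection: close"]
    if credentials:
        # Assumption: the proxy honours RFC 7235 Proxy-Authorization (Basic).
        token = base64.b64encode(f"{credentials[0]}:{credentials[1]}".encode()).decode()
        headers.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(headers) + "\r\n\r\n").encode()


def parse_status(raw: bytes) -> Optional[int]:
    """Extract the HTTP status code from a reply, or None if it is not HTTP."""
    first = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace").split()
    if len(first) < 2 or not first[0].startswith("HTTP/"):
        return None
    try:
        return int(first[1])
    except ValueError:
        return None


def classify_response(raw: bytes) -> str:
    """Map the proxy's reply to what it tells us about the scheme."""
    status = parse_status(raw)
    if status is None:
        return "no-http-reply"   # connection dropped, or a non-HTTP banner
    if 200 <= status < 400:
        return "allowed"         # tunnel opened / resource fetched
    if status in (401, 407):
        return "auth-required"   # authenticate first, then judge
    if status in (403, 405, 501):
        return "denied"          # proxy refused the method or scheme
    if status in (502, 504):
        return "relayed"         # proxy tried upstream and failed: scheme permitted
    return f"other-{status}"


def probe(proxy: Tuple[str, int], target: str,
          schemes: Iterable[str] = tuple(DEFAULT_PORTS),
          credentials: Optional[Tuple[str, str]] = None,
          timeout: float = 5.0) -> Dict[str, str]:
    """Send one request per scheme through the proxy; classify each reply."""
    results: Dict[str, str] = {}
    for scheme in schemes:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(build_proxy_request(scheme, target, credentials=credentials))
            try:
                reply = s.recv(4096)
            except socket.timeout:
                reply = b""
        results[scheme] = classify_response(reply)
    return results


def leaked_schemes(results: Dict[str, str], permitted: Iterable[str]) -> List[str]:
    """Schemes the proxy relayed although the rule base permits only `permitted`."""
    allowed = set(permitted)
    return sorted(s for s, verdict in results.items()
                  if verdict in ("allowed", "relayed") and s not in allowed)


if __name__ == "__main__":
    # Live use against a lab enforcement point (host names are assumptions):
    # print(probe(("firewall.lab", 80), "webserver.lab"))
    # Constructed replies, showing how each class of answer is read:
    sample = {
        "http": classify_response(b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
        "https": classify_response(b"HTTP/1.0 200 Connection established\r\n\r\n"),
        "ftp": classify_response(b"HTTP/1.1 502 Bad Gateway\r\n\r\n"),
    }
    print(sample, "leaked:", leaked_schemes(sample, permitted={"http"}))
```

Run probe() from a client covered by the UserAuth rule, with the same credentials the user would supply in the browser. A 502 or 504 still counts as relayed, because the proxy attempted the upstream connection, which is exactly what the http-only rule was meant to prevent. After the Hotfix, or after converting the rule to a URI Resource limited to the http scheme, the https and ftp probes should come back as denied.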

Vendor URL:  www.checkpoint.com/
Cause:   Configuration error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Firewall-1 HTTP Security Server - Proxy vulnerability

Versions affected: Checkpoint FW-1 Version 4.1 and NG (confirmed by Checkpoint)
Versions tested: Checkpoint FW-1 Version 4.1 (SP5 and SP6)

Summary:

Source             Destination   Service   Action     Track   Comment
AllUsers@SomeNet   webserver     http      UserAuth   Long    Allow Auth HTTP
Any                firewall      Any       drop       Long    Stealth Rule
Any                Any           Any       drop       Long    CleanUp Rule

Configuring the browser to proxy traffic as follows can enable a client 
browser to pass HTTPS and FTP traffic through the FW-1 enforcement point 
(even though only HTTP is allowed by the rule base):

	Type      Proxy Address   Port
	HTTP      firewall        80
	Secure    firewall        80
	FTP       firewall        80

Detail:

When using an action of UserAuth in Firewall-1 (even without using a 
resource), the traffic is handled by the Security Servers, in this case 
the HTTP Security Server (in.ahttpd).

It appears that the default for the HTTP Security server is to allow any 
traffic that is proxied through the server (i.e. HTTP, HTTPS and FTP).

If one specifically uses a URI Resource, one is presented with the option 
to choose which Schemes (http, ftp, gopher, mailto, news, wais, Other) and 
Methods (GET, POST, HEAD, PUT, Other) etc. to allow.

This option is not available for the HTTP service on its own.

This same issue can be applied to an HTTPS service by following the 
instructions for Authenticating outbound HTTPS (See VPN-1/Firewall-1 
Administration Guide page 504).

This will enable an HTTP Security server on TCP:443. The client proxies 
are then set to Port 443 and the traffic is passed in this way.

When using SP6, the behavior exhibited is slightly improved (due to the 
changes outlined in the SP6 Release Notes (July 23, 2002)). Under Known 

With a default SP6 install, trying to access an HTTPS site via an HTTP 
only rule will fail, with an incorrect error message in the Log File, 
however FTP access still succeeds.

Also, making the change (http_connection_method_tunneling (true)) reverts 
the module to the SP5 (and earlier) behavior.

Impact:
Since the issue outlined above requires that a user be authenticated, the 
impact is likely to be small in most cases.

However, certain installations may require that certain users be allowed 

With the current default functionality in FW-1 the expected access 
restrictions are not going to apply.

Solution:

The only solution that comes to mind is to use Resources for ALL UserAuth 
rules and in this way have the ability to manually configure the required 
access and limit access for unwanted methods etc. When using a resource 

This requirement is enforced when running a fixed version from Checkpoint.

Current Status with Vendor:


CR00073948, for FireWall-1 version 4.1 SP6
CR00073595, for FireWall-1 version NG FP2

Checkpoint have developed a Hotfix to resolve this issue. The HotFix 
disallows client proxy connections to UserAuth rules which do not make use 
of resources by default. This behaviour can be overcome by manually 
changing options in the objects.C file.


By: Mark van Gelder.
Date: 18 September 2002


Copyright 2022, SecurityGlobal.net LLC