SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Firewall)  >   FireWall-1/VPN-1 Vendors:   Check Point
Check Point FireWall-1/VPN-1 Component Can Be Crashed By Remote Users Sending Syslog Messages in Certain Cases
SecurityTracker Alert ID:  1006355
SecurityTracker URL:  http://securitytracker.com/id/1006355
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Mar 24 2003
Original Entry Date:  Mar 21 2003
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): NG FP3 and NG FP3 HF1
Description:   A denial of service vulnerability was reported in Check Point's FireWall-1/VPN-1 software. If configured to collect syslog messages from other devices, a remote user can cause the SmartTracker logging mechanism to crash.

It is reported that a remote user could send "excessive" amounts of data via a syslog connection to cause the SmartTracker logging mechanism on the target firewall to experience high CPU utilization rates. According to a report by AERAsec, this can cause SmartTracker to crash without notice. The service must be manually restarted to return to normal operations.

The syslog daemon is not enabled by default.

Check Point also reported that escape characters are not filtered from the syslog log files when viewed with the command-line utility. According to the report, they are properly removed when viewed via the GUI.

Check Point credits Dr. Peter Bieringer of AERAsec Network Services and Security GmbH for reporting this flaw.

Impact:   A remote user can cause the firewall's SmartTracker service to crash.
Solution:   Check Point has reportedly fixed the denial of service issue in NG FP3 HF2. For more information on the hot fix, see:

http://www.checkpoint.com/techsupport/ng/fp3_hotfix.html

Check Point also reports that a future release of VPN-1/FireWall-1 will remove the escape characters from syslog log files when viewed via the command line utility.

Versions prior to NG FP3 are reportedly not vulnerable, as they do not include the affected syslog daemon.

Vendor URL:  www.checkpoint.com/techsupport/alerts/syslog.html (Links to External Site)
Cause:   Resource error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Check Point syslog bug


http://www.checkpoint.com/techsupport/alerts/syslog.html

FireWall-1/VPN-1 security alert:

Check Point issued a security alert warning that a remote user could send "excessive" amounts of
data via a syslog connection to cause the SmartTracker logging mechanism on the target firewall to
experience high CPU utilization rates.  According to a report by AERAsec, this can cause
SmartTracker to crash without notice.  The service must be manually restarted to return to normal
operations.

The syslog daemon is not enabled by default.

Check Point also reported that escape characters are not filtered from the syslog log files when
viewed with the command-line utility.  According to the report, they are properly removed when
viewed via the GUI.


Check Point has reportedly fixed the denial of service issue in NG FP3 HF2.  For more information on
the hot fix, see:

http://www.checkpoint.com/techsupport/ng/fp3_hotfix.html

Check Point also reports that a future release of VPN-1/FireWall-1 will remove the escape characters
from syslog log files when viewed via the command line utility.

Check Point credits Dr. Peter Bieringer of AERAsec Network Services and Security GmbH for reporting
this flaw.


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC