SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Firewall)  >   FireWall-1/VPN-1 Vendors:   Check Point
Check Point FireWall-1 SecuRemote Bug May Disclose Internal IP Addresses to Remote Users
SecurityTracker Alert ID:  1007603
SecurityTracker URL:  http://securitytracker.com/id/1007603
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 2 2003
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.0 and also 4.1 prior to SP5
Description:   A vulnerability was reported in the Check Point FireWall-1 when configured to use SecuRemote. A remote user can determine the IP addresses of the firewall's internal interfaces.

IRM reported that during the initial communications between a SecuRemote client and FireWall-1, the firewall sends an unencrypted packet containing the IP addresses of the firewall. This reportedly includes internal firewall interface addresses. A remote user can monitor the packet stream to determine the firewall's internal addresses, the report said.

As a demonstration exploit, a remote user can connect to the firewall on TCP port 256 and type the following character sequence to cause the firewall to return the IP addresses in binary form:

aa<CR>
aa<CR>

The following notification timeline is provided:

Problem discovered: July 25th 2003
Vendor contacted: July 25th 2003
Advisory published: August 22nd 2003

Impact:   A remote user can determine the firewall's internal IP addresses.
Solution:   The vendor reportedly fixed this flaw in version 4.1 Service Pack 5 (on September 13, 2001). According to the report, the vendor documentation does not reference this flaw.
Vendor URL:  www.checkpoint.com/
Cause:   Access control error
Underlying OS:  Windows (NT), Windows (2000)
Underlying OS Comments:  Tested on Windows NT and 2000

Message History:   None.


 Source Message Contents

Subject:  IRM 007: The IP addresses of Check Point Firewall-1 internal interfaces may be enumerated using SecuRemote


-------------------------------------------------------------------------------------------------

IRM Security Advisory No. 007

The IP addresses of Check Point Firewall-1 internal interfaces may be
enumerated using SecuRemote

Vulnerability Type / Importance: Information Leakage / High

Problem discovered: July 25th 2003
Vendor contacted: July 25th 2003
Advisory published: August 22nd 2003

-------------------------------------------------------------------------------------------------


Abstract:

Check Point FireWall-1 versions 4.0 and 4.1 (prior to SP5) were shipped with
a product called SecuRemote which allows mobile users to connect to an
internal network using an encrypted and authenticated session. During the
initial unencrypted phase of communication between SecuRemote and Firewall-1
a packet is sent containing all the IP addresses of the firewall,
including those associated with the internal interfaces.



Description:

During various recent penetration tests IRM have established that internal
IP addresses configured on Check Point Firewall-1 devices appear to leak
from TCP ports 256 and 264. 

N.B. This is a completely separate issue from the "unauthenticated topology
download" problem that has been previously discussed.

If a telnet connection is established with TCP port 256 on Firewall-1
Version 4.0 and 4.1 and the following sequence of characters is typed:

aa<CR>
aa<CR>

(where <CR> is a carriage return)

the firewall's IP addresses are returned (in binary form).

In addition, when using SecuRemote to connect to a firewall on TCP port 264,
if a packet sniffer is used to capture the data transferred, the IP
addresses can also be viewed as shown below:

15:45:44.029883 192.168.1.1.264 > 10.0.0.1.1038: P 5:21(16) ack 17 win 8744 (DF)
0x0000 4500 0038 a250 4000 6e06 5b5a ca4d b102       E..8.P@.n.[Z.M..
0x0010 5102 42c3 0108 040e 1769 fb25 cdc0 8a36       Q.B......i.%...6
0x0020 5018 2228 fa32 0000 0000 000c c0a8 0101       P."(.2.......M..
0x0030 c0a8 0a01 c0a8 0e01                           ........

c0a8 0101 = 192.168.1.1
c0a8 0a01 = 192.168.10.1
c0a8 0e01 = 192.168.14.1
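To make the decoding above reproducible for anyone reviewing their own captures, here is an added example (not part of the IRM advisory or of any Check Point tool) that walks the IPv4 and TCP headers of the quoted tcpdump output and pulls the addresses out of the SecuRemote reply. It assumes, from the capture alone, that the reply payload is a 4-byte big-endian byte count (0000 000c = 12) followed by that many bytes of packed IPv4 addresses; that framing is an observation, not documented protocol structure.

```python
import ipaddress
import struct

# Constructed copy of the tcpdump -x lines quoted in the advisory (ASCII column dropped).
CAPTURE = """\
0x0000 4500 0038 a250 4000 6e06 5b5a ca4d b102
0x0010 5102 42c3 0108 040e 1769 fb25 cdc0 8a36
0x0020 5018 2228 fa32 0000 0000 000c c0a8 0101
0x0030 c0a8 0a01 c0a8 0e01
"""


def hexdump_to_bytes(dump):
    """Turn 'offset hex hex ...' lines into the raw IPv4 packet bytes."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if tokens and tokens[0].lower().startswith("0x"):
            out += bytes.fromhex("".join(tokens[1:]))
    return bytes(out)


def tcp_payload(packet):
    """Follow the IHL and TCP data-offset fields; return (sport, dport, payload)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_off = (packet[ihl + 12] >> 4) * 4
    return sport, dport, packet[ihl + data_off:total_len]


def leaked_addresses(payload):
    """Decode the reply: assumed 4-byte big-endian byte count, then packed IPv4 addresses."""
    count = struct.unpack("!I", payload[:4])[0]
    addrs = payload[4:4 + count]
    if count % 4 or len(addrs) != count:
        raise ValueError("address block truncated or malformed")
    return [str(ipaddress.IPv4Address(addrs[i:i + 4])) for i in range(0, count, 4)]


def private_addresses(addrs):
    """Flag RFC 1918 addresses: these are the internal interfaces that should never leave the firewall."""
    return [a for a in addrs if ipaddress.IPv4Address(a).is_private]


if __name__ == "__main__":
    sport, dport, payload = tcp_payload(hexdump_to_bytes(CAPTURE))
    found = leaked_addresses(payload)
    print(f"TCP {sport} -> {dport} leaked {found}; private: {private_addresses(found)}")
```

Run against the quoted capture it reports the same three addresses the advisory lists, all of them RFC 1918, which is the signal an administrator would look for when checking whether a pre-SP5 firewall is still exposing its internal interfaces.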

 
Check Point were contacted and confirmed that it was a known issue that was
fixed in version 4.1 service pack 5; however, the details about this
information leakage are not present in the service pack documentation. As
IRM identified this issue during a live penetration test, it was decided
that the information should be publicised so that firewall administrators
could be made aware of it and of the resolution to the problem. A tool
(fwenum) was then produced to demonstrate the technique (available on the
IRM website - http://www.irmplc.com/advisories.htm).


Tested Versions:

Firewall-1/VPN-1 4.0 - vulnerable
Firewall-1/VPN-1 4.1 - vulnerable pre sp5
Firewall-1/VPN-1 NG  - not vulnerable


Tested Operating Systems:

Microsoft Windows NT4
Microsoft Windows 2000


Vendor & Patch Information:

Check Point were contacted on July 25th and promptly responded explaining
that the issue had been resolved in version 4.1 service pack 5, which was
released on September 13th 2001. Check Point recommends that customers stay
current with the latest service packs and versions, as they contain security
enhancements for both publicised and other issues.


Workarounds:

TCP Ports 256 and 264 can be filtered if the SecuRemote service is not
required.


Credits:

Research & Advisory: Andy Davis 


Disclaimer:

All information in this advisory is provided on an 'as is' 
basis in the hope that it will be useful. Information Risk Management 
Plc is not responsible for any risks or occurrences caused 
by the application of this information.


----------------------------------------------------------------------------

Information Risk Management Plc.
22 Buckingham Gate 
London 
SW1E 6LB
+44 (0)207 808 6420

