Category:   Device (Embedded Server/Appliance)  >   Check Point Safe@Office Vendors:   Check Point
Check Point Safe@Office Input Validation Hole Permits Cross-Site Request Forgery Attacks
SecurityTracker Alert ID:  1018317
SecurityTracker URL:
CVE Reference:   CVE-2007-3462   (Links to External Site)
Updated:  May 6 2008
Original Entry Date:  Jun 27 2007
Impact:   Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): firmware version 7.0.39x
Description:   A vulnerability was reported in Check Point Safe@Office. A remote user can conduct cross-site request forgery attacks.

The management interface does not properly validate user-supplied requests. A remote user can create specially crafted HTML that, when loaded by a target user, will submit arbitrary data to the target site and take actions on the site acting as the target user.

A remote authenticated user can also modify the admin password.

The vendor was notified on June 14, 2007.

Daniel Weber of Calyptix Security discovered this vulnerability.

The original advisory is available at:

Impact:   A remote user can cause arbitrary data to be submitted to the target site to take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (NGX 7.0.45 GA Release).
Vendor URL: (Links to External Site)
Cause:   Authentication error, Input validation error

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] Calyptix Security Advisory CX-2007-04 -

Calyptix Security Advisory CX-2007-04
Cross-Site Request Forgery Attack Against Check Point Safe@Office

Date: 06/26/2007

[ Overview ]

Multiple versions of Check Point's Safe@Office UTM device are
vulnerable to cross-site request forgery.  The test firmware was
version 7.0.39x, the latest available for the Safe@Office model.
Cursory testing shows that prior version 5.0.82x was also
vulnerable.  Other Check Point products were not tested.

This vulnerability allows an attacker to run commands on the web
interface if the attacker can get the Check Point user to view a
hostile web page while logged into his Check Point device.  These
actions could include opening up remote access.

As a separate but exacerbating vulnerability, a logged-in user can
change the admin password without knowing the existing password.

Please note that this category of attack exists against many
products from many vendors.  Calyptix Security is in the process of
contacting vendors with confirmed vulnerabilities and expects to be
releasing additional advisories.

[ Risk ]

Calyptix Security has classified this vulnerability as 'Medium Risk'.

This attack requires the attacker to know the URL that is used to
manage the device.  While this could conceivably be hard to guess,
in practice many are given addresses at the start of RFC 1918
address spaces, such as or  The attacker can
try several addresses simultaneously.

Furthermore, if the user has not changed from the default password,
the attacker does not need the user to have explicitly logged into
his Check Point for this attack to succeed.

[ Patch / Fix / Workaround ]

Check Point has released the Safe@Office firmware version Embedded
NGX 7.0.45 GA Release to resolve this issue. The release notes
for this firmware version can be found at:
(Registration required)

Please be aware that many products have this vulnerability.  Even if
you use devices besides Safe@Office, you are advised to follow these
steps to reduce your exposure.

1. Use web management in isolation.  Each browser instance should
    only connect to one device's web interface.  Do not operate
    multiple windows or tabs when managing a device.

    As a suggested approach, you could use Firefox to browse the web
    while using Internet Explorer to manage only your firewall.  You
    could also run your favorite browser inside of a virtual machine.

2. Log out of your web interface when not using it, and configure
    its inactivity timeouts.

3. Update to the latest version of your product's software.  CSRF
    attacks have only recently gained popularity, so any device more
    than a few years old is very likely to be vulnerable to them.

4. Disable JavaScript.  Note that many devices and websites require
    JavaScript to be enabled.  Authorizing sites on a case-by-case
    basis to use JavaScript can significantly reduce this
    vulnerability. (Please note that there may still be ways of
    exploiting this without JavaScript, but they generally involve
    social engineering or a poorly designed web interface.)

5. Operate your web management interface on a non-standard address
    and/or port.  (Please note that this is security through
    obscurity, and although it may protect you from general attacks,
    anyone targeting you will likely be able to figure out the

[ Analysis ]

Many web sites and web products use persistent authentication.
After the user logs in, all future requests are automatically
granted access.  A common way of doing this is to give the browser a
cookie, which it automatically supplies with every request.  The
server checks for the existence of this cookie on all important

A hostile web page can contain an invisible copy of the form that
the firewall's web interface uses to, for example, create a new
user.  The form can be submitted without any action required on the
end user's part.  The browser will make the submission,
automatically including the cookie.  The server sees the cookie and
processes the request as if the end user made it naturally.

There are other methods of persistent authentication besides
cookies; some of these are also vulnerable to CSRF, others are not.
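As an added example that is not part of the advisory or of any vendor code, the following Python models the cookie-only authorisation described above beside a hardened handler for the same "change admin password" form: it checks the Origin header against the management address, validates a session-bound anti-CSRF token, and requires the current password (addressing the advisory's second finding). The address, secret, session and credential values are constructed placeholders.

```python
# Added example (constructed, not Check Point's code): a cookie-only
# handler as the advisory describes, beside a hardened one.
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)        # constructed server secret
MGMT_ORIGIN = "https://192.168.10.1"        # assumed management address
SESSIONS = {"sess-abc": "admin"}            # constructed session store
PASSWORDS = {"admin": "correct horse"}      # constructed credential store


def csrf_token(session_id):
    """Token bound to the session via HMAC; a hostile page cannot read it,
    so a forged form cannot include it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_change_password(cookies, form):
    """Cookie-only authorisation: any request the browser sends with the
    session cookie is processed as the user's, which is what CSRF exploits.
    Note that the existing password is never asked for."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return "unauthenticated"
    PASSWORDS[user] = form["new_password"]
    return "changed"


def hardened_change_password(cookies, headers, form):
    """Reject requests lacking proof that they came from the device's own pages."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return "unauthenticated"
    # 1. The browser sets Origin itself; a page on another site cannot spoof it.
    if headers.get("Origin") != MGMT_ORIGIN:
        return "rejected: bad origin"
    # 2. The form must carry the per-session token; compare in constant time.
    expected = csrf_token(cookies["session"])
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return "rejected: missing or wrong csrf token"
    # 3. Re-authenticate before a sensitive change.
    if form.get("current_password") != PASSWORDS[user]:
        return "rejected: current password required"
    PASSWORDS[user] = form["new_password"]
    return "changed"
```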

[ Disclosure Timeline ]

06/05/2007 Vulnerability discovered in version 5.0.82x
06/14/2007 Vulnerability confirmed in version 7.0.39x
06/14/2007 Check Point and SofaWare contacted
06/17/2007 Check Point responds, acknowledges, tells us of planned fix
06/26/2007 Check Point releases fix, SofaWare makes announcement
06/26/2007 Calyptix releases advisory

[ Credit ]

Daniel Weber of Calyptix Security discovered and confirmed that this
vulnerability can be exploited.

[ Contact ]

You can contact Calyptix Security about this vulnerability by e-mailing

[ About Calyptix Security ]

Calyptix Security, founded in 2002, is located in Charlotte, North
Carolina.  Our Unified Threat Management (UTM) product, the
AccessEnforcer (TM), is used by customers to protect their network
infrastructure from security threats and is the only security
appliance in the market that deploys DyVax (TM), our patent-pending
signatureless inspection engine. The AccessEnforcer provides our
customers all available gateway security features, including VPN,
Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and
IM management, for a single price with no add-ons and no hidden

[ Legal Notice ]

Calyptix Security grants each recipient of this advisory permission
to redistribute this advisory in electronic or other written medium
without modification.  This advisory may not be modified without the
express written consent of Calyptix Security.  If the recipient
wishes to modify the advisory in any manner or redistribute the
contents of this advisory other than by way of an exact written or
electronic transmission hereof, please email for such permission.

The information in this advisory is believed to be accurate at the
time of publication based upon currently available information. Use
of this information constitutes acceptance for use in an AS IS
condition.  There are no warranties with regard to any information
in this advisory.  None of the author, the publisher nor Calyptix
Security (nor any of their employees, affiliates or agents) accepts
or has any liability for any direct, indirect or consequential loss
or damage arising from the use of, or reliance on, any information
contained in this advisory.
