Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (VPN)  >   FireWall-1/VPN-1 Vendors:   Check Point
(Check Point Issues Fix for VPN-1) Various TCP Stack Implementations Let Remote Users Deny Service
SecurityTracker Alert ID:  1022851
SecurityTracker URL:
CVE Reference:   CVE-2008-4609   (Links to External Site)
Date:  Sep 8 2009
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): R60, R62, R65, R70.1
Description:   Several vulnerabilities were reported in various TCP stack implementations. A remote user can cause denial of service conditions. Multiple vendors and products are affected. Check Point VPN-1 is affected.

A remote user can send specially crafted data to cause denial of service conditions on the target TCP connection queue.

Published reports indicate that a TCP connection must be established with the target system to exploit these vulnerabilities and that the vulnerabilities are based on weaknesses in the TCP protocol.

Robert E. Lee and Jack Louis of Outpost24 reported these vulnerabilities.

The vulnerabilities were publicly referenced in August 2008 in a blog posting:

CERT-FI is coordinating with affected vendors.

The CERT-FI advisory is available at:

[Editor's note: This Alert is a placeholder to document the overall vendor community investigation of these vulnerabilities. As vendors and researchers confirm which specific products are affected, separate Alerts will be issued for each affected product.]

Impact:   A remote user can cause denial of service conditions.
Solution:   Check Point has developed the following hotfixes, to be available from Check Point Technical Services:

* VPN-1 Power/UTM
- HotFix for R70.1
- HotFix for NGX R65 HFA_50
- HotFix for NGX R62 HFA_01
- HotFix for NGX R60 HFA_07

* VPN-1 Power VSX
- HotFix for NGX R65 (SecurePlatform, IPSO)
- VSX-1

The Check Point advisory is available at:

Vendor URL: (Links to External Site)
Cause:   State error

Message History:   This archive entry is a follow-up to the message listed below.
Oct 17 2008 Various TCP Stack Implementations Let Remote Users Deny Service

 Source Message Contents

[Original Message Not Available for Viewing]

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC