AusCERT - ESB-2008.1071 -- [Win][Appliance][Solaris] -- Checkpoint VPN-1 PAT information disclosure

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2008.1071 -- [Win][Appliance][Solaris] -- Checkpoint VPN-1 PAT information disclosure
Date: 07 January 2009
References: AU-2009.0003

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                ESB-2008.1071 -- [Win][Appliance][Solaris]
                Checkpoint VPN-1 PAT information disclosure
                              8 January 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Checkpoint VPN-1
Publisher:            Portcullis Computer Security
Operating System:     Windows
                      Solaris
                      Network Appliance
Impact:               Access Confidential Data
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-5850

Original Bulletin:    http://www.portcullis-security.com/293.php

Comment: Check Point have released a response to this vulnerability. It is 
         available at:
         
         https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk36321

Revision History:     January 8 2009:   Added CVE Reference and a link to 
                                        the vendor's response
                      November 25 2008: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

   Checkpoint VPN-1 PAT information disclosure.

   Portcullis Security Advisory - 08-009

   Vulnerable System:

   Checkpoint VPN-1

   Vulnerability Title:

   Checkpoint VPN-1 PAT information disclosure.

   Vulnerability Discovery And Development:

   Portcullis Security Testing Services.

   Credit For Discovery:

   Tim Brown and Mark Lowe - Portcullis Computer Security Ltd.

   Affected systems:

   All known versions of Checkpoint VPN-1; the vulnerability discovered
   was for version R65.

   Details:

   By sending crafted packets to ports on the Firewall which are mapped
   by port address translation (PAT) to ports on internal devices,
   information about the internal network may be disclosed in the
   resulting ICMP error packets. Port 18264/tcp on the Firewall is
   typically configured in such a manner, with packets to this port being
   re-written to reach the Firewall management server. When the
   time-to-live (TTL) is set low, the Firewall fails to correctly
   sanitise the encapsulated IP headers in ICMP time-to-live exceeded
   packets resulting in the internal IP address being disclosed. For
   example:

   The response was elicited by sending a packet (from 194.0.0.1) to port
   18264/tcp on the Firewall's interface. The TTL was set low, so the
   Firewall could not forward it on.

   14:56:25.169480 IP (tos 0xe0, ttl 255, id 21407, offset 0, flags
   [none], proto: ICMP (1), length: 68) 193.0.0.1 > 194.0.0.1: ICMP time
   exceeded in-transit, length 48

   IP (tos 0x0, ttl 1, id 5120, offset 0, flags [none], proto: TCP (6),
   length: 40) 194.0.0.1.9003 > 10.0.0.99.18264: S, cksum 0x03e6
   (correct), 2834356043:2834356043(0) win 512

   The destination address on the encapsulated IP packet is the address
   of the Firewall management server. Note: This can be exploited whether
   the port is detected as being open or closed by a port scan of the
   Firewall's interface.

   Impact:

   An attacker could use this to determine the internal IP address of the
   Firewall management server.

   Exploit:

   The proof of concept exploit code is available as a NASL plugin for
   OpenVAS.

   Vendor Status:

   11/09/2008 - Vendor informed via email.

   23/09/2008 - Vendor Informed via email.

   24/10/2008 - Vendor informed of publication intention

   Copyright:

   Copyright © Portcullis Computer Security Limited 2008, All rights
   reserved worldwide.

   Permission is hereby granted for the electronic redistribution of this
   information. It is not to be edited or altered in any way without the
   express written consent of Portcullis Computer Security Limited.

   Disclaimer:

   The information herein contained may change without notice. Use of
   this information constitutes acceptance for use in an AS IS condition.
   There are NO warranties, implied or otherwise, with regard to this
   information or its use. Any use of this information is at the user's
   risk. In no event shall the author/distributor (Portcullis Computer
   Security Limited) be held liable for any damages whatsoever arising
   out of or in connection with the use or spread of this information.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSWV72ih9+71yA2DNAQLUpwP9EMaIDT1MSNaKEa97F1pgFc+KQpiQBhar
ZdCxOHiNRbbtlZARnhpXXJ6kVY5XqzJVjrfGt0Bh5YjwW6fcy/3uhERq5eVVTEwy
bHKF5LCrCYp1V/yON/acqmBWVj6jmXdKi+YZ6gB+olDz3XgWbYrDK1K83BjXYYPf
Pfz+DY//GMk=
=W6nW
-----END PGP SIGNATURE-----