Date: 18 August 1999
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-1999.113 -- Check Point Alert
ACK DOS Attack
18 August 1999
===========================================================================
Check Point Software Technologies Ltd has released the following alert
concerning a vulnerability FireWall-1 3.0b and 4.0. The vulnerability lies
in the fact that the mentioned versions of FireWall-1 respond to non-first
TCP packets by matching them against the rule base instead of dropping
them.
This vulnerability may allow users to mount a denial of service attack
against systems running FireWall-1.
- --------------------------BEGIN INCLUDED TEXT--------------------
ACK DOS Attack
Check Point has identified an ACK DOS attack against FireWall-1 3.0b and
4.0. In response, Check Point has developed INSPECT code changes that
provide a solution for this type of attack. This code change enables
Check Point gateways to drop non-first TCP packets instead of matching
the rule base. It should be noted that this INSPECT fix will cause a
change of behavior from the existing Check Point gateway behavior in the
following way: following a reboot, policy unload or stopping the
firewall, all active TCP connections will be blocked, and that any timed
out TCP connections (i.e., connections that have been inactive longer
than the TCP timeout) will be disconnected. The ability for
FireWall-1/VPN-1 to maintain connections after policy reload will not be
affected by this change.
For those with UNMODIFIED $FWDIR/lib/code.def files, you can download
Check Point updated files:
For FireWall-1 3.0b use:
http://www.checkpoint.com/techsupport/alerts/code3.0.def
For FireWall-1 4.0 use:
http://www.checkpoint.com/techsupport/alerts/code4.0.def
Another option is to edit the code.def files as described below.
Check Point 4.0-based Installations
The following INSPECT code (between the two lines starting
with "-----") should be added to the $FWDIR/lib/code.def
file (at the end of the file, just before the #endif statement).
NOTE: if you are managing V3.0 modules, using the 4.0 backwards
compatibility feature, please make the changes to the V3.0 code.def
file (located in $FWDIR/lib30), as described in the "Check Point
3.0-based Installations". After completing the edit, re-install the
security policy. For 4.0-based installations, this code will also
log these events.
----- 4.0 edit follows -----
#ifndef ALLOW_NONFIRST_RULEBASE_MATCH
tcp, first or <conn> in old_connections or
(
#ifndef NO_NONFIRST_RULEBASE_MATCH_LOG
(
<ip_p,src,dst,sport,dport,0> in logged
) or (
record <ip_p,src,dst,sport,dport,0> in logged,
set sr10 12, set sr11 0, set sr12 0, set sr1 0,
log bad_conn
) or 1,
#endif
vanish
);
#endif
----- End of 4.0 insert -----
Check Point 3.0-based Installations:
The following INSPECT code (between the two lines starting
with "-----") should be added to the $FWDIR/lib/code.def
file (at the end of the file, just before the #endif
statement). After completing the edit, re-install the
security policy.
----- 3.0 edit follows -----
#ifndef ALLOW_NONFIRST_RULEBASE_MATCH
tcp, first or <conn> in old_connections or vanish;
#endif
----- End of 3.0 insert -----
Check Point Software Technologies Ltd.
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It will
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBN+dv4Ch9+71yA2DNAQHZEwP7BkTIISUQjs0bVcpj8Pys+rtLJn0uf0/e
lihPwOTva58Qzih1M5hfFpZItcLuX8hwn8qnG6I1VOTWjASmoqnv+temOtPUUO9V
DYuh25GOmY+xqaVtkhm4bppqgVJm5HVVZbC6KGIdUG+ZlHvnGZzNq6I7THBNh5Dd
GKahVRPRvDE=
=2TGA
-----END PGP SIGNATURE-----
|