Firewall-1 - HTTP Security Server - Proxy vulnerability

Date: 18 Sep 2002 05:15:47 -0000
From: Mark van Gelder <vgelder@icon.co.za.>
To: [email protected]
Subject: Firewall-1 - HTTP Security Server - Proxy vulnerability

Versions affected: Checkpoint FW-1 Version 4.1 and NG (confirmed by Checkpoint)

Versions tested: Checkpoint FW-1 Version 4.1 (SP5 and SP6)



Summary:

When using an "out of the box" installation of FW-1 with a rule base of:

    Source             Destination   Service   Action     Track   Comment
    AllUsers@SomeNet   webserver     http      UserAuth   Long    Allow Auth HTTP
    Any                firewall      Any       drop       Long    Stealth Rule
    Any                Any           Any       drop       Long    CleanUp Rule

configuring the browser to proxy traffic as follows can enable a client browser to pass HTTPS and FTP traffic through the FW-1 enforcement point (even though only HTTP is allowed by the rule base):

    Type     Proxy Address   Port
    HTTP     firewall        80
    Secure   firewall        80
    FTP      firewall        80


Detail:

When using an action of UserAuth in Firewall-1 (even without using a resource), the traffic is handled by the Security Servers, in this case the HTTP Security Server (in.ahttpd).

It appears that the default for the HTTP Security Server is to allow any traffic that is proxied through the server (i.e. HTTP, HTTPS and FTP).

If one specifically uses a URI Resource, you are presented with the option to choose which Schemes (http, ftp, gopher, mailto, news, wais, Other) and Methods (GET, POST, HEAD, PUT, Other) etc. you wish to allow.

This option is not available for the HTTP service on its own.



This same issue can be applied to an HTTPS service by following the instructions for Authenticating outbound HTTPS (see VPN-1/Firewall-1 Administration Guide, page 504).

This will enable an HTTP Security Server on TCP:443. The client proxies are then set to port 443 and the traffic is passed in this way.



When using SP6, the behavior exhibited is slightly improved, due to the changes outlined in the SP6 Release Notes (July 23, 2002), under Known Limitations point 9, page 4: "The HTTP Security Server handles proxy and tunneled connection requests differently than earlier FireWall-1 versions…"

With a default SP6 install, trying to access an HTTPS site via an HTTP-only rule will fail, with an incorrect error message in the Log File; however, FTP access still succeeds.

Also, making the change http_connection_method_tunneling (true) reverts the module to the SP5 (and earlier) behavior.



Impact:

Since the issue outlined above requires that a user be authenticated, the impact is likely to be small in most cases.

However, certain installations may require that certain users be allowed restricted access to certain environments (such as DMZs etc.).

With the current default functionality in FW-1 the expected access restrictions are not going to apply.



Solution:

The only solution that comes to mind is to use Resources for ALL UserAuth rules and in this way have the ability to manually configure the required access and limit access for unwanted methods etc. When using a resource, this "functionality" is disabled by default; selecting the "Tunneling" "Connection Method" in the resource can enable it.

This requirement is enforced when running a fixed version from Checkpoint.
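The following is an added example, not code from the advisory or from Check Point, that models the behaviour described in the Detail and Solution sections: how a proxy-style request arriving at the HTTP Security Server is treated with no resource attached (relayed regardless of scheme) versus with a URI Resource that restricts Schemes, Methods and the Tunneling connection method. The request lines are constructed to match what a browser configured as in the Summary (HTTP, Secure and FTP all proxied through firewall:80) would send; the class and function names (`UriResourcePolicy`, `decide`, `parse_request_line`) are this example's own and are not Check Point identifiers.

```python
"""Model of how a proxied request is accepted or refused by an HTTP security
server, with and without a URI Resource restricting it.

Added example. The policy fields mirror the Resource options named in the
advisory (Schemes, Methods, Tunneling connection method); the names used
here are this example's own assumptions, not Check Point's.
"""
from dataclasses import dataclass
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit


class ProxyRequest(NamedTuple):
    method: str
    scheme: str   # URL scheme ("http", "ftp", ...) or "tunnel" for CONNECT
    host: str


def parse_request_line(line: str) -> ProxyRequest:
    """Parse the first line a proxying browser sends, e.g.
    'GET http://webserver/ HTTP/1.0' or 'CONNECT webserver:443 HTTP/1.0'."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    method, target, _version = parts
    method = method.upper()
    if method == "CONNECT":
        # CONNECT carries host:port rather than a URL; whatever the browser
        # sends afterwards (normally TLS) is tunnelled opaquely.
        host, _, _port = target.rpartition(":")
        return ProxyRequest(method, "tunnel", host or target)
    url = urlsplit(target)
    if not url.scheme or not url.netloc:
        raise ValueError(f"proxy request without absolute URL: {line!r}")
    return ProxyRequest(method, url.scheme.lower(), url.hostname or "")


@dataclass(frozen=True)
class UriResourcePolicy:
    """Subset of a URI Resource definition: allowed schemes and methods, and
    whether the 'Tunneling' connection method is enabled (off by default, as
    the advisory states for resources)."""
    schemes: frozenset = frozenset({"http"})
    methods: frozenset = frozenset({"GET", "POST", "HEAD"})
    tunneling: bool = False


def decide(req: ProxyRequest, policy: Optional[UriResourcePolicy]) -> Tuple[str, str]:
    """Return (action, reason). policy=None models a UserAuth rule with no
    resource attached, where the advisory observed the security server
    relaying any proxied scheme."""
    if policy is None:
        return "accept", "no resource attached: proxied request relayed as-is"
    if req.scheme == "tunnel":
        if policy.tunneling:
            return "accept", "tunneling connection method enabled by resource"
        return "drop", "CONNECT tunnel not permitted by resource"
    if req.scheme not in policy.schemes:
        return "drop", f"scheme {req.scheme!r} not in resource schemes"
    if req.method not in policy.methods:
        return "drop", f"method {req.method!r} not in resource methods"
    return "accept", f"{req.method} {req.scheme} permitted by resource"


# Constructed sample request lines, as a browser configured to proxy HTTP,
# Secure and FTP through firewall:80 would send them to the security server.
SAMPLE_REQUEST_LINES = [
    "GET http://webserver/index.html HTTP/1.0",
    "CONNECT webserver:443 HTTP/1.0",
    "GET ftp://webserver/pub/file.txt HTTP/1.0",
    "PUT http://webserver/upload HTTP/1.0",
]


def evaluate(lines: List[str], policy: Optional[UriResourcePolicy]) -> List[Tuple[str, str]]:
    """Return (request line, action) for each line under the given policy."""
    return [(line, decide(parse_request_line(line), policy)[0]) for line in lines]


if __name__ == "__main__":
    for label, pol in (("no resource", None), ("http-only resource", UriResourcePolicy())):
        print(f"== {label} ==")
        for line, action in evaluate(SAMPLE_REQUEST_LINES, pol):
            print(f"{action:6s} {line}")
```

Run as-is, the "no resource" pass accepts all four requests, including the CONNECT tunnel and the ftp:// URL, while the http-only resource drops those two and the PUT; setting `tunneling=True` on the resource re-admits the CONNECT request, which is the "Tunneling" connection method the Solution section warns re-enables the behaviour.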



Current Status with Vendor:

Checkpoint have raised the following CRs:

CR00073948, for FireWall-1 version 4.1 SP6
CR00073595, for FireWall-1 version NG FP2

Checkpoint have developed a Hotfix to resolve this issue. The HotFix disallows, by default, client proxy connections to UserAuth rules which do not make use of resources. This behaviour can be overcome by manually changing options in the objects.C file.

By: Mark van Gelder.
Date: 18 September 2002


