Date: Tue, 2 Sep 2003 11:25:33 +0100
From: IRM Advisories <advisories@irmplc.com>
To: [email protected]
Subject: IRM 007: The IP addresses of Check Point Firewall-1 internal interfaces may be enumerated using SecuRemote
--------------------------------------------------------------------------
IRM Security Advisory No. 007
The IP addresses of Check Point Firewall-1 internal interfaces may be
enumerated using SecuRemote
Vulnerability Type / Importance: Information Leakage / High
Problem discovered: July 25th 2003
Vendor contacted: July 25th 2003
Advisory published: August 22nd 2003
--------------------------------------------------------------------------
Abstract:
Check Point FireWall-1 versions 4.0 and 4.1 (prior to SP5) were shipped with
a product called SecuRemote which allows mobile users to connect to an
internal network using an encrypted and authenticated session. During the
initial unencrypted phase of communication between SecuRemote and Firewall-1
a packet is sent containing all the IP addresses of the firewall,
including those associated with the internal interfaces.
Description:
During various recent penetration tests IRM have established that internal
IP addresses configured on Check Point Firewall-1 devices appear to leak
from TCP ports 256 and 264.
N.B. This is a completely separate issue from the "unauthenticated topology
download" problem that has been previously discussed.
If a telnet connection is established to TCP port 256 on Firewall-1
versions 4.0 and 4.1 and the following sequence of characters is typed:
aa<CR>
aa<CR>
(where <CR> is a carriage return)
the firewall IP addresses are returned (in binary form).
In addition, when using SecuRemote to connect to a firewall on TCP port 264,
if a packet sniffer is used to capture the data transferred, the IP
addresses can also be viewed as shown below:
15:45:44.029883 192.168.1.1.264 > 10.0.0.1.1038: P 5:21(16) ack 17 win 8744 (DF)
0x0000 4500 0038 a250 4000 6e06 5b5a ca4d b102 E..8.P@.n.[Z.M..
0x0010 5102 42c3 0108 040e 1769 fb25 cdc0 8a36 Q.B......i.%...6
0x0020 5018 2228 fa32 0000 0000 000c c0a8 0101 P."(.2..........
0x0030 c0a8 0a01 c0a8 0e01 ........
c0a8 0101 = 192.168.1.1
c0a8 0a01 = 192.168.10.1
c0a8 0e01 = 192.168.14.1
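The decoding above can be done mechanically from a capture. The following Python script is an added example, not part of the advisory and not IRM's fwenum tool: it turns the tcpdump hex dump into bytes, strips the IPv4 and TCP headers using the IHL and data-offset fields rather than fixed offsets, and decodes the payload into dotted-quad addresses. It assumes the four bytes preceding the addresses (0000 000c) are a big-endian byte count of the address list; that reading is an inference from the capture (12 bytes, three addresses), not something the advisory states. The function names and the HEX_DUMP sample are constructed here from the dump shown above.

```python
import ipaddress
from typing import List

# Constructed from the tcpdump hex dump in the advisory: the 20-byte IPv4
# header, the 20-byte TCP header and the 16-byte payload. The ASCII column
# is left out so only hex words follow each offset.
HEX_DUMP = """\
0x0000 4500 0038 a250 4000 6e06 5b5a ca4d b102
0x0010 5102 42c3 0108 040e 1769 fb25 cdc0 8a36
0x0020 5018 2228 fa32 0000 0000 000c c0a8 0101
0x0030 c0a8 0a01 c0a8 0e01
"""

HEX_CHARS = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(dump: str) -> bytes:
    """Parse tcpdump -x style lines ("0xNNNN hhhh hhhh ...") into raw bytes.

    At most eight 16-bit words follow each offset; reading stops at the first
    field that is not pure hex, which drops a trailing ASCII column.
    """
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue
        for word in fields[1:9]:
            if len(word) % 2 or not set(word) <= HEX_CHARS:
                break
            out += bytes.fromhex(word)
    return bytes(out)


def tcp_payload(packet: bytes) -> bytes:
    """Return the TCP payload of an IPv4 packet, honouring IHL and data offset."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = int.from_bytes(packet[2:4], "big")
    if packet[9] != 6:
        raise ValueError("not a TCP segment")
    tcp = packet[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    data_off = (tcp[12] >> 4) * 4
    return tcp[data_off:]


def decode_leaked_addresses(payload: bytes) -> List[str]:
    """Decode the address list in the SecuRemote reply.

    Assumption (inferred from the capture, not stated by the advisory): the
    payload is a 4-byte big-endian byte count followed by that many bytes of
    packed IPv4 addresses.
    """
    if len(payload) < 4:
        raise ValueError("payload too short for a length field")
    length = int.from_bytes(payload[:4], "big")
    body = payload[4:4 + length]
    if len(body) != length or length % 4:
        raise ValueError(
            f"malformed address list: declared {length} bytes, got {len(body)}"
        )
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def leaked_addresses_from_dump(dump: str = HEX_DUMP) -> List[str]:
    """End-to-end: hex dump -> packet bytes -> TCP payload -> address list."""
    return decode_leaked_addresses(tcp_payload(hexdump_to_bytes(dump)))


if __name__ == "__main__":
    # Prints the three firewall interface addresses carried in the capture.
    for addr in leaked_addresses_from_dump():
        print(addr)
```

Run against the dump above it lists 192.168.1.1, 192.168.10.1 and 192.168.14.1, the same values the advisory decodes by hand; feeding it another capture of port 264 traffic from a firewall under review shows at a glance which interface addresses that firewall discloses before the session is encrypted.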
Check Point were contacted and confirmed that it was a known issue that was
fixed in version 4.1 service pack 5; however, the details about this
information leakage are not present in the service pack documentation. As
IRM identified this issue during a live penetration test, it was decided
that the information should be publicised so that firewall administrators
could be made aware of it and of the resolution to the problem. A tool
(fwenum) was then produced to demonstrate the technique (available on the
IRM website - http://www.irmplc.com/advisories.htm).
Tested Versions:
Firewall-1/VPN-1 4.0 - vulnerable
Firewall-1/VPN-1 4.1 - vulnerable pre sp5
Firewall-1/VPN-1 NG - not vulnerable
Tested Operating Systems:
Microsoft Windows NT4
Microsoft Windows 2000
Vendor & Patch Information:
Check Point were contacted on July 25th and promptly responded explaining
that the issue had been resolved in version 4.1 service pack 5, which was
released on September 13th 2001. Check Point recommends that customers stay
current with the latest service packs and versions, as they contain security
enhancements addressing both publicised and other issues.
Workarounds:
TCP Ports 256 and 264 can be filtered if the SecuRemote service is not
required.
Credits:
Research & Advisory: Andy Davis
Disclaimer:
All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.
--------------------------------------------------------------------------
Information Risk Management Plc.
22 Buckingham Gate
London
SW1E 6LB
+44 (0)207 808 6420