VPN-1/FireWall-1 Format Strings Vulnerability


Date: Thu, 12 Jul 2001 14:41:24 +0200
From: "K. van der Raad" <k.van.der.raad@itsec.nl.>
To: [email protected]
Subject: VPN-1/FireWall-1 Format Strings Vulnerability


Hi,

We stumbled across the following vulnerability alert and did not see
this issue in Bugtraq yet:

http://www.checkpoint.com/techsupport/alerts/format_strings.html


--

July 11, 2001


Summary: 
A security issue exists in VPN-1/FireWall-1 version 4.1 whereby a valid
firewall administrator connecting from an authorized management client
may send malicious data to a management station inside a control
connection, possibly preventing proper operation of the management
station. This issue exists because some instances of improper string
formatting occur in VPN-1/FireWall-1 version 4.1. By sending specially
constructed commands through authorized communication channels,
arbitrary code may be inserted onto the operating system stack of a
VPN-1/FireWall-1 management station. This vulnerability may only be
exploited by an authorized and authenticated VPN-1/FireWall-1
administrator connecting from a workstation explicitly trusted by the
management station, although read/write permission is not required in
order to perform this attack. Since full access (read/write)
administrators and those at the local system console already have direct
access to the firewall system, this is an escalation of privilege only
for read-only administrators. 


Solution:
For all users, upgrade to VPN-1/FireWall-1 4.1 Service Pack 4 and
install the SP4 hotfix. This hotfix only needs to be applied to
management stations, not firewall modules.


Check Point/Nokia Appliances (IPSO) and AIX Note:
Since 4.1 SP3 is the most recent version of VPN-1/FireWall-1 released
for these platforms, the hotfix for these will be released for 4.1 SP3.
Future service packs will incorporate the fix. 


Who is affected: 
All installations of VPN-1/FireWall-1 which allow remote GUI connections
should be assumed vulnerable to this exploit. It should be noted again
that the attack must be made by an authorized and valid VPN-1/FireWall-1
administrator connecting from an authorized GUI client station.

Immediate workaround: 
Restrict remote GUI access for read-only firewall administrators; review
the list of administrators and authorized GUI clients.

Changes made in the hotfix: 
Improper string formatting statements have been converted to secure ones
in this hotfix and all future releases. This has no other impact on
firewall operation.
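The defect class the advisory describes (Summary and "Changes made in the hotfix") is the classic format-string bug: data received over the control connection reaches a printf-family routine as the format argument instead of as a `%s` argument, so `%` directives inside it are interpreted. The following is an added illustration written for this archive entry, not Check Point code; `format_line`, `render_status_unsafe`, `render_status_safe` and `count_format_directives` are constructed names, and the status message is a constructed sample. It shows the vulnerable call shape beside the hotfix's "converted to secure" shape, and a small defender-side check that flags directives in a field that should be plain text.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed logging helper that formats into a caller-supplied buffer.
   It stands in for whatever printf-family routine a real product would use
   and is not the vendor's code. */
static int format_line(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern ("improper string formatting"): the message that
   arrived from the management client is passed as the format itself, so
   any '%' directive it carries is interpreted by the formatter. */
int render_status_unsafe(char *out, size_t outlen, const char *msg)
{
    return format_line(out, outlen, msg);   /* BUG: msg is the format */
}

/* Fixed pattern (what the hotfix does): a constant format, with the
   received message passed only as a %s argument, so it is never parsed. */
int render_status_safe(char *out, size_t outlen, const char *msg)
{
    return format_line(out, outlen, "%s", msg);
}

/* Defender-side check: count '%' conversion directives in a string that is
   supposed to be plain text. "%%" is a literal percent sign and is not
   counted. A non-zero result in such a field is worth logging or rejecting
   before the data reaches any formatting routine. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped literal percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a benign message that happens to contain '%'. */
    const char *msg = "progress 100%% done";
    char buf[128];

    render_status_unsafe(buf, sizeof buf, msg);
    printf("unsafe: %s\n", buf);   /* the "%%" was consumed as a directive */

    render_status_safe(buf, sizeof buf, msg);
    printf("safe:   %s\n", buf);   /* text passed through unchanged */

    printf("directives in sample: %d\n", count_format_directives(msg));
    printf("directives in \"%s\": %d\n", "id %x %n",
           count_format_directives("id %x %n"));
    return 0;
}
```

The two renderings differ even for this harmless input, which is exactly why the vulnerable shape is hard to spot in testing: nothing breaks until a message contains directives that consume or write through arguments the caller never supplied. Converting every `fn(msg)` to `fn("%s", msg)` removes the interpretation step, which is why the advisory can state the change has no other effect on firewall operation.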

Download information: 
For AIX, HPUX, Linux, Solaris, Windows NT & Windows 2000 select the
following options from the Software Subscription Download Site:

        Product: VPN-1/ FireWall-1 or Provider-1 
        Version: 4.1 
        Operating System: [Appropriate OS] 
        Encryption: [VPN+Des or VPN+Strong] 
        SP/Patch Level: [Appropriate Hotfix] 


For IPSO 3.3 select the following options from the Software Subscription
Download Site:

        Product: Nokia IP Series Appliance 
        Version: 4.1 
        Operating System: IPSO 3.3 
        Encryption: [VPN+Des or VPN+Strong] 
        SP/Patch Level: Format String Hotfix for SP3 (IPSO 3.3 Only) 


Acknowledgement:
This issue has been reported to Check Point by Halvar Flake, senior
reverse engineer of BlackHat Consulting.


-- 
        
        Kevin van der Raad <mailto:k.van.der.raad@itsec.nl.>
        
        ITsec Nederland B.V. <http://www.itsec.nl>;
        Informatiebeveiliging
        Exploit & Vulnerability Alerting Service
        
        P.O. box 5120
        NL 2000 GC Haarlem
        Tel +31(0)23 542 05 78
        Fax +31(0)23 534 54 77
        
        
--

ITsec Nederland B.V. may not be held liable for the effects or damages
caused by the direct or indirect use of the information or functionality
provided by this posting, nor the content contained within. Use them at
your own risk. ITsec Nederland B.V. bears no responsibility for misuse
of this posting or any derivatives thereof.