Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: K. van der Raad (k.van.der.raaditsec.nl)
Date: Thu Jul 12 2001 - 07:41:24 CDT
We stumbled across the following vulnerability alert and did not see
this issue in Bugtraq yet:
July 11, 2001
Summary: A security issue exists in VPN-1/FireWall-1 version 4.1 whereby a valid firewall administrator connecting from an authorized management client may send malicious data to a management station inside a control connection, possibly preventing proper operation of the management station. This issue exists because some instances of improper string formatting occur in VPN-1/FireWall-1 version 4.1. By sending specially constructed commands through authorized communication channels, arbitrary code may be inserted onto the operating system stack of a VPN-1/FireWall-1 management station. This vulnerability may only be exploited by an authorized and authenticated VPN-1/FireWall-1 administrator connecting from a workstation explicitly trusted by the management station, although read/write permission is not required in order to perform this attack. Since full access (read/write) administrators and those at the local system console already have direct access to the firewall system, this is an escalation of privilege only for read-only administrators.
Solution: For all users, upgrade to VPN-1/FireWall-1 4.1 Service Pack 4 and install the SP4 hotfix. This hotfix only needs to be applied to management stations, not firewall modules.
Check Point/Nokia Appliances (IPSO) and AIX Note: Since 4.1 SP3 is the most recent version of VPN-1/FireWall-1 released for these platforms, the hotfix for these will be released for 4.1 SP3. Future service packs will incorporate the fix.
Who is affected: All installations of VPN-1/FireWall-1 which allow remote GUI connections should be assumed vulnerable to this exploit. It should be noted again that the attack must be made by an authorized and valid VPN-1/FireWall-1 administrator connecting from an authorized GUI client station.
Immediate workaround: Restrict remote GUI access for read/only firewall administrators; review list of administrators and authorized GUI clients.
Changes made in the hotfix: Improper string formatting statements have been converted to secure ones in this hotfix and all future releases. This has no other impact on firewall operation.
Download information: For AIX, HPUX, Linux, Solaris, Windows NT & Windows 2000 select the following options from the Software Subscription Download Site:
Product: VPN-1/ FireWall-1 or Provider-1 Version: 4.1 Operating System: [Appropriate OS] Encryption: [VPN+Des or VPN+Strong] SP/Patch Level: [Appropriate Hotfix]
For IPSO 3.3 select the following options from the Software Subscription Download Site:
Product: Nokia IP Series Appliance Version: 4.1 Operating System: IPSO 3.3 Encryption: [VPN+Des or VPN+Strong] SP/Patch Level: Format String Hotfix for SP3 (IPSO 3.3 Only)
Acknowledgement: This issue has been reported to Check Point by Halvar Flake, senior reverse engineer of BlackHat Consulting.
-- Kevin van der Raad <mailto:k.van.der.raaditsec.nl> ITsec Nederland B.V. <http://www.itsec.nl> Informatiebeveiliging Exploit & Vulnerability Alerting Service P.O. box 5120 NL 2000 GC Haarlem Tel +31(0)23 542 05 78 Fax +31(0)23 534 54 77 --
ITsec Nederland B.V. may not be held liable for the effects or damages caused by the direct or indirect use of the information or functionality provided by this posting, nor the content contained within. Use them at your own risk. ITsec Nederland B.V. bears no responsibility for misuse of this posting or any derivatives thereof.
- application/x-pkcs7-signature attachment: S/MIME Cryptographic Signature