-----------------------------------------------------------------------------

IRM Security Advisory No. 007

The IP addresses of Check Point Firewall-1 internal interfaces may be
enumerated using SecuRemote

Vulnerability Type / Importance: Information Leakage / High

Problem discovered: July 25th 2003
Vendor contacted: July 25th 2003
Advisory published: August 22nd 2003

-----------------------------------------------------------------------------

Abstract:

Check Point FireWall-1 versions 4.0 and 4.1 (prior to SP5) were shipped with
a product called SecuRemote, which allows mobile users to connect to an
internal network using an encrypted and authenticated session. During the
initial unencrypted phase of communication between SecuRemote and
Firewall-1, a packet is sent containing all the IP addresses of the
firewall, including those associated with the internal interfaces.

Description:

During various recent penetration tests IRM have established that internal
IP addresses configured on Check Point Firewall-1 devices appear to leak
from TCP ports 256 and 264.

N.B. This is a completely separate issue from the "unauthenticated topology
download" problem that has been discussed previously.

If a telnet connection is established with TCP port 256 on Firewall-1
version 4.0 or 4.1 and the following sequence of characters is typed:

aa<CR>
aa<CR>

(where <CR> is a carriage return), the firewall IP addresses are returned in
binary form.

In addition, when using SecuRemote to connect to a firewall on TCP port 264,
if a packet sniffer is used to capture the data transferred, the IP
addresses can also be viewed, as shown below:

15:45:44.029883 192.168.1.1.264 > 10.0.0.1.1038: P 5:21(16) ack 17 win 8744 (DF)
0x0000 4500 0038 a250 4000 6e06 5b5a ca4d b102 E..8.P@.n.[Z.M..
0x0010 5102 42c3 0108 040e 1769 fb25 cdc0 8a36 Q.B......i.%...6
0x0020 5018 2228 fa32 0000 0000 000c c0a8 0101 P."(.2.......M..
0x0030 c0a8 0a01 c0a8 0e01 ........

c0a8 0101 = 192.168.1.1
c0a8 0a01 = 192.168.10.1
c0a8 0e01 = 192.168.14.1

Check Point were contacted and confirmed that it was a known issue that was
fixed in version 4.1 service pack 5; however, the details about this
information leakage are not present in the service pack documentation. As
IRM identified this issue during a live penetration test, it was decided
that the information should be publicised so that firewall administrators
could be made aware of it and of the resolution to the problem. A tool
(fwenum) was then produced to demonstrate the technique (available on the
IRM website - http://www.irmplc.com/advisories.htm).

Tested Versions:

Firewall-1/VPN-1 4.0 - vulnerable
Firewall-1/VPN-1 4.1 - vulnerable pre SP5
Firewall-1/VPN-1 NG - not vulnerable

Tested Operating Systems:

Microsoft Windows NT4
Microsoft Windows 2000

Vendor & Patch Information:

Check Point were contacted on July 25th and promptly responded, explaining
that the issue had been resolved in version 4.1 service pack 5, which was
released on September 13th 2001. Check Point recommends that customers stay
current with the latest service packs and versions, as they contain security
enhancements for both publicised and other issues.

Workarounds:

TCP ports 256 and 264 can be filtered if the SecuRemote service is not
required.

Credits:

Research & Advisory: Andy Davis

Disclaimer:

All information in this advisory is provided on an 'as is' basis in the hope
that it will be useful. Information Risk Management Plc is not responsible
for any risks or occurrences caused by the application of this information.

-----------------------------------------------------------------------------
Information Risk Management Plc.
22 Buckingham Gate
London
SW1E 6LB
+44 (0)207 808 6420
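The capture above is the evidence an administrator or incident responder would want to read out of a sniffer trace: the three 4-byte values after the `0000 000c` word are the firewall's own interface addresses. The following decoder is an added example for this advisory, not IRM's fwenum tool and not Check Point code. It takes the tcpdump-style hex dump quoted in the advisory (copied verbatim, ASCII column dropped), strips the IPv4 and TCP headers using their IHL and data-offset fields, and parses the payload. The only protocol assumption it makes is the one the dump itself supports: a 4-byte big-endian byte count (`0000 000c` = 12) followed by that many bytes of packed IPv4 addresses. The `leaked_internal_addresses` helper then flags any RFC 1918 addresses in the reply, which is the condition a network team would alert on when reviewing traffic to TCP ports 256 and 264.

```python
"""
Decode the interface-address list in a captured FireWall-1 SecuRemote
(TCP/264) reply from a tcpdump-style hex dump.

Added example; not IRM's fwenum and not Check Point code. Assumed payload
layout (inferred from the advisory's own capture): <uint32 byte count>
followed by that many bytes of 4-byte IPv4 addresses.
"""
import ipaddress
import re
import struct

# Hex dump copied from the advisory's tcpdump capture; ASCII column dropped.
CAPTURED_DUMP = """\
0x0000 4500 0038 a250 4000 6e06 5b5a ca4d b102
0x0010 5102 42c3 0108 040e 1769 fb25 cdc0 8a36
0x0020 5018 2228 fa32 0000 0000 000c c0a8 0101
0x0030 c0a8 0a01 c0a8 0e01
"""

# One tcpdump hex line: "0xNNNN" offset followed by 16-bit hex words.
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{4}\s*)+)")


def dump_to_bytes(dump: str) -> bytes:
    """Join the hex words of every '0xNNNN ...' line into one byte string."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def tcp_payload(packet: bytes) -> bytes:
    """Return the TCP payload, honouring the IPv4 IHL and TCP data offset."""
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length
    total_len = struct.unpack("!H", packet[2:4])[0]   # IPv4 total length
    if packet[9] != 6:                                # protocol field: 6 = TCP
        raise ValueError("not a TCP packet")
    tcp = packet[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4                     # TCP header length
    return tcp[data_off:]


def parse_address_list(payload: bytes) -> list:
    """Parse the assumed <uint32 count><count bytes of IPv4 addresses> layout."""
    if len(payload) < 4:
        raise ValueError("payload too short for a length prefix")
    count = struct.unpack("!I", payload[:4])[0]
    body = payload[4:4 + count]
    if len(body) != count or count % 4 != 0:
        raise ValueError("length prefix does not match payload")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, count, 4)]


def leaked_internal_addresses(dump: str) -> list:
    """Addresses in the reply that fall in private (RFC 1918) ranges."""
    addrs = parse_address_list(tcp_payload(dump_to_bytes(dump)))
    return [a for a in addrs if ipaddress.IPv4Address(a).is_private]


if __name__ == "__main__":
    for addr in parse_address_list(tcp_payload(dump_to_bytes(CAPTURED_DUMP))):
        print(addr)   # 192.168.1.1, 192.168.10.1, 192.168.14.1
```

The header stripping is done from the IHL and data-offset fields rather than a fixed 40-byte skip so the same decoder works on captures with IP or TCP options; the length-prefix check rejects truncated or unrelated payloads instead of silently decoding garbage as addresses. Run against the advisory's dump, it yields exactly the three 192.168.x.1 addresses the advisory lists by hand.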