
CIAC L-109 - VPN-1 Firewall-1 RDP Comm Vulnerability


             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                VPN-1/FireWall-1 RDP Communication Vulnerability
                          [Inside Security GmbH 7/10/2001]

July 11, 2001 00:00 GMT                                           Number L-109
______________________________________________________________________________
PROBLEM:       Check Point uses a proprietary protocol called RDP (UDP/259) 
               for some internal communication between software components. In 
               the default configuration, packets conforming to this protocol 
               are allowed to pass unchecked through the firewall. These 
               packets could be used to create a covert channel through the 
               firewall. 
PLATFORM:      Check Point VPN-1/FireWall-1 
DAMAGE:        Packets configured to conform to the RDP specification could be 
               used to create a covert channel through the firewall. 
SOLUTION:      Apply Service Pack 4 and install the SP4 hotfix available from 
               CheckPoint download site 
               (http://www.checkpoint.com/techsupport/downloads/downloads.html). 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. This vulnerability can only be used to 
ASSESSMENT:    create a covert channel through the firewall. An intruder must 
               already have access to both sides of the firewall to set up the 
               channel. 
______________________________________________________________________________

[Start Inside Security GmbH Vulnerability Notification]

FOR PUBLIC RELEASE

------------------------------------------------------------------------
Inside Security GmbH Vulnerability Notification
Revision 1.4  2001-07-10
------------------------------------------------------------------------

The latest version of this document is available at
http://www.inside-security.de/advisories/fw1_rdp.html


-----------------------------------------------
Check Point FireWall-1 RDP Bypass Vulnerability
-----------------------------------------------

Summary:
  It is possible to bypass FireWall-1 with faked RDP packets
  if the default implied rules are being used.

  RDP (Reliable Data Protocol, but not the one specified in RFCs 908/1151,
  a Check Point proprietary one) is used by FireWall-1 on top of the
  User Datagram Protocol (UDP) to establish encrypted sessions.

  FireWall-1 management rules allow arbitrary eitherbound RDP connections
  to traverse the firewall. Only the destination port (259) and the RDP
  command are verified by FireWall-1. By adding a faked RDP header to normal
  UDP traffic any content can be passed to port 259 on any remote host on
  either side of the firewall.

  Implied rules can't be easily modified or removed (except all at once)
  with the FireWall-1 policy editor.


Impact:
  Given access to hosts on both sides of a firewall, a tunnel to bypass
  the firewall could be built using this vulnerability. Such access
  could be gained with a trojan horse that uses this vulnerability to
  connect from the inside back to the machine of the attacker. Arbitrary
  connections from the outside to machines behind the firewall (even if
  the firewall is supposed to block them completely from both sides) can
  also be established, for example to communicate with infiltrated
  programs such as viruses.


Affected systems:
  Check Point VPN-1(TM) & FireWall-1(R) Version 4.1


Releases tested:
  Build 41439 [VPN + DES]
  Build 41439 [VPN + DES + STRONG]
  Build 41716 [VPN + DES + STRONG] (SP2)


Vendor status:
  The vulnerability has been reported to Check Point and a fix is
  scheduled for today. We want to thank Check Point Software Technologies
  for their quick reaction.


Detailed description:
  When FireWall-1 rulesets are created they are translated into the INSPECT
  language (similar to C) and by default include the file $FWDIR/lib/base.def,
  which itself includes $FWDIR/lib/crypt.def in line 259. Together they define
  protocol names and the so-called implied rules (for FireWall-1 management).
  In line 62 the macro accept_fw1_rdp is defined to accept any eitherbound
  connection that matches all of the following characteristics:
    - Protocol UDP
    - Destination port 259 (RDP)
    - RDP Command RDPCRYPTCMD (100), RDPCRYPT_RESTARTCMD (101),
      RDPUSERCMD (150) or RDPSTATUSCMD (128).
  The RDP command types RDPCRYPT = {RDPCRYPTCMD,RDPUSERCMD,RDPSTATUSCMD}
  and RDPCRYPT_RESTART = {RDPCRYPT_RESTARTCMD} will permit traversal of
  faked RDP packets (regardless of the value of NO_ENCRYPTION_FEATURES,
  which is undefined by default).


Proof of concept code:
  Proof of concept code has been submitted to Check Point. We are planning
  to make this code publicly available within a few days.


Suggested workarounds:
  - Comment line 2646 of base.def ( accept_fw1_rdp; )
  - Deactivate implied rules in the Check Point policy editor (and build
    your own rules for management connections).
  - Block UDP traffic to port 259 on your perimeter router.
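The following is an added example, not code from the advisory, CIAC or Check Point. It models the implied rule accept_fw1_rdp exactly as the detailed description above states it (UDP, destination port 259, one of the four RDP command values, either direction), places a hand-built management-only rule beside it as the second workaround suggests, and uses the difference between the two as a detection check over constructed traffic. The Packet type, the assumption that the RDP command field has already been parsed (the advisory does not give the header layout), the host addresses and the helper names are all assumptions made for this example.

```python
# Added example; not code from the advisory, CIAC or Check Point.
from dataclasses import dataclass
from typing import List, Optional, Set

# RDP command values named in the advisory (base.def / crypt.def).
RDPCRYPTCMD, RDPCRYPT_RESTARTCMD, RDPSTATUSCMD, RDPUSERCMD = 100, 101, 128, 150
ACCEPTED_RDP_CMDS = {RDPCRYPTCMD, RDPCRYPT_RESTARTCMD, RDPSTATUSCMD, RDPUSERCMD}
RDP_PORT = 259  # UDP/259, the Check Point proprietary RDP

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "udp" or "tcp"
    dport: int
    rdp_cmd: Optional[int] = None  # assumption: RDP command already parsed

def implied_rule_accepts(pkt: Packet) -> bool:
    """accept_fw1_rdp as the advisory describes it: only protocol, destination
    port and RDP command are checked, for connections in either direction."""
    return (pkt.proto == "udp" and pkt.dport == RDP_PORT
            and pkt.rdp_cmd in ACCEPTED_RDP_CMDS)

def management_rule_accepts(pkt: Packet, fw1_hosts: Set[str]) -> bool:
    """Hand-built replacement (workaround 2 above): RDP is accepted only
    between hosts known to be FireWall-1 modules or management stations."""
    return (implied_rule_accepts(pkt)
            and pkt.src in fw1_hosts and pkt.dst in fw1_hosts)

def flag_suspect_rdp(packets: List[Packet], fw1_hosts: Set[str]) -> List[Packet]:
    """Detection view: packets the implied rule would pass that do not involve
    FireWall-1 components on both ends, i.e. covert-channel candidates."""
    return [p for p in packets
            if implied_rule_accepts(p) and not management_rule_accepts(p, fw1_hosts)]

# Constructed sample traffic; all addresses are made up for this example.
FW1_HOSTS = {"10.0.0.1", "10.0.0.2"}  # firewall module + management station
SAMPLE = [
    Packet("10.0.0.2", "10.0.0.1", "udp", 259, RDPCRYPTCMD),     # legitimate management
    Packet("192.0.2.7", "10.0.5.20", "udp", 259, RDPUSERCMD),    # faked header, outside -> inside
    Packet("10.0.5.20", "192.0.2.7", "udp", 259, RDPSTATUSCMD),  # faked header, inside -> outside
    Packet("192.0.2.7", "10.0.5.20", "udp", 259, 7),             # unknown command: not accepted
    Packet("192.0.2.7", "10.0.5.20", "tcp", 259, RDPCRYPTCMD),   # TCP: the rule does not match
]

if __name__ == "__main__":
    for p in flag_suspect_rdp(SAMPLE, FW1_HOSTS):
        print("suspect RDP:", p.src, "->", p.dst, "cmd", p.rdp_cmd)
```

Run stand-alone, the script lists the two faked-header packets and nothing else; the legitimate management packet passes both rules.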


Credits:
  This vulnerability was found and documented by Jochen Thomas Bauer
  <jtb@inside-security.de> and Boris Wesslowski <bw@inside-security.de>
  of Inside Security GmbH, Stuttgart, Germany.


------------------------------------------------------------------------
(C) 2001 Inside Security GmbH
This notice may be redistributed freely provided that redistributed copies
are complete and unmodified, and include all date and version information.

ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES,
INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR IMPLIED WARRANTY OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED
AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL INSIDE SECURITY GMBH BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF
LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION
CONTAINED IN THIS SECURITY BULLETIN, EVEN IF INSIDE SECURITY GMBH HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable
law, void, or unenforceable in any jurisdiction, then such provisions are
waived to the extent necessary for this disclaimer to be otherwise
enforceable in such jurisdiction.
------------------------------------------------------------------------


[End Inside Security GmbH Vulnerability Notification]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Check Point Software 
Technologies Ltd. for the information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-101: Microsoft LDAP Over SSL Password Vulnerability
L-102: HP OpenView Network Node Manager Security Vulnerability
L-103: Sun ypbind Buffer Overflow Vulnerability
L-104: SuSE Linux, xinetd Buffer Overflow
L-105: Samba Security Vulnerability
L-106: Cisco IOS HTTP Authorization Vulnerability
L-107: Microsoft Authentication Error in SMTP Service
L-108: Oracle 8i TNS Listener Vulnerability
L-110: HP Open View Event Correlation Services Vulnerability
L-111: FreeBSD Signal Handling Flaw
