Vulnerability

FW-1

Affected

Check Point Firewall-1 on Windows NT

Description

The following is based on a FSC Internet Corp./SecureXpert Labs Advisory. The SMTP Security Server component of Check Point Firewall-1 4.0 and 4.1 is vulnerable to a simple network-based attack which raises the firewall load to 100%.

Check Point Firewall-1 includes a component called the SMTP Security Server. This is an SMTP proxy, the use of which is required by several of Firewall-1's advanced SMTP email processing capabilities, including CVP-based virus scanning and URI filtering.

The Check Point Firewall-1 SMTP Security Server in Firewall-1 4.0 and 4.1 on Windows NT is vulnerable to a simple network-based attack which can increase the firewall's CPU utilization to 100%. Sending a stream of binary zeros over the network to the SMTP port on the firewall raises the target system's load to 100%, while the load on the attacker's machine remains relatively low. This can easily be reproduced from a Linux system using netcat with an input of /dev/zero, with a command such as

    nc firewall 25 < /dev/zero

This vulnerability could allow a very quick and easy distributed attack on Check Point Firewall-1.

Solution

Check Point Software Technologies has been informed of this vulnerability, and has assigned it incident ID# TT44913. As of June 20, 2000 Check Point has stated that a fix for this vulnerability will NOT be included in Service Pack 2 (SP-2) for Check Point Firewall-1 4.1, but it will "probably be included in SP-3".
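A defensive sketch for the input described above, added here as an example and not taken from the advisory or from Check Point code: an SMTP front end that bounds per-connection work in the command phase by dropping a peer that sends NUL octets or exceeds the 512-octet command line limit of RFC 5321 without a CRLF. The advisory does not state the root cause in the Security Server; the class and function names, the NUL policy and the sample inputs are assumptions, and the long-line case goes beyond the zero-stream case the advisory describes.

```python
MAX_CMD_LINE = 512  # RFC 5321 command line limit, CRLF included


class ProtocolViolation(Exception):
    """Raised when the peer should be disconnected."""


class SmtpCommandGuard:
    """Incremental reader for the SMTP command phase (hypothetical helper)."""

    def __init__(self, max_line=MAX_CMD_LINE):
        self.max_line = max_line
        self.buf = bytearray()

    def feed(self, chunk):
        # Assumed policy: NUL is never valid in a command, reject before buffering.
        if b"\x00" in chunk:
            raise ProtocolViolation("NUL octet in command stream")
        self.buf += chunk
        lines = []
        while (idx := self.buf.find(b"\r\n")) >= 0:
            if idx + 2 > self.max_line:
                raise ProtocolViolation("command line too long")
            lines.append(bytes(self.buf[:idx]))
            del self.buf[:idx + 2]
        # Unterminated data may never grow past one line: memory stays bounded.
        if len(self.buf) > self.max_line:
            raise ProtocolViolation("no CRLF within line limit")
        return lines


def run_session(chunks):
    """Feed chunks until the guard drops the peer; return (lines, bytes_read, reason)."""
    guard, lines, read = SmtpCommandGuard(), [], 0
    for chunk in chunks:
        read += len(chunk)
        try:
            lines += guard.feed(chunk)
        except ProtocolViolation as exc:
            return lines, read, str(exc)  # a real server closes the socket here
    return lines, read, None


# Constructed sample inputs (not captured traffic).
NORMAL = [b"EHLO mail.example\r\nMAIL FR", b"OM:<a@example.org>\r\n"]
ZEROS = [bytes(4096)] * 16   # what reading /dev/zero in 4 KiB chunks delivers
JUNK = [b"A" * 300] * 4      # non-NUL data that never sends CRLF
```

Logging the `reason` string with the peer address gives a per-source count of dropped connections that can be rate limited upstream.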