exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Check Point Security Management Symlink Vulnerabilities

Check Point Security Management Symlink Vulnerabilities
Posted Aug 16, 2011
Authored by Matthew Flanagan

Check Point Security Management Products suffer from multiple symlink vulnerabilities. Due to the combination of inadequate file checks, predictable file names and writing of temporary configuration files to /tmp it is possible for a unprivileged local user to exploit the post-installation script to overwrite arbitrary files on the security management system through symlink following. The script also contains a second-order symlink vulnerability which makes it possible for an attacker to gain control of the SMS configuration file: $FWDIR/conf/sofaware/SWManagementServer.ini.

tags | advisory, arbitrary, local, vulnerability
advisories | CVE-2011-2664
SHA-256 | 9c9530656dc7486ce3d99175a4a77905ed90e3d797246e746914fe8311174a28

Check Point Security Management Symlink Vulnerabilities

Change Mirror Download
=======================================================================
title: Symlink Following and Second-Order Symlink
Vulnerabilities in Multiple Check Point Security Management Products
product: Check Point Security Management
* Multi-Domain Security Management / Provider-1
* SmartCenter
vulnerable version: multiple products, see sections below
fixed version: multiple products, see sections below
CVE number: CVE-2011-2664
impact: high
homepage: http://www.checkpoint.com
found: 2010-08-13
by: Matthew Flanagan
http://wadofstuff.blogspot.com
=======================================================================

Vendor Product Description
--------------------------

"Security Management and Multi-Domain Security Management (Provider-1) delivers
more security and control by segmenting your security management into multiple
virtual domains. Businesses of all sizes can easily create virtual domains
based on geography, business unit or security function to strengthen security
and simplify management."

URL: http://www.checkpoint.com/products/multi-domain-security-management/index.html

"Check Point UTM-1 Edge appliances deliver proven, best-in-class security right
out of the box! These simple, all-in-one appliances allow branch offices to
deploy comprehensive security quickly and easily. These appliances offer robust
performance, powerful central management and advanced wireless options."

URL: http://www.checkpoint.com/products/utm-1-edge/index.html

Vulnerability Description
-------------------------

A post-installation shell script is executed both in the provisioning of a
Security Management Domain and installation of a standalone SmartCenter. The
script is used to generate a configuration file for use by the SofaWare
Management Server (SMS). The SMS is used to send all configuration changes
performed in the SmartCenter/Management Domain to UTM-1 Edge devices. UTM-1
Edge devices also communicate their status to the SmartCenter/Management
Domain via SMS.

Due to the combination of inadequate file checks, predictable file names and
writing of temporary configuration files to /tmp it is possible for a
unprivileged local user to exploit the post-installation script to overwrite
arbitrary files on the security management system through symlink following.

The script also contains a second-order symlink vulnerability [1]
which makes it
possible for an attacker to gain control of the SMS configuration
file: $FWDIR/conf/sofaware/SWManagementServer.ini. The SWManagementServer.ini
file contains sensitive information and configuration parameters for the
management of UTM-1 Edge firewall appliances such as firmware versions,
mail proxies, logging levels, and many timeout and polling intervals for
various software components running on the Edge devices.

The likelhood of exploiting this vulnerability on a server running SmartCenter
is low due to it only being exploitable during the installation of the software.
However, for Management Domains running on a Multi-Domain Management /
Provider-1 server the likelihood is much higher as the vulnerability can be
exploited every time a new Management Domain is created.

Exploit
-------

An exploit will not be published.

Vulnerable Versions
-------------------

R65.70
R70.40
R71.30
R75.10

On Linux, SecurePlatform and Solaris.

Solution
--------

Fixed in R71.40 and R75.20. Other versions can get fix from Check Point
advisory page:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=syyk63565

Advisories
----------

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=syyk63565

http://wadofstuff.blogspot.com/2011/08/security-advisory-symlink-following-and.html

Vendor Contact Timeline
-----------------------

2010-08-16: Contacted Check Point security team security-alert ()
checkpoint.com.
2010-08-16: Vendor responded.
2010-08-16: Provided vulnerability details and exploit to vendor.
2010-08-18: Vendor confirmation of vulnerability.
2010-08-26: Requested a status update from the vendor.
2010-08-28: Vendor: working on a fix and release plan.
2011-05-31: Requested a status update from the vendor.
2011-06-01: Vendor: Fixed in R75. Advisory to be released on 2011-06-15.
2011-06-06: Advised vendor that R75 GA and R75.10 are still vulnerable.
2011-06-06: Applied for CVE number from MITRE.
2011-06-07 - 2011-06-14: Coordinated fix and advisory release with Check Point.
2011-06-14: Sent more details to MITRE.
2011-06-15: Vendor publishes advisory and fix.
2011-06-16: Contacted AusCERT.
2011-07-06: Asked MITRE for status of CVE number allocation.
2011-07-07: Assigned CVE number by MITRE.
2011-08-16: Released advisory.

References
----------

[1] http://www.securityfocus.com/archive/1/401682
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close