FSC Internet Corp. / SecureXpert Labs

SecureXpert Labs Advisory [SX-20000620-3] - Partial Denial of
Service in Check Point Firewall-1 on Windows NT

Summary

The SMTP Security Server component of Check Point Firewall-1 4.0 and 4.1 is
vulnerable to a simple network-based attack which raises the firewall load to
100%.

Details

Check Point Firewall-1 includes a component called the SMTP Security Server.
This is an SMTP proxy, the use of which is required by several of Firewall-1's
advanced SMTP email processing capabilities, including CVP-based virus
scanning and URI filtering.

The Check Point Firewall-1 SMTP Security Server in Firewall-1 4.0 and 4.1
on Windows NT is vulnerable to a simple network-based attack which can increase
the firewall's CPU utilization to 100%.

Sending a stream of binary zeros over the network to the SMTP port on the firewall
raises the target system's load to 100% while the load on the attacker's
system machine remains relatively low.  This can easily be reproduced from
a Linux system using netcat with an input of /dev/zero, with a command such as
"nc firewall 25 < /dev/zero".

This vulnerability could allow a very quick and easy distributed attack
on Check Point Firewall-1.

Status

Check Point Software Technologies has been informed of this vulnerability, and
has assigned it incident ID# TT44913.  As of June 20, 2000 Check Point
has stated that a fix for this vulnerability will NOT be included in Service
Pack 2 (SP-2) for Check Point firewall-1 4.1, but it will "probably be included
in SP-3".

Credits

Mike Murray, SecureXpert Labs
Max Degtyar, SecureXpert Labs
Richard Reiner, SecureXpert Labs

About SecureXpert DIRECT

SecureXpert DIRECT is an advance security advisory service provided by
SecureXpert Labs.  Subscriptions are free of charge and may be obtained
online at http://www.securexpert.com/services.html.