what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Technical Cyber Security Alert 2004-36A

Technical Cyber Security Alert 2004-36A
Posted Feb 6, 2004
Authored by US-CERT, Jeffrey P. Lanza | Site cert.org

CERT Advisory TA04-036A - Several versions of Check Point Firewall-1 contain a vulnerability that allows remote attackers to execute arbitrary code with administrative privileges. This allows the attacker to take control of the firewall, and in some cases, to also control the server it runs on.

tags | advisory, remote, arbitrary
SHA-256 | 185ba52ee2244db8227bfa7c35e8337b0f6af6a360d2b7dd4c77a80b22414736

Technical Cyber Security Alert 2004-36A

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

HTTP Parsing Vulnerabilities in Check Point Firewall-1

Original release date: February 05, 2004
Last revised: --
Source: US-CERT

A complete revision history can be found at the end of this file.

Systems Affected

* Check Point Firewall-1 NG FCS
* Check Point Firewall-1 NG FP1
* Check Point Firewall-1 NG FP2
* Check Point Firewall-1 NG FP3, HF2
* Check Point Firewall-1 NG with Application Intelligence R54
* Check Point Firewall-1 NG with Application Intelligence R55

Overview

Several versions of Check Point Firewall-1 contain a vulnerability that
allows remote attackers to execute arbitrary code with administrative
privileges. This allows the attacker to take control of the firewall,
and in some cases, to also control the server it runs on.

I. Description

The Application Intelligence (AI) component of Check Point Firewall-1
is an application proxy that scans traffic for application layer
attacks once it has passed through the firewall at the network level.
Earlier versions of Firewall-1 include the HTTP Security Server, which
provides similar functionality.

Both the AI and HTTP Security Server features contain an HTTP parsing
vulnerability that is triggered by sending an invalid HTTP request
through the firewall. When Firewall-1 generates an error message in
response to the invalid request, a portion of the input supplied by the
attacker is included in the format string for a call to sprintf().

Researchers at Internet Security Systems have determined that it is
possible to exploit this format string vulnerability to execute
commands on the firewall. The researchers have also determined that
this vulnerability can be exploited as a heap overflow, which would
allow an attacker to execute arbitrary code. In either case, the
commands or code executed by the attacker would run with administrative
privileges, typically "SYSTEM" or "root". For more information, please
see the ISS advisory at:

http://xforce.iss.net/xforce/alerts/id/162

The CERT/CC is tracking this issue as VU#790771. This reference number
corresponds to CVE candidate CAN-2004-0039.

II. Impact

This vulnerability allows remote attackers to execute arbitrary code on
affected firewalls with administrative privileges, typically "SYSTEM"
or "root". Failed attempts to exploit this vulnerability may cause the
firewall to crash.

III. Solution

Apply the patch from Check Point

Check Point has published a "Firewall-1 HTTP Security Server Update"
that modifies the error return strings used when an invalid HTTP
request is detected. For more information, please see the Check Point
bulletin at:

http://www.checkpoint.com/techsupport/alerts/security_server.html

This update prevents attackers from using several known error strings
to exploit this vulnerability. It is unclear at this time whether there
are other attack vectors that may still allow exploitation of the
underlying software defect.

Disable the affected components

Check Point has reported that their products are only affected by this
vulnerability if the HTTP Security Servers feature is enabled.
Therefore, affected sites may be able to limit their exposure to this
vulnerability by disabling HTTP Security Servers or the Application
Intelligence component, as appropriate.
_________________________________________________________________

This vulnerability was discovered and researched by Mark Dowd of ISS
X-Force.
_________________________________________________________________

This document was written by Jeffrey P. Lanza.
_________________________________________________________________

This document is available from:
http://www.us-cert.gov/cas/techalerts/TA04-036A.html
_________________________________________________________________

Copyright 2004 Carnegie Mellon University.

Revision History
Feb 05, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAIsBMXlvNRxAkFWARApI0AKD4vWl9qb4hYtEr+zlkUScaY3PFcwCfRXcG
pglRULK2zVbnACsvG9+BEog=
=6SAE
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close