
Secunia Security Advisory 13792

Posted Jan 16, 2005
Authored by Secunia | Site secunia.com

Secunia Security Advisory - A weakness has been reported in Check Point Firewall-1 NG with SmartDefense, which allows malware to bypass detection.

tags | advisory
SHA-256 | 591ae33f7ad522ffc27ec1a6c373a6fcfbf8b3817c30dc85514fe40a15d422ba


TITLE:
Check Point Firewall-1 NG SmartDefense RFC2397 Bypass Weakness

SECUNIA ADVISORY ID:
SA13792

VERIFY ADVISORY:
http://secunia.com/advisories/13792/

CRITICAL:
Not critical

IMPACT:
Security Bypass

WHERE:
From remote

SOFTWARE:
Check Point VPN-1/FireWall-1 NG with Application Intelligence (AI)
http://secunia.com/product/2542/

DESCRIPTION:
A weakness has been reported in Check Point Firewall-1 NG with
SmartDefense, which allows malware to bypass detection.

The weakness is caused by a lack of RFC2397 support. This can be
exploited to bypass the malware detection by sending malicious image
files that are base64 encoded and embedded in an HTML file according
to the standard specified in RFC2397. That standard is supported by a
number of client applications capable of rendering HTML files (e.g.
email clients and browsers).

A PoC has been published, which embeds an image that attempts to
exploit the GDI+ JPEG parsing vulnerability in Microsoft Windows.

NOTE: Content inspection software can generally be bypassed in many
ways by obfuscating data and exploit code. However, this advisory
describes a lack of compliance with a widely deployed standard for
embedding pictures in HTML files.

This has been reported to affect Check Point Firewall-1 NG R55 HFA08
with SmartDefense 541041226. Other versions may also be vulnerable.
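
What RFC2397 support means for a content inspector, as an added example (not code from Secunia, Intrusense or Check Point): find `data:` URIs in HTML attributes and decode them so the embedded bytes can be passed to the same scanner used for standalone image files. The names `decode_data_uri`, `sniff`, `DataURIExtractor` and `extract_embedded` are hypothetical, and the sample input is constructed.

```python
import base64, binascii, re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# RFC 2397 syntax: data:[<mediatype>][;base64],<data>
DATA_URI = re.compile(r"^\s*data:([^,]*),(.*)$", re.IGNORECASE | re.DOTALL)
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}

def decode_data_uri(uri):
    """Return (mediatype, payload bytes) for a data: URI, or None for other URIs."""
    m = DATA_URI.match(uri)
    if not m:
        return None
    params = [p.strip().lower() for p in m.group(1).split(";")]
    mediatype = params[0] or "text/plain"      # RFC 2397 default media type
    raw = unquote_to_bytes(m.group(2))         # undo %xx escaping first
    if "base64" not in params[1:]:
        return mediatype, raw
    compact = b"".join(raw.split())            # browsers tolerate whitespace in the payload
    try:
        return mediatype, base64.b64decode(compact + b"=" * (-len(compact) % 4))
    except (binascii.Error, ValueError):
        return mediatype, None                 # undecodable: flag it, do not pass silently

def sniff(payload):
    """Classify decoded bytes by magic number, independent of the declared type."""
    return next((k for m, k in MAGIC.items() if (payload or b"").startswith(m)), "unknown")

class DataURIExtractor(HTMLParser):
    """Collect (tag, attribute, mediatype, payload) for every data: URI attribute."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            decoded = decode_data_uri(value or "")
            if decoded:
                self.found.append((tag, name) + decoded)

def extract_embedded(html):
    parser = DataURIExtractor()
    parser.feed(html)
    parser.close()
    return parser.found

# Constructed sample: JPEG magic bytes followed by harmless filler, not a real image.
SAMPLE_BYTES = b"\xff\xd8\xff\xe0" + b"constructed benign sample, not a real image"
_b64 = base64.b64encode(SAMPLE_BYTES).decode()
SAMPLE_HTML = '<p><img alt="x" src="data:image/jpeg;base64,%s\n%s"></p>' % (_b64[:20], _b64[20:])
```

Each payload returned by `extract_embedded` would be handed to the file scanner; a `None` payload marks a `data:` URI that could not be decoded and should be treated as unscanned content.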

SOLUTION:
Do not rely solely on gateway / perimeter security.

Apply patches to fix vulnerabilities in client software and apply
other defence in depth measures.

PROVIDED AND/OR DISCOVERED BY:
Darren Bounds, Intrusense.

ORIGINAL ADVISORY:
http://www.intrusense.com/av-bypass/image-bypass-advisory.txt

OTHER REFERENCES:
SA12528:
http://secunia.com/advisories/12528/

RFC2397:
http://www.ietf.org/rfc/rfc2397.txt

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
