The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Check Point UTM-1 Appliance

vulnerability 13270

Check Point: vulnerabilities of IPMI

Synthesis of the vulnerability

An attacker can use IPMI vulnerabilities in several Check Point products, in order to perform management operations on the hardware.
Impacted products: GAiA, CheckPoint IP Appliance, CheckPoint Power-1 Appliance, SecurePlatform, CheckPoint Security Appliance, CheckPoint Smart-1, CheckPoint UTM-1 Appliance.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Creation date: 13/08/2013.
Identifiers: sk94228, VIGILANCE-VUL-13270.

Description of the vulnerability

The IPMI (Intelligent Platform Management Interface) protocol is used to manage the hardware.

Several vulnerabilities were announced in IPMI (VIGILANCE-VUL-13267, VIGILANCE-VUL-13268 and VIGILANCE-VUL-13269). Some of these vulnerabilities impact the hardware of Check Point products.

An attacker can therefore use IPMI vulnerabilities in several Check Point products, in order to perform management operations on the hardware.

vulnerability alert 13191

Check Point R75.40VS: information disclosure via SecureXL

Synthesis of the vulnerability

An attacker can capture SIP/MGCP packets when SecureXL is enabled on Check Point R75.40VS, in order to obtain sensitive information.
Impacted products: GAiA, CheckPoint IP Appliance, CheckPoint Power-1 Appliance, SecurePlatform, CheckPoint Security Gateway, CheckPoint UTM-1 Appliance, CheckPoint VSX-1.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 02/08/2013.
Identifiers: sk92814, VIGILANCE-VUL-13191.

Description of the vulnerability

The SecureXL technology improves the performance of Check Point firewalls.

However, when it is enabled on R75.40VS, SIP (Session Initiation Protocol) and MGCP (Media Gateway Control Protocol) packets are not encrypted.

An attacker can therefore capture SIP/MGCP packets when SecureXL is enabled on Check Point R75.40VS, in order to obtain sensitive information.

vulnerability alert 12981

CheckPoint Security Gateway: information disclosure via VoIP

Synthesis of the vulnerability

When SecureXL is enabled on the caller side, an attacker can capture VoIP communications of CheckPoint Security Gateway, in order to obtain sensitive information.
Impacted products: GAiA, CheckPoint Power-1 Appliance, Provider-1, SecurePlatform, CheckPoint Security Gateway, CheckPoint UTM-1 Appliance, CheckPoint VSX-1.
Severity: 2/4.
Consequences: data reading, data flow.
Provenance: internet client.
Creation date: 17/06/2013.
Identifiers: sk92814, VIGILANCE-VUL-12981.

Description of the vulnerability

CheckPoint Security Gateway allows VoIP calls to be established through a VPN.

The VoIP signaling is exchanged via the SIP protocol. However, when SecureXL is enabled in the VPN end point on the caller side, SIP messages are sent in plain text instead of being encrypted as part of VPN traffic. This allows an attacker located in the public network to capture signaling traffic.

When SecureXL is enabled on the caller side, an attacker can therefore capture VoIP communications of CheckPoint Security Gateway, in order to obtain sensitive information.

vulnerability note 12884

Check Point VSX Virtual System: no policy

Synthesis of the vulnerability

When Check Point VSX Virtual System R75.40VS/R76 (VSX mode) is restarted, the security policy may not be applied.
Impacted products: GAiA, CheckPoint IP Appliance, CheckPoint Power-1 Appliance, CheckPoint Security Gateway, CheckPoint UTM-1 Appliance, CheckPoint VSX-1.
Severity: 3/4.
Consequences: data flow.
Provenance: internet client.
Creation date: 30/05/2013.
Identifiers: sk92812, VIGILANCE-VUL-12884.

Description of the vulnerability

When Check Point VSX Virtual System R75.40VS/R76 (VSX mode) is restarted, the security policy may not be applied.

An attacker can then access the resources, or be blocked.

vulnerability note 11064

Check Point UTM-1: vulnerabilities of WebUI

Synthesis of the vulnerability

An attacker can use several vulnerabilities of the WebUI interface of UTM-1 Edge and Safe@Office.
Impacted products: CheckPoint UTM-1 Appliance, ZoneAlarm.
Severity: 2/4.
Consequences: client access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 17/10/2011.
Revision date: 02/11/2012.
Identifiers: BID-50189, PR11-07, sk65460, VIGILANCE-VUL-11064.

Description of the vulnerability

The WebUI interface of Check Point UTM-1 Edge and Safe@Office is used to administer the appliance. Several vulnerabilities were announced in WebUI.

An attacker can trigger several Cross Site Scripting attacks. [severity:2/4]

An attacker can trigger several Cross Site Request Forgery attacks. [severity:2/4]

An attacker can generate a web redirect. [severity:1/4]

An unauthenticated attacker can obtain information. [severity:2/4]

computer vulnerability alert 11656

TCP: packets injection via a firewall and a malware

Synthesis of the vulnerability

When an attacker has installed unprivileged malware on a client computer, and when a firewall is located between this client and a TCP server, an attacker who is located on the internet can guess valid sequence numbers, in order to inject data in this TCP session.
Impacted products: CheckPoint Power-1 Appliance, CheckPoint Security Gateway, CheckPoint Smart-1, CheckPoint UTM-1 Appliance, VPN-1, CheckPoint VSX-1, TCP protocol.
Severity: 1/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 28/05/2012.
Identifiers: FGA-2012-19, sk74640, VIGILANCE-VUL-11656.

Description of the vulnerability

When privileged malware is installed on the victim's computer, it can inject data in the victim's TCP sessions. However, if the malware is not privileged, it cannot do so.

TCP sequence and acknowledgment numbers are used to sort data. An attacker has to guess these numbers (and also IP addresses and ports, but the malware knows them via netstat), in order to inject malicious packets in an active TCP session.

Firewalls usually block TCP packets with a sequence number outside the expected window. However, when this feature is enabled, a remote attacker can send a series of packets:
 - if one of these packets went through the firewall, the malware (which, for example, reads packet counters, which are not always precise) reports it to the remote attacker
 - if none of these packets went through, the malware tells the attacker to send another series
So, after several iterations, the remote attacker guesses which sequence numbers are currently valid.

When an attacker has installed unprivileged malware on a client computer, and when a firewall is located between this client and a TCP server, an attacker who is located on the internet can guess valid sequence numbers, in order to inject data in this TCP session. This vulnerability also works by reversing the client and the server.

vulnerability alert CVE-2008-5161

OpenSSH: information disclosure via CBC

Synthesis of the vulnerability

An attacker capturing an OpenSSH session has a low probability of obtaining 32 bits of plain text.
Impacted products: Avaya Ethernet Routing Switch, CheckPoint Power-1 Appliance, SecurePlatform, CheckPoint Smart-1, CheckPoint UTM-1 Appliance, CheckPoint VSX-1, BIG-IP Hardware, TMOS, AIX, NetBSD, OpenSolaris, OpenSSH, Solaris, RHEL.
Severity: 1/4.
Consequences: data reading.
Provenance: LAN.
Creation date: 18/11/2008.
Revision date: 21/11/2008.
Identifiers: 247186, 6761890, BID-32319, CPNI-957037, CVE-2008-5161, NetBSD-SA2009-005, RHSA-2009:1287-02, sk36343, sol14609, VIGILANCE-VUL-8251, VU#958563.

Description of the vulnerability

The OpenSSH program encrypts session data using a CBC (Cipher Block Chaining) algorithm by default.

If an attacker creates an error in the session:
 - he has one chance in 262144 (2^18) to obtain 32 bits of the unencrypted session
 - he has one chance in 16384 (2^14) to obtain 14 bits of the unencrypted session
This attack interrupts the SSH session, so the victim detects that a problem occurred.

This vulnerability does not impact the CTR (Counter) algorithm.

An attacker capturing an OpenSSH session, and injecting invalid data, thus has a low probability of obtaining some bits of plain text.
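Because the bulletin states that CTR is not impacted, a defender can check which CBC ciphers a server still offers. The following is an added example, not part of the Vigil@nce bulletin: it assumes the effective configuration has been dumped with `sshd -T` (or `ssh -G` for a client), and the sample input is constructed.

```python
# Audit an OpenSSH effective configuration for CBC-mode ciphers.
# Assumption: input is text in the format printed by `sshd -T` / `ssh -G`,
# where the negotiated cipher list appears on a line starting with "ciphers".

# Constructed sample, not taken from any real host.
SAMPLE_SSHD_T = """\
port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator.liu.se
macs hmac-sha2-256,hmac-sha2-512
"""


def parse_ciphers(effective_config: str) -> list[str]:
    """Return the ordered cipher list, or [] when no "ciphers" line exists."""
    for line in effective_config.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "ciphers":
            return [c.strip() for c in parts[1].split(",") if c.strip()]
    return []


def is_cbc(cipher: str) -> bool:
    """True for CBC names such as aes128-cbc or rijndael-cbc@lysator.liu.se."""
    name = cipher.split("@", 1)[0].lower()  # drop the vendor suffix, if any
    return name.endswith("-cbc")


def audit(effective_config: str) -> dict:
    """Split the offered ciphers into CBC and non-CBC, keeping their order."""
    ciphers = parse_ciphers(effective_config)
    cbc = [c for c in ciphers if is_cbc(c)]
    kept = [c for c in ciphers if not is_cbc(c)]
    return {
        "found": bool(ciphers),          # False: no cipher line to judge
        "cbc": cbc,                      # ciphers affected by this bulletin
        "non_cbc": kept,
        # Value for a `Ciphers` directive with the CBC entries removed.
        # Empty means every offered cipher was CBC and a list must be chosen.
        "suggested": ",".join(kept),
        # The first entry is the most preferred during negotiation.
        "cbc_preferred": bool(ciphers) and is_cbc(ciphers[0]),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SSHD_T)
    print("CBC ciphers offered:", ", ".join(report["cbc"]) or "none")
    print("Ciphers", report["suggested"])
```
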