The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of CheckPoint Firewall-1

computer vulnerability announce CVE-2010-0102

IDS, IPS: Advanced Evasion Techniques

Synthesis of the vulnerability

Twenty-three standard packet-variation techniques are not detected by most IDS/IPS.
Impacted products: FW-1, CheckPoint Security Gateway, VPN-1, Cisco IPS, TippingPoint IPS, McAfee NTBA, Snort.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 23.
Creation date: 17/12/2010.
Identifiers: CVE-2010-0102, SBP-2010-31, SBP-2010-32, SBP-2010-33, SBP-2010-34, SBP-2010-35, VIGILANCE-VUL-10227.

Description of the vulnerability

IDS/IPS capture network frames and analyze their content in order to detect intrusion attempts. Attackers usually apply variations to these packets in order to bypass the IDS/IPS. Twenty-three standard packet-variation techniques are not detected by most IDS/IPS. These 23 cases use IPv4, TCP, SMB and MSRPC variations, and are based on methods that have been known for 12 years. Stonesoft named these cases "Advanced Evasion Techniques". They were announced in VIGILANCE-ACTU-2612.

An attacker can send an SMB Write packet with a special "writemode" value, followed by other SMB Write packets that are to be ignored. [severity:2/4]

An attacker can split SMB Write data into packets containing only one byte, encapsulated in small IPv4/TCP fragments. [severity:2/4]

An attacker can duplicate each IPv4 packet, with additional IPv4 options. [severity:2/4]

An attacker can fragment MSRPC queries into packets containing at most 25 bytes of payload. [severity:2/4]

An attacker can send MSRPC messages where all integers are encoded as Big Endian instead of Little Endian. [severity:2/4]

An attacker can change the NDR flags of MSRPC messages. [severity:2/4]

An attacker can create fragmented MSRPC messages inside fragmented SMB messages. [severity:2/4]

An attacker can fragment SMB messages into blocks containing one byte of payload. [severity:2/4]

An attacker can fragment SMB messages into blocks containing at most 32 bytes of payload. [severity:2/4]

An attacker can use an SMB filename starting with "unused\..\". [severity:2/4]

An attacker can use overlapping TCP segments. [severity:2/4]

An attacker can send TCP segments in random order. [severity:2/4]

An attacker can fragment TCP data into blocks of one byte. [severity:2/4]

An attacker can use a second TCP session using the same port numbers. [severity:2/4]

An attacker can use a TCP session where the first byte is sent with the urgent flag set. [severity:2/4]

An attacker can send a NetBIOS message with data resembling an HTTP GET request. [severity:2/4]

An attacker can inject 5 SMB Write commands inside an SMB Write. [severity:2/4]

An attacker can fragment an MSRPC query into TCP packets sent in reverse order. [severity:2/4]

An attacker can fragment an MSRPC query into TCP packets sent in random order. [severity:2/4]

An attacker can fragment an MSRPC query into TCP packets sent with an initial sequence number near 0xFFFFFFFF. [severity:2/4]

An attacker can send an empty NetBIOS packet before each NetBIOS message. [severity:2/4]

An attacker can send an invalid NetBIOS packet before each NetBIOS message. [severity:2/4]

An attacker can use an unknown variation. [severity:2/4]
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2009-1227

Firewall-1: buffer overflow of PKI Web Service

Synthesis of the vulnerability

An attacker can connect to the PKI Web Service of Firewall-1 in order to generate an overflow.
Impacted products: FW-1.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 30/03/2009.
Revision date: 08/04/2009.
Identifiers: BID-34286, CVE-2009-1227, VIGILANCE-VUL-8574.

Description of the vulnerability

The PKI Web Service of Check Point Firewall-1 is a web server used to manage keys; it is reachable on port 18264/tcp.

The Authorization header of the HTTP protocol carries authentication data. The Referer header of the HTTP protocol indicates the previously visited URL.

When the PKI Web Service receives long Authorization or Referer headers, a buffer overflow occurs. This overflow may lead to code execution.

The list of vulnerable versions is not known. This vulnerability was found in 2006.

computer vulnerability 6035

Firewall-1: file reading

Synthesis of the vulnerability

An attacker can connect to the web server on port 18264/tcp in order to read a file from the system.
Impacted products: FW-1.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 25/07/2006.
Identifiers: BID-19136, VIGILANCE-VUL-6035.

Description of the vulnerability

A web server, used for CRL (Certificate Revocation Lists) and User Registration Services, listens on port 18264/tcp (FW1_ica_services).

This web server does not correctly filter characters in the URI, which permits an attacker to escape from the web root's jail. This vulnerability may only affect Windows platforms.

This vulnerability permits a remote attacker to read files located on the computer.

vulnerability announce CVE-2005-3666 CVE-2005-3667 CVE-2005-3668

IPSec: vulnerabilities of some ISAKMP protocol implementations

Synthesis of the vulnerability

Several implementations of the ISAKMP protocol are affected by the same vulnerabilities.
Impacted products: FW-1, VPN-1, ASA, Cisco Catalyst, IOS by Cisco, Cisco Router, Cisco VPN Concentrator, Debian, Fedora, Tru64 UNIX, HP-UX, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, Mandriva Linux, NETASQ, NetBSD, openSUSE, Openswan, Solaris, RHEL, SEF, SGS, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, denial of service on server, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 14.
Creation date: 14/11/2005.
Revision date: 22/11/2005.
Identifiers: 102040, 102246, 10310, 20060501-01-U, 273756, 273756/NISCC/ISAKMP, 6317027, 6348585, 68158, BID-15401, BID-15402, BID-15416, BID-15420, BID-15474, BID-15479, BID-15516, BID-15523, BID-17030, BID-17902, c00602119, CERTA-2005-AVI-458, CERTA-2005-AVI-504, CQ/68020, CSCed94829, CSCei14171, CSCei15053, CSCei19275, CSCei46258, CSCsb15296, CVE-2005-3666, CVE-2005-3667, CVE-2005-3668, CVE-2005-3669, CVE-2005-3670, CVE-2005-3671, CVE-2005-3672, CVE-2005-3673, CVE-2005-3674, CVE-2005-3675, CVE-2005-3732, CVE-2005-3733, CVE-2005-3768, CVE-2006-2298, DSA-965-1, FEDORA-2005-1092, FEDORA-2005-1093, FLSA:190941, FLSA-2006:190941, HPSBTU02100, HPSBUX02076, MDKSA-2006:020, NetBSD-SA2006-003, NISCC/ISAKMP/273756, PR/61076, PR/61779, PSN-2005-11-007, RHSA-2006:026, RHSA-2006:0267-01, SEF8.0-20051114-00, sk31316, SSRT050979, SUSE-SA:2005:070, SYM05-025, VIGILANCE-VUL-5352, VU#226364.

Description of the vulnerability

The IPSec protocol is used to create VPNs. To create an IPSec tunnel, SAs (Security Associations: algorithm, key size, etc.) have to be shared between both ends. The SAs can be set by the administrator, or exchanged automatically. In the latter case, the IKE protocol (Internet Key Exchange) is used. IKE is based on ISAKMP (and Oakley/Skeme). The ISAKMP protocol (Internet Security Association and Key Management Protocol) defines a generic framework (format and mechanism). ISAKMP uses two phases: setting up a secure connection (phase 1, main mode or aggressive mode), then using this connection to exchange one or several SAs (phase 2, quick mode). Aggressive mode uses fewer packets than main mode, and is therefore not recommended.

Several products incorrectly implement phase 1 of the ISAKMP/IKEv1 protocol. They contain buffer overflow, format string or denial of service vulnerabilities.

Depending on the product, these vulnerabilities lead to code execution or to a denial of service.

vulnerability note 5184

SecurePlatform NGX: rule bypassing with a CIFS rule

Synthesis of the vulnerability

When a rule contains the CIFS service, all sessions from clients are allowed.
Impacted products: FW-1, VPN-1.
Severity: 2/4.
Consequences: data flow.
Provenance: intranet client.
Creation date: 09/09/2005.
Identifiers: BID-14781, VIGILANCE-VUL-5184, VU#508209.

Description of the vulnerability

The CIFS service is predefined and is used for SMB/CIFS sessions to Windows shares.

When this service is used in a rule, only ports 137/udp, 138/udp, 139/tcp and 445/tcp should be opened. However, every TCP, UDP or ICMP packet is accepted.

Therefore, the source computers specified in this rule are allowed to connect to all services of the destination computers.

computer vulnerability bulletin CVE-2004-0230

TCP: denial of service using Reset packets

Synthesis of the vulnerability

By sending packets with the Reset flag set and predicting certain information, an attacker can interrupt active TCP sessions.
Impacted products: FabricOS, Brocade Network Advisor, Brocade vTM, FW-1, VPN-1, ASA, Cisco Cache Engine, Cisco Catalyst, Cisco CSS, IOS by Cisco, Cisco Router, Cisco VPN Concentrator, WebNS, FreeBSD, Tru64 UNIX, AIX, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, NSMXpress, Windows 2000, Windows 2003, Windows 95, Windows 98, Windows ME, Windows XP, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, TCP protocol, Raptor Firewall, SUSE Linux Enterprise Desktop, SLES, SEF, SGS.
Severity: 3/4.
Consequences: denial of service on client.
Provenance: internet client.
Creation date: 21/04/2004.
Revisions dates: 22/04/2004, 23/04/2004, 26/04/2004, 27/04/2004, 28/04/2004, 03/05/2004, 07/05/2004, 11/05/2004, 15/07/2004, 06/12/2004, 24/12/2004, 18/02/2005, 13/04/2005, 03/05/2005, 12/05/2005, 19/07/2005.
Identifiers: 20040403-01-A, 2005.05.02, 236929, 50960, 50961, 58784, 899480, 922819, BID-10183, BSA-2016-005, CERTA-2004-AVI-138, CERTA-2004-AVI-140, CERTA-2004-AVI-143, CERTFR-2014-AVI-308, CERTFR-2017-AVI-034, CERTFR-2017-AVI-044, CERTFR-2017-AVI-054, CERTFR-2017-AVI-131, CISCO20040420a, CISCO20040420b, cisco-sa-20040420-tcp-ios, cisco-sa-20040420-tcp-nonios, CSCed27956, CSCed32349, CVE-2004-0230, FreeBSD-SA-14:19.tcp, HP01077, IY55949, IY55950, IY62006, IY63363, IY63364, IY63365, IY70026, IY70027, IY70028, JSA10638, MS05-019, MS06-064, NetBSD 2004-006, NetBSD-SA2004-006, Netscreen 58784, OpenBSD 34-019, OpenBSD 35-005, PSN-2012-08-686, PSN-2012-08-687, PSN-2012-08-688, PSN-2012-08-689, PSN-2012-08-690, SGI 20040403, SUSE-SU-2017:0333-1, SUSE-SU-2017:0437-1, SUSE-SU-2017:0494-1, SUSE-SU-2017:1102-1, V6-TCPRSTWINDOWDOS, VIGILANCE-VUL-4128, VU#415294.

Description of the vulnerability

The TCP header contains a window field, which corresponds to the size of the receive buffer of the host that sent the packet. Thus, if some packets arrive out of order, the host can store them while waiting for the preceding packets.

Once a TCP connection is established, it can be terminated in two ways:
 - the two endpoints exchange packets with the Fin flag set. In this case, the sequence numbers (and the acknowledgement numbers, since the Ack is required) must match exactly.
 - one of the endpoints sends a packet with the Reset flag set. In this case (Ack flag not set), only the sequence number must match, and only approximately: it must fall within the receive window.

Thus, instead of guessing one sequence number among 2^32 values, the attacker only has to send 2^32/window Reset packets. For example, if the window size is 32k, the attacker has to send 2^32/32k = 131072 packets.

Note that to carry out this denial of service using a TCP Reset packet, the attacker must know:
 - the source and destination IP addresses
 - the source and destination ports
Some protocols such as BGP therefore become vulnerable, because this information can be obtained.

An attacker can thus send a TCP packet with the Reset flag set to interrupt an active TCP session.

Note that SYN packets can also be used, but this variant is less effective because of the limits generally put in place to protect against synflood attacks.

computer vulnerability announce CVE-2004-0079 CVE-2004-0081 CVE-2004-0112

OpenSSL: denials of service

Synthesis of the vulnerability

Three errors in OpenSSL allow an attacker to carry out a denial of service against applications using it.
Impacted products: FW-1, VPN-1, ASA, Cisco Catalyst, Cisco CSS, IOS by Cisco, Cisco Router, WebNS, Debian, Fedora, FreeBSD, HP-UX, Mandriva Linux, NetBSD, OpenBSD, OpenSSL, openSUSE, RHEL, RedHat Linux, Slackware, TurboLinux, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 17/03/2004.
Revisions dates: 18/03/2004, 19/03/2004, 22/03/2004, 23/03/2004, 29/03/2004, 30/03/2004, 22/04/2004, 27/04/2004, 07/05/2004, 10/05/2004, 12/07/2004, 03/11/2004, 01/02/2005.
Identifiers: 20041101-01-P, 20051101-01-U, 224012, 58466, BID-9899, CERTA-2004-AVI-095, CERTA-2004-AVI-111, CIAC O-101, CISCO20040317a, Compaq SSRT4717, CVE-2004-0079, CVE-2004-0081, CVE-2004-0112, DSA-465, DSA-465-1, FEDORA-2004-095, FEDORA-2005-077, FEDORA-2005-078, FEDORA-2005-079, FEDORA-2005-1042, FLSA-1395, FLSA:1395, FLSA:166939, FLSA-2005:166939, FreeBSD-SA-04:05, HP01011, HP01019, MDKSA-2004:023, NetBSD 2004-005, NetBSD-SA2004-005, Netscreen 58466, O-101, OpenBSD 33-021, OpenBSD 34-016, RHSA-2004:119, RHSA-2004:120, RHSA-2004:121, RHSA-2005:829, RHSA-2005:829-00, RHSA-2005:830, SGI 20041101, SSA:2004-077-01, SSRT4717, SUSE-SA:2004:007, TLSA-2004-09, TLSA-2004-9, V6-UNIXOPENSSL3DOS, VIGILANCE-VUL-4067, VU#288574, VU#465542, VU#484726.

Description of the vulnerability

The OpenSSL library is used by many security products, and contains three vulnerabilities.

The do_change_cipher_spec function dereferences a null pointer, which crashes the software. This error can be triggered during an SSL/TLS handshake. The affected versions are:
 - 0.9.6c up to and including 0.9.6k
 - 0.9.7a up to and including 0.9.7c

When Kerberos is used, a malformed handshake can crash the software. The affected versions are:
 - 0.9.7a up to and including 0.9.7c

An infinite loop can be created. The affected versions are:
 - 0.9.? up to and including 0.9.6c

These three vulnerabilities therefore allow a denial of service against applications using OpenSSL.

computer vulnerability alert CVE-2005-0218

Antivirus: no scanning of data embedded in a URI

Synthesis of the vulnerability

When data is embedded in a URI, several antivirus products do not scan it.
Impacted products: FW-1, ClamAV, Mandriva Linux, GroupShield, VirusScan, Sophos AV, InterScan VirusWall.
Severity: 2/4.
Consequences: data flow.
Provenance: internet server.
Creation date: 11/01/2005.
Revisions dates: 12/01/2005, 13/01/2005, 17/01/2005.
Identifiers: BID-12269, CVE-2005-0218, MDKSA-2005:025, V6-AVURIDATABYPASS, VIGILANCE-VUL-4636.

Description of the vulnerability

RFC 2397 defines the "data" scheme, which allows data to be embedded in the URI, generally base64-encoded. For example:
  data:image/gif;base64,gAARXhpZaZ==

Thus, an HTML document can contain an image:
  [img src="data:..."]
or a link:
  [a href="data:..."]

The Mozilla, Firefox, Safari and Opera browsers support this RFC. The Internet Explorer browser does not implement it.

Several antivirus products do not support this feature.

An attacker can therefore create an HTML document containing a malicious URI. The data it carries will not be detected by these antivirus products.

vulnerability note 4484

No filtering of certain web contents

Synthesis of the vulnerability

Some web content is not correctly filtered by firewalls.
Impacted products: Outpost Firewall, FW-1, ZoneAlarm.
Severity: 2/4.
Consequences: data creation/edition, data flow.
Provenance: internet server.
Creation date: 02/11/2004.
Identifiers: BID-11558, V6-FWWEBNOFILTRE, VIGILANCE-VUL-4484.

Description of the vulnerability

Firewalls have options to filter script code located in web pages.

However, by specially crafting the web document, this protection can be bypassed. For example, the following cases are not correctly handled by some firewalls:
 - presence of the 0x0B character (vertical tab)
 - presence of the 0x00 character (C string terminator)
 - UTF-7 encoding (Unicode)
 - UTF-16 encoding (Unicode)
 - use of special Content-Type values
 - use of expression()
 - inclusion of script in style sheets
 - inclusion of script in MHT documents

An attacker can therefore create web documents that bypass script execution restrictions.

computer vulnerability note CVE-2004-2679

Firewall-1 version detection

Synthesis of the vulnerability

When IPSec support is enabled, a remote attacker who is authorized to connect can obtain the Firewall-1 version.
Impacted products: FW-1.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 28/06/2004.
Identifiers: BID-10558, CVE-2004-2679, V6-FW1VPNVENDORIDINFO, VIGILANCE-VUL-4239.

Description of the vulnerability

The negotiation of the cryptographic keys needed to establish an IPSec flow is carried out using the IKE protocol.

An IKE packet can contain VendorID data indicating the type of client or firewall, for example in order to negotiate proprietary features.

When Firewall-1 receives an IKE packet:
 - from a client authorized to create a VPN session, and
 - carrying a VendorID of f4ed19e0c114eb516faaac0ee37daf2807b4381f,
it replies with its own VendorID followed by additional information. This information notably includes the product version and the level of applied patches.

This vulnerability thus allows an attacker to obtain information in order to prepare an intrusion.