The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of CheckPoint VPN-1

computer vulnerability alert 12396

Check Point VPN-1 Power VSX: incorrect policy calculation

Synthesis of the vulnerability

The policy computed by Check Point VPN-1 Power VSX lets an attacker access a resource that was previously used by another user.
Impacted products: VPN-1, CheckPoint VSX-1.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data flow.
Provenance: intranet client.
Creation date: 12/02/2013.
Identifiers: sk92023, VIGILANCE-VUL-12396.

Description of the vulnerability

The policy computed by Check Point VPN-1 Power VSX lets an attacker access a resource that was previously used by another user.
Full Vigil@nce bulletin... (Free trial)

vulnerability 12090

Check Point Security Gateway: denial of service via SYN Flood

Synthesis of the vulnerability

When the Check Point Security Gateway firewall receives more than 120,000 TCP SYN packets per second, it consumes a large amount of CPU.
Impacted products: CheckPoint Security Gateway, VPN-1.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 24/10/2012.
Identifiers: sk86721, VIGILANCE-VUL-12090.

Description of the vulnerability

The TCP SYN flag is used to initiate connections.

When the Check Point Security Gateway firewall receives more than 120,000 TCP SYN packets per second, it consumes a large amount of CPU.

This denial of service is not caused by a vulnerability, but Check Point offers methods and patches to optimize performance under such load.

computer vulnerability alert 11656

TCP: packets injection via a firewall and a malware

Synthesis of the vulnerability

When an attacker has installed unprivileged malware on a client computer, and a firewall sits between this client and a TCP server, an attacker located on the internet can infer valid sequence numbers in order to inject data into this TCP session.
Impacted products: CheckPoint Power-1 Appliance, CheckPoint Security Gateway, CheckPoint Smart-1, CheckPoint UTM-1 Appliance, VPN-1, CheckPoint VSX-1, TCP protocol.
Severity: 1/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 28/05/2012.
Identifiers: FGA-2012-19, sk74640, VIGILANCE-VUL-11656.

Description of the vulnerability

Malware running with privileges on the victim's computer can inject data into the victim's TCP sessions directly. Unprivileged malware cannot.

TCP sequence and acknowledgment numbers are used to order data. To inject a packet into an active TCP session, an attacker has to guess these numbers (and also the IP addresses and ports, but the malware can read those with netstat).

Firewalls usually block TCP packets whose sequence number lies outside the expected window. However, when this feature is enabled, a remote attacker can send a series of packets:
 - if one of these packets went through the firewall, the malware (which for example reads packet counters, whose precision is not guaranteed) reports it to the remote attacker,
 - if none of these packets went through, the malware tells the attacker to send another series.
After several iterations, the remote attacker therefore learns which sequence numbers are currently valid.

When an attacker has installed unprivileged malware on a client computer, and a firewall sits between this client and a TCP server, an attacker located on the internet can infer valid sequence numbers in order to inject data into this TCP session. The attack also works with the roles of client and server reversed.
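The iteration described above is a side channel: the firewall's in-window check is the oracle, and the client's packet counter is what leaks its answer. The following simulation is an added example, not code from the Vigil@nce bulletin, from FGA-2012-19 or from Check Point; the firewall, counter and window size (65535) are modelled assumptions. It shows how an off-path attacker recovers the exact expected sequence number with one probe per window-sized block followed by a short binary search.

```python
import random

SEQ_SPACE = 1 << 32
WINDOW = 65535   # window the firewall enforces; assumed value for this model


class StatefulFirewall:
    """Model of the firewall's sequence check: a segment for the tracked
    connection is forwarded only if its sequence number lies inside the
    receive window starting at rcv_nxt; everything else is silently dropped."""

    def __init__(self, rcv_nxt, window=WINDOW):
        self.rcv_nxt = rcv_nxt % SEQ_SPACE
        self.window = window
        self.forwarded = 0     # segments that reached the client
        self.probes = 0        # segments the attacker had to send

    def in_window(self, seq):
        return (seq - self.rcv_nxt) % SEQ_SPACE < self.window

    def deliver(self, seq):
        self.probes += 1
        if self.in_window(seq):
            self.forwarded += 1


class ClientCounters:
    """What unprivileged code on the client can see: a host-wide count of
    received TCP segments (netstat -s style), not the segments themselves."""

    def __init__(self, fw):
        self._fw = fw

    def received(self):
        return self._fw.forwarded


def infer_rcv_nxt(fw, counters, window=WINDOW):
    """Off-path attacker: find the exact sequence number the firewall expects.

    Phase 1 sends one probe per window-sized block of the 2^32 space; the
    malware reports the first block whose probe moved the counter.
    Phase 2 binary-searches the lower edge of the window inside that block.
    Returns (rcv_nxt, probes_sent)."""

    def accepted(seq):
        before = counters.received()
        fw.deliver(seq % SEQ_SPACE)
        return counters.received() > before

    hit = None
    for seq in range(0, SEQ_SPACE, window):   # consecutive probes are exactly one window apart
        if accepted(seq):
            hit = seq
            break
    if hit is None:
        raise RuntimeError("no probe was forwarded; is the connection tracked?")

    # hit lies in [rcv_nxt, rcv_nxt + window), so hit - window lies before the window.
    base = (hit - window) % SEQ_SPACE
    lo, hi = 0, window        # accepted(base + lo) is False, accepted(base + hi) is True
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if accepted(base + mid):
            hi = mid
        else:
            lo = mid
    return (base + hi) % SEQ_SPACE, fw.probes


if __name__ == "__main__":
    secret = random.randrange(SEQ_SPACE)
    fw = StatefulFirewall(secret)
    guess, probes = infer_rcv_nxt(fw, ClientCounters(fw))
    print(f"rcv_nxt={secret} inferred={guess} probes={probes}")
```

The cost is at most 2^32 / WINDOW + log2(WINDOW) probes, about 65,000, which is what makes the attack practical over the internet. Real counters are noisier than this model (the bulletin notes they are "not always precise"), so a real attacker repeats probes; the defence is to make the firewall's decision invisible to the endpoint, not to hope the counter stays coarse.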

vulnerability note 11424

Check Point Firewall VPN-1: obtaining the hostname

Synthesis of the vulnerability

An unauthenticated attacker can send a query to the SecuRemote Topology service, in order to obtain the name of the firewall.
Impacted products: CheckPoint SecuRemote, VPN-1.
Severity: 1/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 12/03/2012.
Identifiers: sk69360, VIGILANCE-VUL-11424.

Description of the vulnerability

The VPN SecuRemote service of the Check Point firewall listens on port 264/tcp, in order to provide topology information to VPN clients.

An unauthenticated client can connect to this service and obtain a certificate. However, the Common Name field of this certificate reveals the firewall name and the SmartCenter name.

An unauthenticated attacker can therefore send a query to the SecuRemote Topology service, in order to obtain the name of the firewall.

This information can be considered public, but it lets an attacker fingerprint the host as a Check Point firewall and learn its management server's name.
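A small checker for this leak, as an added example that is not part of the Vigil@nce bulletin or of Check Point's own tooling. The two probe messages are an assumption taken from publicly available scanners for this service, and the sample response is constructed to match the subject shape the bulletin describes (CN=gateway, O=SmartCenter); the parser is what you would run over a captured response.

```python
import re
import socket

# Probe sequence as published in open-source scanners for the topology service
# (assumption: copied from public tooling, not from the Check Point bulletin).
HELLO = b"\x51\x00\x00\x00\x00\x00\x00\x21"
TOPOLOGY_REQUEST = b"\x00\x00\x00\x0bsecuremote\x00"

# Subject of the returned certificate looks like "CN=<gateway>,O=<smartcenter>..<suffix>"
DN_RE = re.compile(rb"CN=([^,\x00]+),O=([^.\x00\s]+)")


def parse_topology_response(data):
    """Return (firewall_name, smartcenter_name) found in a response, or None."""
    m = DN_RE.search(data)
    if not m:
        return None
    return (m.group(1).decode("ascii", "replace"),
            m.group(2).decode("ascii", "replace"))


def query_securemote(host, port=264, timeout=5.0):
    """Connect unauthenticated to the topology service and extract the names.
    Only run this against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(HELLO)
        s.recv(4)                      # server acknowledgement; value not checked here
        s.sendall(TOPOLOGY_REQUEST)
        chunks = []
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return parse_topology_response(b"".join(chunks))


# Constructed sample response, shaped like the DN the service returns.
SAMPLE_RESPONSE = b"\x00\x00\x00\x2bCN=fw-edge1,O=smartcenter1..d8a2ab\x00"
```

The practical check is on the firewall side: if port 264/tcp answers from networks that carry no VPN clients, restrict it in the policy rather than relying on the names being harmless.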

vulnerability 10450

Check Point Endpoint: privilege elevation

Synthesis of the vulnerability

A local attacker can use a vulnerability of Check Point Endpoint Security Client, Endpoint Connect or SSL Network Extender, in order to gain privileges of the Windows system.
Impacted products: VPN-1.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 14/03/2011.
Identifiers: BID-46852, sk60510, VIGILANCE-VUL-10450.

Description of the vulnerability

The products Check Point Endpoint Security Client/VPN, Endpoint Connect and SSL Network Extender can be installed on Windows.

A local attacker can use a vulnerability of these products, in order to gain privileges of the Windows system.

computer vulnerability announce CVE-2010-0102

IDS, IPS: Advanced Evasion Techniques

Synthesis of the vulnerability

Twenty-three cases of standard packet variation techniques are not detected by most IDS/IPS.
Impacted products: FW-1, CheckPoint Security Gateway, VPN-1, Cisco IPS, TippingPoint IPS, McAfee NTBA, Snort.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 23.
Creation date: 17/12/2010.
Identifiers: CVE-2010-0102, SBP-2010-31, SBP-2010-32, SBP-2010-33, SBP-2010-34, SBP-2010-35, VIGILANCE-VUL-10227.

Description of the vulnerability

IDS/IPS capture network frames and analyze their content in order to detect intrusion attempts. Attackers usually apply variations to these packets in order to bypass the IDS/IPS. Twenty-three cases of standard packet variation techniques are not detected by most IDS/IPS. These 23 cases use IPv4, TCP, SMB and MSRPC variations, and they are based on methods that have been known for 12 years. Stonesoft named these cases "Advanced Evasion Techniques". They were announced in VIGILANCE-ACTU-2612.

An attacker can send an SMB Write packet with a special "writemode" value, followed by other SMB Write packets that are ignored by the target. [severity:2/4]

An attacker can split SMB Write data in packets containing only one byte, encapsulated in small IPv4/TCP fragments. [severity:2/4]

An attacker can duplicate each IPv4 packet, with additional IPv4 options. [severity:2/4]

An attacker can fragment MSRPC queries into packets containing at most 25 bytes of payload. [severity:2/4]

An attacker can send MSRPC messages where all integers are encoded as Big Endian instead of Little Endian. [severity:2/4]

An attacker can change NDR flags of MSRPC messages. [severity:2/4]

An attacker can create MSRPC fragmented messages in fragmented SMB messages. [severity:2/4]

An attacker can fragment SMB messages in blocks containing one byte of payload. [severity:2/4]

An attacker can fragment SMB messages in blocks containing at most 32 bytes of payload. [severity:2/4]

An attacker can use an SMB filename starting with "unused\..\". [severity:2/4]

An attacker can use overlapping TCP segments. [severity:2/4]

An attacker can send TCP segments in random order. [severity:2/4]

An attacker can fragment TCP data in blocks of one byte. [severity:2/4]

An attacker can use a second TCP session using the same port numbers. [severity:2/4]

An attacker can use a TCP session, where the first byte is sent with the urgent flag. [severity:2/4]

An attacker can send a NetBIOS message, with data similar to an HTTP GET query. [severity:2/4]

An attacker can nest 5 SMB Write commands inside an SMB Write. [severity:2/4]

An attacker can fragment a MSRPC query in TCP packets sent in the reverse order. [severity:2/4]

An attacker can fragment a MSRPC query in TCP packets sent in random order. [severity:2/4]

An attacker can fragment a MSRPC query in TCP packets sent with an initial sequence number near 0xFFFFFFFF. [severity:2/4]

An attacker can send an empty NetBIOS packet, before each NetBIOS message. [severity:2/4]

An attacker can send an invalid NetBIOS packet, before each NetBIOS message. [severity:2/4]

An attacker can use an unknown variation. [severity:2/4]
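Several of the TCP cases above (overlapping segments, one-byte segments, random order) rely on the same ambiguity: the sensor and the end host may resolve overlapping data differently. The reassembler below is an added example, not code from the bulletin, from Stonesoft or from any of the listed products; the traffic it feeds is constructed, and the "first"/"last" policies are simplified stand-ins for the per-OS behaviour a real sensor must emulate.

```python
from dataclasses import dataclass
import random


@dataclass
class Segment:
    seq: int      # sequence number of the first byte (relative; wrap-around not modelled)
    data: bytes


def reassemble(segments, policy="first"):
    """Rebuild the byte stream from segments that may overlap or arrive out of
    order. policy="first" keeps the bytes that arrived first; policy="last"
    lets a later segment overwrite. Real stacks differ per OS and per overlap
    shape, which is exactly the ambiguity the evasions exploit. Gaps become NULs."""
    stream = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first" and off in stream:
                continue
            stream[off] = b
    if not stream:
        return b""
    lo, hi = min(stream), max(stream)
    return bytes(stream.get(o, 0) for o in range(lo, hi + 1))


def contains_signature(stream, signature=b"evil.cgi"):
    """Stand-in for an IDS content rule."""
    return signature in stream


def overlap_evasion():
    """Constructed traffic: a harmless request, then an overlapping segment that
    rewrites the path. A sensor keeping first data sees /index.html while a host
    keeping last data executes /evil.cgi?a."""
    return [
        Segment(0, b"GET /index.html HTTP/1.0\r\n"),
        Segment(5, b"evil.cgi?a"),          # overlays bytes 5..14, "index.html"
    ]


def one_byte_shuffled(payload, seed=1):
    """Constructed traffic: the payload as one-byte segments in random order
    (the 'blocks of one byte' and 'random order' cases). No byte is sent twice,
    so every policy agrees; the evasion here targets sensors that give up on
    reassembly or cap the number of out-of-order segments they buffer."""
    segs = [Segment(i, payload[i:i + 1]) for i in range(len(payload))]
    random.Random(seed).shuffle(segs)
    return segs


def verdicts(segments):
    """Verdict each reassembly policy reaches for the same segments."""
    return {p: contains_signature(reassemble(segments, p)) for p in ("first", "last")}
```

A sensor that cannot tell which policy the protected host applies has to either normalize traffic (drop or rewrite overlaps before forwarding, as an inline IPS can) or alert on the overlap itself; matching signatures against one arbitrary reconstruction is what these 23 cases defeat.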

computer vulnerability note CVE-2008-4609

TCP: denial of service Sockstress

Synthesis of the vulnerability

An attacker can use a small TCP Window, in order to overload a TCP server.
Impacted products: ProxyAV, ProxyRA, ProxySG by Blue Coat, SGOS by Blue Coat, VPN-1, ASA, Cisco Catalyst, IOS by Cisco, Cisco Router, BIG-IP Hardware, TMOS, Linux, Windows 2000, Windows 2003, Windows 2008 R0, Windows (platform) ~ not comprehensive, Windows Vista, Windows XP, NLD, OES, OpenSolaris, openSUSE, Solaris, Trusted Solaris, TCP protocol, StoneGate Firewall, StoneGate IPS, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 01/10/2008.
Revisions dates: 20/10/2008, 09/09/2009.
Identifiers: 109444, 110132, 267088, 6759500, 967723, BID-31545, c01923093, CERTA-2009-ALE-017-003, cisco-sa-20090908-tcp24, cisco-sr-20081017-tcp, cpujul2012, CVE-2008-4609, FICORA #193744, HPSBMI02473, MS09-048, SA34, SA35, SA36, SA37, SA38, SA40, SA41, sk42723, sk42725, SOL10509, SOL7301, SOL9293, SSRT080138, SUSE-SA:2009:047, VIGILANCE-VUL-8139, VU#723308.

Description of the vulnerability

The "window" field of a TCP segment indicates how many bytes the receiver currently accepts beyond the acknowledged sequence number, and thus the range of sequence numbers it accepts for incoming data.

According to the TCP protocol, when a host cannot receive more data (for example because its buffers are full), it lowers the value of the "window" field. The remote host then has to send data slowly.

An attacker can therefore connect to a listening TCP service and artificially extend the session duration, in order to overload the remote host.

The attacker can also use a "reverse SYN cookie" technique together with the TCP Timestamp option, so that it does not have to keep per-connection state on its own computer.

An attacker therefore uses few resources on his own computer while forcing the target to use a lot. The impact of this temporary denial of service depends on the target system, and is similar to an attacker opening several real TCP sessions (except that his computer only uses a few resources). The attacker cannot spoof his IP address to exploit this attack.

There are several attack variants, related to the window size or to a temporary increase of the window size. The VIGILANCE-VUL-8844 vulnerability can be seen as a variant.

When the attacker stops sending packets, the denial of service stops. However, some additional implementation errors (such as the Microsoft CVE-2009-1926 vulnerability of VIGILANCE-VUL-9008, or the Cisco Nexus 5000 vulnerabilities described in the solution for Cisco) cause a permanent denial of service.

vulnerability note 8844

TCP: denial of service Nkiller2

Synthesis of the vulnerability

An attacker can use a TCP window of size zero in order to overload a TCP server.
Impacted products: ProxyAV, ProxyRA, ProxySG by Blue Coat, SGOS by Blue Coat, VPN-1, ASA, Cisco Catalyst, IOS by Cisco, Cisco Router, BIG-IP Hardware, TMOS, Linux, Windows 2000, Windows 2003, Windows 2008 R0, Windows Vista, Windows XP, NLD, OES, OpenSolaris, openSUSE, Solaris, Trusted Solaris, TCP protocol, SLES.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 07/07/2009.
Revision date: 09/09/2009.
Identifiers: 109444, 110132, 267088, 6759500, 967723, CERTA-2009-ALE-017-003, cisco-sa-20090908-tcp24, cisco-sr-20081017-tcp, FICORA #193744, MS09-048, SA34, SA35, SA36, SA37, SA38, SA40, SA41, sk42723, sk42725, SOL10509, SOL7301, SOL9293, SUSE-SA:2009:047, VIGILANCE-VUL-8844.

Description of the vulnerability

The "window" field of a TCP segment indicates how many bytes the receiver currently accepts beyond the acknowledged sequence number, and thus the range of sequence numbers it accepts for incoming data.

According to the TCP protocol, when a host cannot receive more data (for example because its buffers are full), it advertises a "window" of zero. The remote host then has to wait before sending new data: after a timeout it sends a window probe, and if it receives no answer it closes the session. However, if a late answer arrives, it waits once again.

An attacker can therefore connect to a listening TCP service and artificially extend the session duration, in order to overload the remote host.

The attacker can also use a "reverse SYN cookie" technique together with the TCP Timestamp option, so that it does not have to keep per-connection state on its own computer.

An attacker therefore uses few resources on his own computer while forcing the target to use a lot. The impact of this temporary denial of service depends on the target system, and is similar to an attacker opening several real TCP sessions (except that his computer only uses a few resources). The attacker cannot spoof his IP address to exploit this attack.

This attack is effective against a web server: the attacker requests a large file and then shrinks the window, so the web server keeps the transfer in progress and holds the associated resources.

When the attacker stops sending packets, the denial of service stops.

This vulnerability is similar to VIGILANCE-VUL-8139.
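Both VIGILANCE-VUL-8139 (small window) and this bulletin (zero window) leave the server holding a transfer that the peer never lets progress. The guard below is an added example, written here rather than taken from the bulletin or from any vendor's fix, of the server-side accounting that bounds the damage: a connection counts as stalled only while the peer advertises a tiny window and the server still has data to send, and connections are reset either after a stall lasts too long or when one peer holds too many stalled connections at once. The thresholds and the event trace are constructed assumptions.

```python
from collections import Counter


class WindowStallGuard:
    """Track connections whose peer keeps the receive window near zero while we
    still owe it data (the Sockstress/Nkiller2 pattern). Thresholds are
    assumptions to tune per service, not values from the bulletin."""

    def __init__(self, small_window=64, max_stall=60.0, max_stalled_per_source=4):
        self.small_window = small_window
        self.max_stall = max_stall
        self.max_stalled_per_source = max_stalled_per_source
        self.stalled_since = {}   # conn_id -> time the current stall started
        self.source = {}          # conn_id -> peer address

    def observe(self, conn_id, peer, now, window, unsent):
        """Call on every ACK from the peer with its advertised window and the
        number of bytes we still have queued for it. A tiny window with nothing
        to send is not a stall: the peer is simply idle."""
        self.source[conn_id] = peer
        if window <= self.small_window and unsent > 0:
            self.stalled_since.setdefault(conn_id, now)
        else:
            self.stalled_since.pop(conn_id, None)

    def close(self, conn_id):
        self.stalled_since.pop(conn_id, None)
        self.source.pop(conn_id, None)

    def to_abort(self, now):
        """Connections to reset now: stalled longer than max_stall, or owned by a
        peer that holds more than max_stalled_per_source stalled connections."""
        per_peer = Counter(self.source[c] for c in self.stalled_since)
        victims = set()
        for conn_id, since in self.stalled_since.items():
            if now - since >= self.max_stall:
                victims.add(conn_id)
            elif per_peer[self.source[conn_id]] > self.max_stalled_per_source:
                victims.add(conn_id)
        return victims


def replay(events, guard=None, decide_at=None):
    """Feed (time, conn_id, peer, window, unsent) events in time order and
    return the abort set at decide_at (default: time of the last event)."""
    guard = guard or WindowStallGuard()
    for t, conn_id, peer, window, unsent in sorted(events):
        guard.observe(conn_id, peer, t, window, unsent)
    if decide_at is None:
        decide_at = max(e[0] for e in events)
    return guard.to_abort(decide_at)


# Constructed trace: ten attacker connections each request a large file, then
# advertise window 0 from t=10 on and never recover; one honest client on a
# congested link advertises 0 for a few seconds and then opens up again.
ATTACKER, HONEST = "203.0.113.5", "198.51.100.7"
SAMPLE_EVENTS = []
for n in range(10):
    SAMPLE_EVENTS += [(0.0, f"a{n}", ATTACKER, 65535, 1_000_000),
                      (10.0, f"a{n}", ATTACKER, 0, 900_000),
                      (40.0, f"a{n}", ATTACKER, 0, 900_000)]
SAMPLE_EVENTS += [(0.0, "h0", HONEST, 65535, 500_000),
                  (12.0, "h0", HONEST, 0, 400_000),
                  (18.0, "h0", HONEST, 32768, 400_000),
                  (40.0, "h0", HONEST, 65535, 100_000)]
```

The per-source limit is what catches the attack early: a single stalled connection is indistinguishable from a slow client, so it is only reset after max_stall, while a peer parking many transfers at once is reset immediately. Because the attacker cannot spoof its address here, per-source accounting is reliable; behind a large NAT the limit needs to be raised or keyed on something finer than the IP.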

computer vulnerability announce 8427

Nokia IPSO: denial of service via SecureXL and NAT

Synthesis of the vulnerability

When SecureXL is enabled, an accepted and translated packet can stop the firewall.
Impacted products: IPSO, VPN-1.
Severity: 3/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 28/01/2009.
Identifiers: VIGILANCE-VUL-8427.

Description of the vulnerability

The SecureXL feature is used to improve performance by offloading some operations to IPSO.

An attacker can stop the firewall in the following case:
 - SecureXL is enabled,
 - the attacker sends a special packet (an IP fragment smaller than 20 bytes),
 - this packet matches an accept rule,
 - this packet matches an address translation rule,
 - this packet matches a rule that lets it traverse the firewall.

When SecureXL is enabled, an attacker can therefore send a malicious packet to stop the firewall.
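The pre-condition chain above only starts if the tiny fragment reaches rule matching and NAT at all. The filter below is an added example, not code from the bulletin, from Nokia or from Check Point, of the tiny-fragment check a practitioner would want in front of that path: it parses the IPv4 header, decides whether the packet is a fragment, and refuses fragments carrying fewer payload bytes than a transport header needs. The 20-byte floor and the sample packets are constructed assumptions.

```python
import struct

MIN_FRAGMENT_PAYLOAD = 20   # assumption: refuse fragments carrying fewer bytes than this


def fragment_info(packet):
    """Return (is_fragment, offset_bytes, more_fragments, payload_len) for an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    more_fragments = bool(flags_frag & 0x2000)       # MF flag
    offset = (flags_frag & 0x1FFF) * 8               # fragment offset is in 8-byte units
    return (more_fragments or offset > 0), offset, more_fragments, total_len - ihl


def should_drop(packet, min_payload=MIN_FRAGMENT_PAYLOAD):
    """Tiny-fragment policy: a fragment whose payload is shorter than min_payload
    cannot carry the transport header the later rules expect to inspect, so it is
    refused before any rule lookup or NAT happens."""
    is_fragment, _offset, _mf, payload_len = fragment_info(packet)
    return is_fragment and payload_len < min_payload


def make_packet(flags_frag, payload, proto=6):
    """Constructed IPv4 packet builder (checksum left zero; not validated here)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                         64, proto, 0, bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]))
    return header + payload
```

Drop decisions here are taken on the fragment alone, without reassembly, which is the cheap position to enforce them; full reassembly before inspection is the stronger but costlier alternative.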

computer vulnerability CVE-2008-5849

Checkpoint VPN-1: obtaining the private IP address

Synthesis of the vulnerability

An attacker can obtain the private IP address of services with a PAT address translation.
Impacted products: VPN-1.
Severity: 1/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 18/11/2008.
Revision date: 08/01/2009.
Identifiers: BID-32306, CERTA-2009-AVI-004, CVE-2008-5849, sk36321, VIGILANCE-VUL-8255.

Description of the vulnerability

The Checkpoint VPN-1 firewall can be configured to translate some ports (PAT, Port Address Translation) to internal computers that have a private IP address. Port 18264/tcp is typically configured with PAT to reach the Firewall Management Server.

The TTL field of an IP packet indicates the number of routers that the packet may still cross. Each router decrements it. When it reaches zero, an ICMP Time Exceeded error message is sent back to the source, and this message quotes the beginning of the failed packet.

However, when the TTL reaches zero on the firewall, the header quoted in the returned ICMP message contains the translated private destination address instead of the public address of the firewall.

An attacker can thus obtain the private IP address of services translated with PAT.
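The leak is visible in the quoted header inside the ICMP message, so checking for it means comparing that quoted destination with the address the probe was actually sent to. The parser below is an added example, not code from the bulletin or from Check Point: it builds a constructed ICMP Time Exceeded message of the shape RFC 792 defines (ICMP header, then the dropped packet's IP header and first 8 bytes of transport header) and then flags a mismatch. Addresses, the zero checksums and the port 18264 probe are constructed assumptions.

```python
import ipaddress
import struct

ICMP_TIME_EXCEEDED = 11


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header with a zero checksum; enough for parsing, and used
    here only to build the constructed sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_time_exceeded(reporter, to, quoted_src, quoted_dst, dport=18264):
    """Constructed ICMP Time Exceeded: the reporter quotes the IP header of the
    packet it dropped plus the first 8 bytes of its TCP header."""
    quoted = ipv4_header(quoted_src, quoted_dst, 6, 20, ttl=0) + struct.pack("!HHI", 40000, dport, 0)
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + quoted
    return ipv4_header(reporter, to, 1, len(icmp)) + icmp


def check_time_exceeded(packet, probed_dst):
    """Parse an IPv4 packet carrying ICMP Time Exceeded and compare the quoted
    destination with the address the probe was sent to. Returns None when the
    packet is not a Time Exceeded message."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8 + 20:      # protocol 1 = ICMP
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_TIME_EXCEEDED:
        return None
    quoted = icmp[8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < q_ihl + 8:
        return None
    quoted_dst = ipaddress.IPv4Address(quoted[16:20])
    _sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return {
        "reporter": str(ipaddress.IPv4Address(packet[12:16])),
        "quoted_dst": str(quoted_dst),
        "quoted_dport": dport,
        "leak": quoted_dst != ipaddress.IPv4Address(probed_dst),
        "private": quoted_dst.is_private,
    }
```

To exercise this against a live device you would send TCP probes to the translated port with increasing TTL and feed each ICMP reply to check_time_exceeded; a "leak" result whose quoted_dst is a private address is the bulletin's finding. A firewall that rewrites the quoted header back to the public address (or does not generate Time Exceeded for translated flows) passes the check.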