The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SPLAT

computer vulnerability announce 13727

Check Point Threat Emulation: mail not scanned

Synthesis of the vulnerability

Some emails with an attachment are not scanned by the Check Point Threat Emulation blade.
Impacted products: GAiA, CheckPoint IP Appliance, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Creation date: 07/11/2013.
Identifiers: sk96269, VIGILANCE-VUL-13727.

Description of the vulnerability

Some emails with an attachment are not scanned by the Check Point Threat Emulation blade.
Full Vigil@nce bulletin... (Free trial)

vulnerability 13270

Check Point: vulnerabilities of IPMI

Synthesis of the vulnerability

An attacker can use IPMI vulnerabilities in several Check Point products, in order to perform management operations on the hardware.
Impacted products: GAiA, CheckPoint IP Appliance, CheckPoint Power-1 Appliance, SecurePlatform, CheckPoint Security Appliance, CheckPoint Smart-1, CheckPoint UTM-1 Appliance.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Creation date: 13/08/2013.
Identifiers: sk94228, VIGILANCE-VUL-13270.

Description of the vulnerability

The IPMI (Intelligent Platform Management Interface) protocol is used to manage the hardware.

Several vulnerabilities were announced in IPMI (VIGILANCE-VUL-13267, VIGILANCE-VUL-13268 and VIGILANCE-VUL-13269). Some of these vulnerabilities impact the hardware of Check Point products.

An attacker can therefore use IPMI vulnerabilities in several Check Point products, in order to perform management operations on the hardware.

computer vulnerability bulletin CVE-2013-3587

SSL, TLS: information disclosure via compression, BREACH

Synthesis of the vulnerability

An attacker can use several SSL/TLS compressed sessions, in order to obtain sensitive information from the server.
Impacted products: GAiA, CheckPoint IP Appliance, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway, BIG-IP Hardware, TMOS, Fedora, SSL protocol.
Severity: 1/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 05/08/2013.
Identifiers: CVE-2013-3587, FEDORA-2015-8606, FEDORA-2015-9143, sk93971, SOL14634, VIGILANCE-VUL-13198, VU#987798.

Description of the vulnerability

The bulletin VIGILANCE-VUL-11952 describes a vulnerability of SSL/TLS which uses the SSL/TLS compression. To protect against this vulnerability, SSL/TLS compression was disabled in most web browsers.

However, TLS/SSL servers can also transport data which uses another compression. For example, a web server can compress data it sends to its clients. A variant of the previous attack can thus still be exploited.

An attacker can therefore use several SSL/TLS compressed sessions, in order to obtain sensitive information from the server.

vulnerability alert 13191

Check Point R75.40VS: information disclosure via SecureXL

Synthesis of the vulnerability

An attacker can capture SIP/MGCP packets when SecureXL is enabled on Check Point R75.40VS, in order to obtain sensitive information.
Impacted products: GAiA, CheckPoint IP Appliance, CheckPoint Power-1 Appliance, SecurePlatform, CheckPoint Security Gateway, CheckPoint UTM-1 Appliance, CheckPoint VSX-1.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 02/08/2013.
Identifiers: sk92814, VIGILANCE-VUL-13191.

Description of the vulnerability

The SecureXL technology improves the performance of Check Point firewalls.

However, when it is enabled on R75.40VS, SIP (Session Initiation Protocol) and MGCP (Media Gateway Control Protocol) packets are not encrypted.

An attacker can therefore capture SIP/MGCP packets when SecureXL is enabled on Check Point R75.40VS, in order to obtain sensitive information.

vulnerability alert 12981

CheckPoint Security Gateway: information disclosure via VoIP

Synthesis of the vulnerability

When SecureXL is enabled on the caller side, an attacker can capture VoIP communications of CheckPoint Security Gateway, in order to obtain sensitive information.
Impacted products: GAiA, CheckPoint Power-1 Appliance, Provider-1, SecurePlatform, CheckPoint Security Gateway, CheckPoint UTM-1 Appliance, CheckPoint VSX-1.
Severity: 2/4.
Consequences: data reading, data flow.
Provenance: internet client.
Creation date: 17/06/2013.
Identifiers: sk92814, VIGILANCE-VUL-12981.

Description of the vulnerability

CheckPoint Security Gateway allows establishing VoIP calls through a VPN.

The VoIP signaling is exchanged via the SIP protocol. However, when SecureXL is enabled on the VPN end point at the caller side, SIP messages are sent in plain text instead of being encrypted as part of the VPN traffic. This allows an attacker located on the public network to capture the signaling traffic.

When SecureXL is enabled on the caller side, an attacker can therefore capture VoIP communications of CheckPoint Security Gateway, in order to obtain sensitive information.

vulnerability note CVE-2011-3389 CVE-2012-1870

SSL, TLS: obtaining HTTPS Cookies, BEAST

Synthesis of the vulnerability

An attacker, who can control the HTTPS connections of the victim's web browser and who has sufficient bandwidth, can use several SSL sessions in order to compute HTTP headers, such as cookies.
Impacted products: Asterisk Open Source, IPSO, SecurePlatform, CheckPoint Security Gateway, Debian, BIG-IP Hardware, TMOS, Fedora, HP-UX, Domino, Mandriva Linux, IIS, IE, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, Java OpenJDK, openSUSE, Opera, Oracle GlassFish Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Java Oracle, Oracle Web Tier, SSL protocol, RHEL, Sun AS, SUSE Linux Enterprise Desktop, SLES, Nessus.
Severity: 1/4.
Consequences: data reading.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 26/09/2011.
Identifiers: 2588513, 2643584, 2655992, AST-2016-001, BID-49778, BID-54304, c03122753, CERTA-2012-AVI-381, CERTFR-2016-AVI-046, CVE-2004-2770-REJECT, CVE-2011-3389, CVE-2012-1870, DSA-2368-1, DSA-2398-1, DSA-2398-2, FEDORA-2012-5916, FEDORA-2012-5924, FEDORA-2012-9135, FEDORA-2014-13764, FEDORA-2014-13777, HPSBUX02730, javacpuoct2011, MDVSA-2012:058, MDVSA-2012:096, MDVSA-2012:096-1, MDVSA-2012:097, MS12-006, MS12-049, openSUSE-SU-2012:0030-1, openSUSE-SU-2012:0063-1, openSUSE-SU-2012:0199-1, openSUSE-SU-2012:0229-1, openSUSE-SU-2012:0667-1, RHSA-2012:0034-01, RHSA-2013:1455-01, RHSA-2013:1456-01, sk74100, sk86440, SOL13400, SSRT100710, SUSE-SU-2012:0114-1, SUSE-SU-2012:0114-2, SUSE-SU-2012:0122-1, SUSE-SU-2012:0122-2, swg21568229, VIGILANCE-VUL-11014, VU#864643.

Description of the vulnerability

The SSL/TLS protocol supports CBC (Cipher Block Chaining) encryption: a clear block is "XORed" (Exclusive OR operation) with the last encrypted block, and the result is encrypted. This dependence between a block and its previous block has been the subject of several theoretical studies since 2002, and led to the definition of TLS 1.1 in 2006, which uses a different algorithm.

The HTTPS "protocol", used by web browsers, encapsulates an HTTP session in a SSL/TLS session. An HTTP query is like:
  GET /abcdefg HTTP/1.0
  Headers (cookies)
  ...
This query is fragmented in blocks of 8 bytes, which are encrypted by CBC. The first block is thus "GET /abc".

An attacker can set up a malicious web site, and invite the victim to connect. This web site can request the victim's web browser to load the page "/abcdefg" of a site secured by SSL/TLS.

The attacker controls the size of the requested url (via "/abcdefg"), so he can place the first byte of the headers at the end of a block (the 7 other bytes are known: "P/1.1\r\n"). This block follows a block which is fully known ("defg HTT"). The attacker can then capture the encrypted SSL/TLS session, and memorize the last encrypted block. This block is used as an initialization vector to compute an XOR between the encrypted "defg HTT" (block 2) and a guessed character located at the end of "P/1.1\r\n" (block 3). The result is reinjected by the attacker at the end of the HTTP query in clear text. He captures the resulting encrypted block, and if it is the same as the third encrypted block, then the guessed character was correct. The attacker repeats these queries as many times as necessary.

An attacker, who can control the HTTPS connections of the victim's web browser and who has sufficient bandwidth, can therefore use several SSL sessions in order to compute HTTP headers, such as cookies.

computer vulnerability bulletin CVE-2011-1827

Check Point Endpoint Security On-Demand: code execution via Deployment Agent

Synthesis of the vulnerability

A malicious web site can use the Deployment Agent, in order to execute code on victim's computer.
Impacted products: CheckPoint Endpoint Security, IPSO, SecurePlatform, CheckPoint VSX-1.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet server.
Creation date: 04/05/2011.
Identifiers: BID-47695, CVE-2011-1827, SEC Consult SA-20110810-0, sk62410, VIGILANCE-VUL-10618.

Description of the vulnerability

The following applications can be downloaded from a Security Gateway, in order to provide an SSL VPN On-Demand:
 - SSL Network Extender (SNX)
 - SecureWorkSpace
 - Endpoint Security On-Demand
They are deployed via the Check Point Deployment Agent ActiveX or Java applet.

However, this ActiveX/applet does not correctly check the origin of the deployment. A web site can thus convince the victim to install a malicious application.

A malicious web site can therefore use the Deployment Agent, in order to execute code on victim's computer.

vulnerability alert CVE-2008-5161

OpenSSH: information disclosure via CBC

Synthesis of the vulnerability

An attacker capturing an OpenSSH session has a low probability of obtaining 32 bits of plain text.
Impacted products: Avaya Ethernet Routing Switch, CheckPoint Power-1 Appliance, SecurePlatform, CheckPoint Smart-1, CheckPoint UTM-1 Appliance, CheckPoint VSX-1, BIG-IP Hardware, TMOS, AIX, NetBSD, OpenSolaris, OpenSSH, Solaris, RHEL.
Severity: 1/4.
Consequences: data reading.
Provenance: LAN.
Creation date: 18/11/2008.
Revision date: 21/11/2008.
Identifiers: 247186, 6761890, BID-32319, CPNI-957037, CVE-2008-5161, NetBSD-SA2009-005, RHSA-2009:1287-02, sk36343, sol14609, VIGILANCE-VUL-8251, VU#958563.

Description of the vulnerability

The OpenSSH program encrypts data of sessions using a CBC (Cipher Block Chaining) algorithm by default.

If an attacker creates an error in the session:
 - he has one chance in 262144 (2^18) of obtaining 32 bits of the unencrypted session
 - he has one chance in 16384 (2^14) of obtaining 14 bits of the unencrypted session
This attack interrupts the SSH session, so the victim detects that a problem occurred.

This vulnerability does not impact the CTR (Counter) algorithm.

An attacker capturing an OpenSSH session, and injecting invalid data, thus has a low probability of obtaining some bits of plain text.