The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SPLAT

cybersecurity bulletin 14384

Check Point Security Gateway: HTTP evasion

Synthesis of the vulnerability

An attacker can flow malicious HTTP data through the Check Point Security Gateway, in order to bypass security features.
Severity: 2/4.
Creation date: 10/03/2014.
Identifiers: sk98814, VIGILANCE-VUL-14384.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Check Point Security Gateway product analyses HTTP streams in the following blades:
 - IPS
 - Application Control
 - URL Filtering
 - Anti-Virus
 - Anti-Bot
 - Threat Emulation

However, an attacker can alter the HTTP traffic, so it is not detected as malicious by the Check Point HTTP parser.

An attacker can therefore flow malicious HTTP data through the Check Point Security Gateway, in order to bypass security features.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2014-1673

Check Point Session Authentication Agent: authentication disclosure

Synthesis of the vulnerability

An attacker can spoof the Security Gateway, in order to force the Check Point Session Authentication Agent to send user credentials.
Severity: 2/4.
Creation date: 22/01/2014.
Revision date: 28/01/2014.
Identifiers: CVE-2014-1673, sk98263, VIGILANCE-VUL-14114.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Check Point Session Authentication Agent product is used to authenticate users on the Security Gateway.

However, as supported SSL algorithms do not protect against Man-in-the-Middle attacks, an attacker can spoof the IP address of the Security Gateway, in order to receive user credentials.

An attacker can therefore spoof the Security Gateway, in order to force the Check Point Session Authentication Agent to send user credentials.
Full Vigil@nce bulletin... (Free trial)

cybersecurity announce CVE-2014-1672

Check Point Security Gateway: Anti-Spoofing not enforced

Synthesis of the vulnerability

An attacker can in some cases traverse Check Point Security Gateway, with an IP address belonging to a forbidden network.
Severity: 2/4.
Creation date: 14/01/2014.
Identifiers: CVE-2014-1672, sk98087, VIGILANCE-VUL-14078.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Anti-Spoofing feature forbids an IP address belonging to one network to enter on another interface.

However, on Security Gateway version R75.47, the Anti-Spoofing is disrupted by the following operations:
 - change in the routing table
 - "Get - Interfaces with Topology" operation

An attacker can therefore in some cases traverse Check Point Security Gateway, with an IP address belonging to a forbidden network.
Full Vigil@nce bulletin... (Free trial)

cybersecurity weakness 13727

Check Point Threat Emulation: mail not scanned

Synthesis of the vulnerability

Some emails with an attachment are not scanned by the Check Point Threat Emulation blade.
Severity: 2/4.
Creation date: 07/11/2013.
Identifiers: sk96269, VIGILANCE-VUL-13727.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Some emails with an attachment are not scanned by the Check Point Threat Emulation blade.
Full Vigil@nce bulletin... (Free trial)

vulnerability 13270

Check Point: vulnerabilities of IPMI

Synthesis of the vulnerability

An attacker can use IPMI vulnerabilities in several Check Point products, in order to perform management operations on the hardware.
Severity: 2/4.
Creation date: 13/08/2013.
Identifiers: sk94228, VIGILANCE-VUL-13270.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The IPMI (Intelligent Platform Management Interface) protocol is used to manage the hardware.

Several vulnerabilities were announced in IPMI (VIGILANCE-VUL-13267, VIGILANCE-VUL-13268 and VIGILANCE-VUL-13269). Some of these vulnerabilities impact the hardware of Check Point products.

An attacker can therefore use IPMI vulnerabilities in several Check Point products, in order to perform management operations on the hardware.
Full Vigil@nce bulletin... (Free trial)

cybersecurity announce CVE-2013-3587

SSL, TLS: information disclosure via compression, BREACH

Synthesis of the vulnerability

An attacker can use several SSL/TLS compressed sessions, in order to obtain sensitive information from the server.
Severity: 1/4.
Creation date: 05/08/2013.
Identifiers: CVE-2013-3587, FEDORA-2015-8606, FEDORA-2015-9143, sk93971, SOL14634, VIGILANCE-VUL-13198, VU#987798.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The bulletin VIGILANCE-VUL-11952 describes a vulnerability of SSL/TLS which uses the SSL/TLS compression. To protect against this vulnerability, SSL/TLS compression was disabled in most web browsers.

However, TLS/SSL servers can also transport data which uses another compression. For example, a web server can compress data it sends to its clients. A variant of the previous attack can thus still be exploited.

An attacker can therefore use several SSL/TLS compressed sessions, in order to obtain sensitive information from the server.
Full Vigil@nce bulletin... (Free trial)

computer threat 13191

Check Point R75.40VS: information disclosure via SecureXL

Synthesis of the vulnerability

An attacker can capture SIP/MGCP packets when SecureXL is enabled on Check Point R75.40VS, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 02/08/2013.
Identifiers: sk92814, VIGILANCE-VUL-13191.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The SecureXL technology improves the performance of Check Point firewalls.

However, when it is enabled on R75.40VS, then SIP (Session Initiation Protocol) and MGCP (Media Gateway Control Protocol) packets are not encrypted.

An attacker can therefore capture SIP/MGCP packets when SecureXL is enabled on Check Point R75.40VS, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

threat alert 12981

CheckPoint Security Gateway: information disclosure via VoIP

Synthesis of the vulnerability

When SecureXL is enabled on caller side, an attacker can capture VoIP communications of CheckPoint Security Gateway, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 17/06/2013.
Identifiers: sk92814, VIGILANCE-VUL-12981.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

CheckPoint Security Gateway allow establish VoIP calls thorough a VPN.

The VoIP signaling is exchanged via the SIP protocol. However, when SecureXL is enabled in the VPN end point at caller side, SIP messages are sent in plain text instead of begin encrypted as part of VPN traffic. This allows an attacker located in the public network to capture signaling traffic.

When SecureXL is enabled on caller side, an attacker can therefore capture VoIP communications of CheckPoint Security Gateway, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

weakness bulletin CVE-2011-3389 CVE-2012-1870

SSL, TLS: obtaining HTTPS Cookies, BEAST

Synthesis of the vulnerability

An attacker, who can control HTTPS connections of victim's web browser and which has a sufficient bandwidth, can use several SSL sessions in order to compute HTTP headers, such as cookies.
Severity: 1/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 26/09/2011.
Identifiers: 2588513, 2643584, 2655992, AST-2016-001, BID-49778, BID-54304, c03122753, CERTA-2012-AVI-381, CERTFR-2016-AVI-046, CERTFR-2019-AVI-311, CVE-2004-2770-REJECT, CVE-2011-3389, CVE-2012-1870, DSA-2368-1, DSA-2398-1, DSA-2398-2, FEDORA-2012-5916, FEDORA-2012-5924, FEDORA-2012-9135, FEDORA-2014-13764, FEDORA-2014-13777, HPSBUX02730, javacpuoct2011, MDVSA-2012:058, MDVSA-2012:096, MDVSA-2012:096-1, MDVSA-2012:097, MS12-006, MS12-049, openSUSE-SU-2012:0030-1, openSUSE-SU-2012:0063-1, openSUSE-SU-2012:0199-1, openSUSE-SU-2012:0229-1, openSUSE-SU-2012:0667-1, RHSA-2012:0034-01, RHSA-2013:1455-01, RHSA-2013:1456-01, sk74100, sk86440, SOL13400, SSA-556833, SSRT100710, SUSE-SU-2012:0114-1, SUSE-SU-2012:0114-2, SUSE-SU-2012:0122-1, SUSE-SU-2012:0122-2, swg21568229, VIGILANCE-VUL-11014, VU#864643.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The SSL/TLS protocol supports CBC (Cipher Block Chaining) encryption: a clear block is "XORed" (operation Exclusive OR) with the last encrypted block, and the result is encrypted. This dependence between a block and its previous block was the subject of several theoretical studies since 2002, and led to the definition of TLS 1.1 in 2006, which uses a different algorithm.

The HTTPS "protocol", used by web browsers, encapsulates an HTTP session in a SSL/TLS session. An HTTP query is like:
  GET /abcdefg HTTP/1.0
  Headers (cookies)
  ...
This query is fragmented in blocks of 8 bytes, which are encrypted by CBC. The first block is thus "GET /abc".

An attacker can setup a malicious web site, and invite the victim to connect. This web site can request the victim's web browser to load the page "/abcdefg" of a site secured by SSL/TLS.

The attacker controls the size of the requested url (via "/abcdefg"), so he can place the first byte of headers at the end of a block (the 7 other bytes are known: "P/1.1\r\n"). This blocks follows a block which is fully known ("defg HTT"). The attacker can then capture the encrypted SSL/TLS session, and memorize the last encrypted block. This block is used as an initialization vector to compute an XOR between "defg HTT" (block 2) encrypted, and a guessed character located at the end of "P/1.1\r\n" (block 3). The result is reinjected by the attacker at the end of the HTTP query in clear text. He captures the resulting encrypted block, and if it is the same as the third encrypted block, then the guessed character was correct. The attacker repeats these queries as many times as necessary.

An attacker, who can control HTTPS connections of victim's web browser and which has a sufficient bandwidth, can therefore use several SSL sessions in order to compute HTTP headers, such as cookies.
Full Vigil@nce bulletin... (Free trial)

weakness bulletin CVE-2011-1827

Check Point Endpoint Security On-Demand: code execution via Deployment Agent

Synthesis of the vulnerability

A malicious web site can use the Deployment Agent, in order to execute code on victim's computer.
Severity: 3/4.
Creation date: 04/05/2011.
Identifiers: BID-47695, CVE-2011-1827, SEC Consult SA-20110810-0, sk62410, VIGILANCE-VUL-10618.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The following applications can be downloaded from a Security Gateway, in order to provide a SSL VPN On-Demand :
 - SSL Network Extender (SNX)
 - SecureWorkSpace
 - Endpoint Security On-Demand
They are deployed via the Check Point Deployment Agent ActiveX or Java applet.

However, this ActiveX/applet does not correctly check the origin of the deployment. A web site can thus convince the victim to install a malicious application.

A malicious web site can therefore use the Deployment Agent, in order to execute code on victim's computer.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.