The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Check Point Security Gateway: denial of service via SYN Flood

Synthesis of the vulnerability 

When the Check Point Security Gateway firewall receives more than 120 000 TCP SYN packets per second, it consumes a large amount of CPU resources.
Vulnerable products: CheckPoint Security Gateway, VPN-1.
Severity of this weakness: 1/4.
Creation date: 24/10/2012.
References of this bulletin: sk86721, VIGILANCE-VUL-12090.

Description of the vulnerability 

The SYN flag of the TCP protocol is used to initialize sessions.

When the Check Point Security Gateway firewall receives more than 120 000 TCP SYN packets per second, it consumes a large amount of CPU resources.

This denial of service is not caused by a vulnerability, but Check Point offers methods and patches to optimize performance.
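To see when a gateway is approaching the rate quoted above, a monitor can count session-opening SYN segments per second from captured TCP headers. The following is an added example, not part of the bulletin or of Check Point's tooling; the function names and the sample traffic are constructed for illustration.

```python
from collections import Counter

SYN_RATE_THRESHOLD = 120_000  # SYN packets per second, the figure given in the bulletin

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP flag bits


def is_initial_syn(tcp_header: bytes) -> bool:
    """True for a session-opening segment: SYN set, ACK/RST/FIN clear."""
    if len(tcp_header) < 20:          # shorter than a minimal TCP header
        return False
    flags = tcp_header[13]            # flags byte of the TCP header
    return flags & (SYN | ACK | RST | FIN) == SYN


def syn_rate_per_second(packets):
    """packets: iterable of (timestamp_seconds, tcp_header_bytes).
    Returns {whole_second: number of initial SYNs seen in that second}."""
    rate = Counter()
    for ts, header in packets:
        if is_initial_syn(header):
            rate[int(ts)] += 1
    return dict(rate)


def seconds_over_threshold(packets, threshold=SYN_RATE_THRESHOLD):
    """Sorted (second, count) pairs where the SYN rate exceeds the threshold."""
    per_second = syn_rate_per_second(packets)
    return sorted((s, n) for s, n in per_second.items() if n > threshold)


def make_header(flags: int) -> bytes:
    """Constructed 20-byte TCP header with only data offset and flags set."""
    header = bytearray(20)
    header[12] = 5 << 4               # data offset = 5 32-bit words
    header[13] = flags
    return bytes(header)


if __name__ == "__main__":
    # Constructed sample: second 100 is ordinary traffic, second 101 is a flood.
    sample = [(100.0 + i / 1000, make_header(SYN)) for i in range(500)]
    sample += [(100.5, make_header(SYN | ACK)), (100.6, make_header(ACK))]
    sample += [(101.0 + i / 130_000, make_header(SYN)) for i in range(125_000)]
    print(seconds_over_threshold(sample))
```

SYN/ACK replies and established-session segments are excluded, so only packets that initialize sessions count toward the threshold.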

This computer vulnerability announcement impacts software or systems such as CheckPoint Security Gateway, VPN-1.

Our Vigil@nce team determined that the severity of this cybersecurity bulletin is low.

The trust level is "confirmed by the editor", and the origin of the attack is "internet client".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this threat.

Solutions for this threat 

Check Point Security Gateway: versions and workaround for SYN Flood.
Versions R75.46 and R76 are fixed.
A workaround is to:
 - modify kernel parameters:
     http://supportcontent.checkpoint.com/solutions?id=sk74480
 - increase the reception buffer size:
     http://supportcontent.checkpoint.com/solutions?id=sk42181
 - use the Multi-Queue feature:
     http://supportcontent.checkpoint.com/solutions?id=sk80940