CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
TITLE: CheckPoint VPN-1 IP Address Collision Security Issue

SECUNIA ADVISORY ID: SA29394

VERIFY ADVISORY: CheckPoint VPN-1 IP Address Collision Security Issue - Advisories - Secunia

CRITICAL: Less critical

IMPACT: Exposure of sensitive information, DoS

WHERE: From local network

SOFTWARE:
Check Point VPN-1/FireWall-1 NG with Application Intelligence (AI)
Check Point VPN-1 UTM NGX
Check Point VPN-1 Power NGX

DESCRIPTION: Robert Mitchell has reported a security issue in CheckPoint VPN-1, which can lead to a DoS (Denial of Service) or disclosure of sensitive information.

The security issue is caused due to an error in the handling of IP address collisions and can lead to a DoS or disclosure of sensitive information. The problem occurs when a remote access client has an IP address, which is also defined in the encryption domain of a gateway that has a site-to-site VPN tunnel to the gateway the client connects to.

SOLUTION: The vendor has issued hotfixes to resolve the issue (see vendor advisory for details).

PROVIDED AND/OR DISCOVERED BY: Robert Mitchell

ORIGINAL ADVISORY:
CheckPoint: https://secureknowledge.checkpoint.c...ion&id=sk34579
Check Point Software Technologies: Download Center
Robert Mitchell: Pure Security
| |||
I'm going to "out" myself on this - this is a vulnerability I discovered. Check Point and Secunia's advisory, IMHO, understate the risk of this.

If you are running Check Point with the following conditions:

1. NGX (Any version);
2. SecuRemote users not using Office Mode; and
3. Both Client-Site and Site-Site VPNs terminating on the same gateway;

then you really need to look at this advisory and understand its implications.

At the very least, unless you are running Office Mode and can force all your Remote Access users to use it, do *not* turn on SecuRemote back-connections. That mitigates the worst parts of the threat.

Also, be aware that the hotfix provides logs on the SmartView Tracker, but does not provide any feedback to the SecuRemote User on why their VPN connection fails. The user will authenticate successfully and send traffic, but it will be dropped at the Gateway. When the support call comes in from the user, you'll see "VPN Error Code 1" in the information field. The only way to fix the user's problem at this stage is to change their machine's IP address and/or use Office Mode.
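An added example, not part of the original post or of any Check Point tooling: a small audit that flags remote access clients whose own IP address falls inside the encryption domain of a site-to-site peer, which is the collision condition the advisory describes. The peer names, networks, session records and the `office_mode` field are constructed sample data and assumptions; real values would come from your own gateway configuration and logs.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the advisory).
PEER_ENCRYPTION_DOMAINS = {
    "branch-gw-a": ["192.168.1.0/24", "10.20.0.0/16"],
    "partner-gw-b": ["172.16.50.0/24"],
}
REMOTE_ACCESS_SESSIONS = [
    {"user": "alice", "client_ip": "192.168.1.10", "office_mode": False},
    {"user": "bob", "client_ip": "192.168.1.10", "office_mode": True},
    {"user": "carol", "client_ip": "203.0.113.7", "office_mode": False},
    {"user": "dave", "client_ip": "10.20.33.4", "office_mode": False},
]


def find_collisions(sessions, peer_domains):
    """Return (user, client_ip, peer, network) for every session that is not
    using Office Mode and whose client address lies inside the encryption
    domain of a site-to-site peer."""
    parsed = [
        (peer, ipaddress.ip_network(net, strict=False))
        for peer, nets in peer_domains.items()
        for net in nets
    ]
    hits = []
    for session in sessions:
        if session["office_mode"]:
            # The post names Office Mode as the workaround, so these
            # sessions are treated as out of scope for the collision check.
            continue
        addr = ipaddress.ip_address(session["client_ip"])
        for peer, net in parsed:
            if addr in net:  # False when IP versions differ
                hits.append(
                    (session["user"], session["client_ip"], peer, str(net))
                )
    return hits


if __name__ == "__main__":
    for user, ip, peer, net in find_collisions(
        REMOTE_ACCESS_SESSIONS, PEER_ENCRYPTION_DOMAINS
    ):
        print(f"{user}: client address {ip} collides with {peer} domain {net}")
```
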
| |||
Good work on the discovery.

__________________
It's all in the documentation.
| |||
I have a stupid question about this advisory. I'm running R62 on my Nokias. When I look up sk34579, in the section listing hotfixes for each version of CheckPoint, the hotfix for R62 has "GA" on the end; i.e. "For VPN-1 Power/UTM NGX R62 GA."

Why is "GA" on here? I know it means "Generally Available" but is this a special version of R62 that was released at some point? The other versions don't have this "GA" designation in this sk item. Does this hotfix work for all R62 versions? If not, does this mean there's no hotfix for my version of R62?

Please advise.

Thanks,
Chris.