Check Point FireWall-1 has multiple critical vulnerabilities

News.com reports that Check Point has provided a patch for its Next Generation (NG) series, but only about 70 percent of current users have installed the version that will be patched. VPN-1 is no longer supported and won't be patched.

One vulnerability is due to a flaw in the HTTP Security Server proxy that is included with all current versions of FireWall-1. Attackers could use this exploit to tamper with the firewall configuration, leading to complete compromise of the network.

A flaw in the ISAKMP processing for VPN-1 Server, SecuRemote and SecureClient can allow a remote attacker to penetrate any VPN-1 server or client running SecuRemote and SecureClient. The threats are caused by format string errors found only in the Application Intelligence component and the HTTP Security Server application proxy and occurs only during the parsing of HTTP traffic. Even an unsuccessful attack can apparently crash current sessions.

Applicability
Check Point's statement indicates that VPN-1/FireWall-1 NG (and above) are affected only when using HTTP Security Servers. If the HTTP Security Servers are not in use on the module, there is no need to install the fix.

Xforce offers considerably more detail about the threat, including this listing of vulnerable software:

• Check Point FireWall-1 NG-AI R55, R54, including SSL hotfix
• Check Point FireWall-1 HTTP Security Server included with NG FP1, FP2, FP3
• Check Point FireWall-1 HTTP Security Server included with 4.1

Risk level—High to critical
These vulnerabilities can allow a remote attacker to completely compromise the vital firewall protection and also run arbitrary code on the system.

Mitigating factors
Check Point reports that this threat only affects firewalls using the HTTP Security Servers—other installations do not require the fix.

Fix—Patch
Patches are available for:

• Check Point FireWall-1 NG FP3 HF2
• Check Point FireWall-1 NG with Application Intelligence R54
• Check Point FireWall-1 NG with Application Intelligence R55

The Check Point notice states that earlier versions, including NG FCS, NG FP1, and NG FP2, are treated differently, but the link to that information requires a user password, so I can't report any details on how they differ.

Check Point no longer supports the versions of VPN-1 and SecuRemote/SecureClient affected by this vulnerability, according to ISS. Check Point recommends that affected users upgrade to FireWall-1 NG FP1 or greater.

Final word
There is little that can be considered more dangerous than a vulnerability that can allow a remote attacker to compromise the first, main, and sometimes the only line of defense for a network, and of course, that's what a firewall represents.

Also watch for …
A Cisco advisory alerts users that some 6000/6500/7600 systems are subject to a denial of service (DoS) attack, which can be triggered from within the network or possibly by an outside attacker. An initial attack is most likely to freeze the system, but Cisco says that this can be handled by a simple reset. Repeated attacks will probably result in a full DoS event. No workaround exists, but a patch is available from the vendor.

One threat affects the Cisco 6000/6500/7600 series with an MSFC2 and a FlexWAN or OSM module. The company says that systems not using FlexWAN or OSM are unaffected. Cisco also reports that CSCeb56052 "affects Cisco 6000/6500/7600 series with an MSFC2 module." Patches are available for Cisco IOS 12.1E, 12.2SY, and 12.2ZA.

The RealOne Player has a vulnerability that can allow an attacker to run arbitrary code on a user's system. NGSS Software and RealNetworks both have advisories on the three vulnerabilities that, cumulatively, appear to affect all platforms and language versions. This is not a Windows-only threat.

The SourceForge Tiny Server has multiple vulnerabilities affecting Version 1.1. The Tiny Server is a basic HTTP server used by some to manage a limited user base or limited needs. However, it can handle 100 connections, which are plenty for some remote offices, and it operates well over 56K modem connections.

Red Hat Security Announcement 2004:056 reports that the login program of util-linux prior to and including Enterprise Linux 2.1AS poses an information leakage threat unless patched. This leakage can include password data. This vulnerability has been designated CAN-2004-0080. The company says Red Hat Enterprise Linux 3 and Red Hat Linux 9 are not vulnerable to this threat.

Hewlett-Packard reports there are potential denial of service vulnerabilities in OpenVMS BIND Version 8 that may be exploited by local or remote users. The vulnerability affects HP TCP/IP V5.1 for HP OpenVMS Alpha and VAX, as well as HP TCP/IP V5.3 for HP OpenVMS VAX. BIND versions prior to 8.3.7 and 8.4 to 8.4.2j are affected.

TechRepublic originally published this article on 16 February 2004.