CERT-In Advisory CIAD-2004-04
HTTP Parsing Vulnerability in CheckPoint Firewall-1

Original issue date: February 6, 2004

Severity: High

Systems Affected

.  Check Point Firewall-1 NG FCS
.  Check Point Firewall-1 NG FP1
.  Check Point Firewall-1 NG FP2
.  Check Point Firewall-1 NG FP3, HF2
.  Check Point Firewall-1 NG with Application Intelligence R54
.  Check Point Firewall-1 NG with Application Intelligence R55

Overview

A vulnerability has been discovered in several versions of Check Point Firewall-1 which allows remote attackers to execute arbitrary code with administrative privileges. Using this vulnerability, the attacker could take control of the firewall and, in some cases, also control the server it runs on.

Impact

The vulnerability allows remote attackers to execute arbitrary code on affected firewalls with administrative privileges, typically "SYSTEM" or "root". Failed attempts to exploit this vulnerability may cause the firewall to crash.

Description

The Application Intelligence (AI) component of Check Point Firewall-1 is an application proxy that scans traffic for application layer attacks and can prevent such attacks. Earlier versions of Check Point Firewall-1 include the HTTP Security Server, which provides similar functionality.

Both HTTP Security Server and the HTTP portion of AI contain an HTTP parsing vulnerability that is triggered by sending an invalid HTTP request through the firewall. When Firewall-1 generates an error message in response to the invalid request, a portion of the input supplied by the attacker is included in the format string for a call to sprintf().

Internet Security Systems (ISS) has determined that it is possible to exploit this format string vulnerability to execute commands on the firewall. The vulnerability can be exploited as a heap overflow, which would allow an attacker to execute arbitrary code. In both cases, the commands or code executed by the attacker would run with administrative privileges, typically "SYSTEM" or "root".
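The flaw class described above, shown next to the corrected call, as an added example that is not taken from the advisory or from Check Point's code. The function names and message text are assumptions; the flawed builder uses snprintf() instead of sprintf() so the demonstration stays memory-safe, and the constructed inputs use only the "%%" directive, which consumes no argument.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical error-message builders; names and message text are assumptions.
   The pragmas only silence compiler warnings about the deliberately flawed call. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Flawed pattern: request bytes are copied into the format string itself,
   so any '%' directive in the request is interpreted by the second call. */
int error_msg_flawed(char *out, size_t outlen, const char *request) {
    char fmt[128];
    snprintf(fmt, sizeof fmt, "Invalid request: %s", request);
    return snprintf(out, outlen, fmt);
}

/* Corrected pattern: constant format string, request passed as data,
   output bounded. Returns -1 if the message had to be truncated. */
int error_msg_safe(char *out, size_t outlen, const char *request) {
    int n = snprintf(out, outlen, "Invalid request: %s", request);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

/* Returns 1 when the two builders disagree, i.e. the flawed builder
   parsed the request as a format string instead of copying it. */
int request_was_interpreted(const char *request) {
    char a[128], b[128];
    error_msg_flawed(a, sizeof a, request);
    error_msg_safe(b, sizeof b, request);
    return strcmp(a, b) != 0;
}

int main(void) {
    /* Constructed inputs, not captured traffic. */
    printf("%d\n", request_was_interpreted("GET /index.html"));
    printf("%d\n", request_was_interpreted("GET /100%%"));
    return 0;
}
```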

Solution

Apply the patch from Check Point.

In order to protect FireWall-1 against this vulnerability, Check Point recommends that customers apply a simple change to a configuration file on the enforcement modules that will solve the problem. For more information, please see the Check Point bulletin at:

http://www.checkpoint.com/techsupport/alerts/security_server.html

Check Point has reported that their products are only affected by this vulnerability if the HTTP Security Servers feature is enabled.

Therefore, affected sites may be able to limit their exposure to this vulnerability by disabling HTTP Security Servers or the Application Intelligence component, as appropriate.

Vendor Information

Check Point
FireWall-1 HTTP Security Server Vulnerability
http://www.checkpoint.com/techsupport/alerts/security_server.html

References

US-CERT Technical Cyber Security Alert TA04-036A
HTTP Parsing Vulnerabilities in Check Point Firewall-1
http://www.us-cert.gov/cas/techalerts/TA04-036A.html

CERT/CC Vulnerability VU#790771
HTTP Parsing Vulnerabilities in Check Point Firewall-1
http://www.kb.cert.org/vuls/id/790771

Internet Security Systems
Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities
http://xforce.iss.net/xforce/alerts/id/162

CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0039

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91 11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003