Bugtraq mailing list archives

FireWall-1 weakness

From: Hugo.van.der.Kooij () CAIW NL (Hugo.van.der.Kooij () CAIW NL)
Date: Thu, 30 Sep 1999 07:58:22 +0200


Hi,

At present CheckPoint has not seen any reason to see the following issue
as a weakness in their product. So I now report this here:

If one takes CheckPoint FireWall-1 v4.0 SP4 (latest version) and build the
following rule:

Source:         Destination:    Protocol:       Action:
Any             citrix-server   winframe        accept

Where citrix-server is a simple network object and winframe the definition
as created by CheckPoint.

This rules allows winframe sessions to pass but should stop other traffic
as it does some more packet analyses.

A customer tried to run FTP through it and saw an accept in the log. But
due to the lack of a server on the other side could not establish wether
or not there was a leak.

Recreating this in the lab with telnet showed the same. However putting a
working telnetd on port 1494 at the specific server did still not allow
anyone to enter the system. After initial TCP connection setup it seems
the firewall drops connections.

But this will lead to two weaknesses:
 1. Any server defended by FireWall-1 could be subject to a DoS attack if
    the server should accept TCP sessions at port 1494. The server allows
    the initial setup and then stops forwarding.

    (That's two dependencies but we are the people that allways assume the
    worst as we are the ones that try to do the worst in such case ;-)

 2. The log only shows a succesfull start of the session but down not
    indicate any filtering. This leaves the operator of the firewall in
    the dark wether or not a session was cut off due to the missing
    winframe signature. So there is no indication off foul play and
    everyone will be assuming things are just fine.

    (We all know that if a firewall is supposed to show dropped packets
    that plenty of people will never look for trouble in the sessions that
    are allowed.)

I hope that this document will help people understand a oversight in the
logging/alerting facilities that they have to deal with in FireWall-1.

I did not test for other types of services that have additional checks in
them. They may suffer the same lack of logging/alerting in case incorrect
sessions are blocked.

Regards,
Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Use of any of my email addresses for unsollicited (commercial)
    email is a clear intrusion of my privacy and illegal!

Current thread:

Kvt bug Sebastian Wain (Sep 29)
- FireWall-1 weakness Hugo.van.der.Kooij () CAIW NL (Sep 29)
- ActiveX Buffer Overruns Shane Hird (Sep 30)
- Re: Kvt bug Pioppo (Sep 30)
- Re: Kvt bug Chris Seawood (Sep 30)