Bugtraq mailing list archives

VPN-1/FireWall-1 Format Strings Vulnerability


From: "K. van der Raad" <k.van.der.raad () itsec nl>
Date: Thu, 12 Jul 2001 14:41:24 +0200

Hi,

We stumbled across the following vulnerability alert and did not see
this issue in Bugtraq yet:

http://www.checkpoint.com/techsupport/alerts/format_strings.html


--

July 11, 2001


Summary: 
A security issue exists in VPN-1/FireWall-1 version 4.1 whereby a valid
firewall administrator connecting from an authorized management client
may send malicious data to a management station inside a control
connection, possibly preventing proper operation of the management
station. This issue exists because some instances of improper string
formatting occur in VPN-1/FireWall-1 version 4.1. By sending specially
constructed commands through authorized communication channels,
arbitrary code may be inserted onto the operating system stack of a
VPN-1/FireWall-1 management station. This vulnerability may only be
exploited by an authorized and authenticated VPN-1/FireWall-1
administrator connecting from a workstation explicitly trusted by the
management station, although read/write permission is not required in
order to perform this attack. Since full access (read/write)
administrators and those at the local system console already have direct
access to the firewall system, this is an escalation of privilege only
for read-only administrators. 


Solution:
For all users, upgrade to VPN-1/FireWall-1 4.1 Service Pack 4 and
install the SP4 hotfix. This hotfix only needs to be applied to
management stations, not firewall modules.


Check Point/Nokia Appliances (IPSO) and AIX Note:
Since 4.1 SP3 is the most recent version of VPN-1/FireWall-1 released
for these platforms, the hotfix for these will be released for 4.1 SP3.
Future service packs will incorporate the fix. 


Who is affected: 
All installations of VPN-1/FireWall-1 which allow remote GUI connections
should be assumed vulnerable to this exploit. It should be noted again
that the attack must be made by an authorized and valid VPN-1/FireWall-1
administrator connecting from an authorized GUI client station.

Immediate workaround: 
Restrict remote GUI access for read-only firewall administrators; review
list of administrators and authorized GUI clients.

Changes made in the hotfix: 
Improper string formatting statements have been converted to secure ones
in this hotfix and all future releases. This has no other impact on
firewall operation.

Download information: 
For AIX, HPUX, Linux, Solaris, Windows NT & Windows 2000 select the
following options from the Software Subscription Download Site:

        Product: VPN-1/FireWall-1 or Provider-1 
        Version: 4.1 
        Operating System: [Appropriate OS] 
        Encryption: [VPN+Des or VPN+Strong] 
        SP/Patch Level: [Appropriate Hotfix] 

For IPSO 3.3 select the following options from the Software Subscription
Download Site:

        Product: Nokia IP Series Appliance 
        Version: 4.1 
        Operating System: IPSO 3.3 
        Encryption: [VPN+Des or VPN+Strong] 
        SP/Patch Level: Format String Hotfix for SP3 (IPSO 3.3 Only) 


Acknowledgement:
This issue has been reported to Check Point by Halvar Flake, senior
reverse engineer of BlackHat Consulting.


-- 

        Kevin van der Raad <mailto:k.van.der.raad () itsec nl>

        ITsec Nederland B.V. <http://www.itsec.nl>
        Information Security
        Exploit & Vulnerability Alerting Service

        P.O. box 5120
        NL 2000 GC Haarlem
        Tel +31(0)23 542 05 78
        Fax +31(0)23 534 54 77

--

ITsec Nederland B.V. may not be held liable for the effects or damages
caused by the direct or indirect use of the information or functionality
provided by this posting, nor the content contained within. Use them at
your own risk. ITsec Nederland B.V. bears no responsibility for misuse
of this posting or any derivatives thereof.

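The class of defect the advisory describes, as an added illustration that is not Check Point's code: a hypothetical audit-log routine on a management station formats text received over a control connection, first with the received text used directly as the format string, then with the constant-format form that the hotfix's "secure" statements correspond to, plus a defensive check for inbound text that should never reach a formatting function. All function names, buffers and messages are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical audit-log routine on a management station; names, buffers
 * and messages are constructed for this example, not Check Point's code. */

/* Defective pattern: text received over the control connection is used
 * as the format string, so every '%' directive it carries is interpreted
 * by snprintf() (gcc -Wformat-security reports this call). */
int log_msg_unsafe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, msg);
}

/* Corrected pattern: a constant format; the received text is data only. */
int log_msg_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Defensive check for inbound text that should never be a format string:
 * count '%' conversions, treating "%%" as a literal percent sign. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped literal, skip pair */
        n++;
    }
    return n;
}

static char unsafe_buf[128], safe_buf[128];

/* Render the same message both ways so the difference is observable. Only
 * "%%" is used as input: it is well defined under both paths, unlike a
 * "%s" or "%x" with no matching argument, which is undefined behaviour. */
const char *render_unsafe(const char *msg)
{
    log_msg_unsafe(unsafe_buf, sizeof unsafe_buf, msg);
    return unsafe_buf;
}

const char *render_safe(const char *msg)
{
    log_msg_safe(safe_buf, sizeof safe_buf, msg);
    return safe_buf;
}
```

For the constructed message `rule update 100%% complete`, the unsafe path logs `100% complete` while the safe path logs the text verbatim, which is the observable sign that received data is being interpreted as a format.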

