Appendix F
Known Vulnerabilities
Contents
1 NAI Gauntlet Firewall ... 1
2 Axent Raptor Firewall ... 8
3 Check Point FireWall-1 ... 9
Appendix F: Known Vulnerabilities
1 NAI Gauntlet Firewall
Currently, 4 known vulnerabilities exist for the Gauntlet Firewall; if the PKI servers are taken into consideration, 6 are known.
Vulnerability Details
ID: 2064
Vulnerability: Gauntlet 5.0 running on BSDI
Date: 10/19/99
eSecurityOnline.com Vulnerability Risk Formula = (Impact * .4) + (Popularity * .3) + (Simplicity * .3)
Vulnerability Risk: 8.5 (Impact 10, Popularity 5, Simplicity 10)
Affected Technology: Gauntlet 5.0 running on BSDI
Local/Remote: Remotely
Description
A misconfiguration in the OS and firewall patching procedure for the Gauntlet firewall allows an attacker to circumvent the firewall proxies. The misconfiguration occurs when firewall administrators install the latest OS patches released by BSDI after the Gauntlet install. If administrators do not follow the specific install order outlined in the Gauntlet documentation, the firewall is exposed to this vulnerability.
Impact on Technology
Attackers can circumvent firewall security and attack systems behind the firewall.
Technical Recommendation
Install the Gauntlet patch released by NAI: http://www.tis.com/support/patch50.html (kernel.BSDI.patch, patchlevel 3)
As a workaround, always follow this procedure when installing OS patches:
1) Install BSDI 3.1
2) Install the latest BSDI patches
3) Install Gauntlet 5.0
4) Install the latest Gauntlet patches
5) Never install any OS patches again
Whenever BSDI releases a new patch, the entire process needs to be repeated. This effectively forces a hot-swappable architecture: a build box on which the new patches are installed, which is then swapped with the production box.
Cause
Misconfiguration
References: Mitre CVE GENERIC-MAP-NOMATCH, http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
©2001 eSecurityOnline LLC. All rights reserved.
Vulnerability Details
ID: 2548
Vulnerability: Gauntlet Firewall/CyberPatrol cyberdaemon buffer overflow vulnerability
Date: 5/21/00
Vulnerability Risk: 7.3 (Impact 10, Popularity 8, Simplicity 3)
Affected Technology: Gauntlet for UNIX versions 4.1, 4.2, 5.0, 5.5; WebShield 300 series E-ppliance; WebShield for Solaris 4.0; WebShield 100 series E-ppliance
Local/Remote: Remotely
Description
The Gauntlet firewall, when used with CyberPatrol, is vulnerable to a buffer overflow condition that allows a remote attacker to cause a denial of service condition or execute arbitrary code as root. The problem occurs due to incorrect bounds checking on processed HTTP URLs. An attacker can send a specially crafted string as part of an HTTP URL and cause a denial of service or gain root access.
Impact on Technology
Remote attackers can disable the HTTP proxy process or achieve root access.
Technical Recommendation
The vendor patch is available at the following URL:
http://www.pgp.com/jump/gauntlet_advisory.asp
Cause
Insecure Design
References: Mitre CVE CVE-2000-0437, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0437
Vulnerability Details
ID: 1018
Vulnerability: Gauntlet mail loop
Date: 7/30/97
Vulnerability Risk: 5.6 (Impact 5, Popularity 2, Simplicity 10)
Affected Technology: Gauntlet firewalls
Local/Remote: Remotely
Description
Gauntlet firewalls may be susceptible to a DoS attack when mail to an unknown recipient is received. This can cause a mail loop which can disable the mail forwarding capability of the firewall by filling up the file system.
Impact on Technology
This can allow an attacker to launch a denial of service attack.
Technical Recommendation
Upgrade to the latest version of Gauntlet.
Cause
Insecure Design
References: Mitre CVE GENERIC-MAP-NOMATCH, http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Vulnerability Details
ID: 1909
Vulnerability: Gauntlet ICMP denial of service vulnerability
Date: 8/1/99
Vulnerability Risk: 5 (Impact 5, Popularity 2, Simplicity 8)
Affected Technology: Gauntlet 5.0 running on Solaris or BSDI
Local/Remote: Remotely
Description
A vulnerability in the Gauntlet firewall allows an attacker to crash or reboot the firewall machine. The attacker exploits this vulnerability by sending a specially crafted IP-encapsulated ICMP packet through the Gauntlet firewall. The filtering rules must allow the packet to pass through the firewall for the exploit to work.
Impact on Technology
Attackers can crash the firewall application, and in some cases lock up the entire machine, resulting in a denial of service condition.
Technical Recommendation
Contact the vendor for patch availability: http://www.nai.com/
The patch can be downloaded at ftp://ftp.tis.com/gauntlet/patches/5.0
As a workaround, upgrade to Gauntlet 5.5, but beware that it is in beta testing at the time of this writing.
Cause
Software Vulnerability
References: Mitre CVE CVE-1999-0683, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0683
Vulnerability Details
ID: 3122
Vulnerability: Network Associates Net Tools PKI server XUDA template vulnerability (PKI-Server)
Date: 6/19/00
Vulnerability Risk: 4 (Impact 4, Popularity 6, Simplicity 2)
Affected Technology: Network Associates Net Tools PKI server 1.0
Local/Remote: Remotely
Description
Network Associates Net Tools PKI server is vulnerable to a flaw that allows a remote attacker to gain access to the host computer. The problem is due to the XUDA (Xcert Universal Database API) template files not containing absolute pathnames to other files.
Impact on Technology
A remote attacker can gain access to a host computer.
Technical Recommendation
Network Associates Net Tools PKI Server 1.0:
ftp://ftp.tis.com/gauntlet/hide/pki/PKISERVER100-SP1-103-1.EXE
Cause
Software Vulnerability
References: Mitre CVE GENERIC-MAP-NOMATCH, http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Vulnerability Details
ID: 2652
Vulnerability: NAI Net Tools PKI buffer overflow vulnerability (PKI-Server)
Date: 6/19/00
Vulnerability Risk: 6.9 (Impact 6, Popularity 5, Simplicity 10)
Affected Technology: Network Associates Net Tools PKI Server 1.0
Local/Remote: Remotely
Description
An OEM version of software in the Net Tools PKI Server is vulnerable to a buffer overflow that can lead to a denial of service condition. Under the right conditions, HTTP requests with extremely long values can cause the server to crash.
Impact on Technology
Remote attackers can invoke a denial of service condition.
Technical Recommendation
Apply the latest vendor patch for the product:
ftp://ftp.tis.com/gauntlet/hide/pki/PKISERVER100-SP1-103-1.EXE
Cause
Software Vulnerability
References: Mitre CVE GENERIC-MAP-NOMATCH, http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
2 Axent Raptor Firewall
The Raptor Firewall currently only has 1 known vulnerability.
Vulnerability Details
ID: 2070
Vulnerability: Axent Raptor IP Option DoS
Date: 10/21/99
Vulnerability Risk: 5 (Impact 5, Popularity 5, Simplicity 5)
Affected Technology: Raptor 6.0.0 running on Solaris 2.6 and HP-UX
Local/Remote: Remotely
Description
A vulnerability in the Axent Raptor Firewall allows an attacker to lock the system, requiring a reboot. The attacker exploits an implementation problem in the Raptor IP option handler. In a typical attack scenario, the attacker will send a specially crafted packet with IP options and it will lock the firewall, requiring a hard reboot.
Impact on Technology
Attackers can lock the firewall, resulting in a denial of service condition.
Technical Recommendation
Install the latest patches and hotfixes provided by the vendor:
ftp://ftp.raptor.com/pub/patches/V6.0/6.02Patch
http://www.raptor.com/cs/patches/eunv602hotfixes.html
Cause
Software Vulnerability
References: (none listed)
3 Check Point FireWall-1
Check Point’s Firewall-1 currently has 13 known vulnerabilities.
Vulnerability Details
ID: 2620
Vulnerability: Check Point FireWall-1 fragmented IP packet denial of service vulnerability
Date: 6/6/00
Vulnerability Risk: 8.3 (Impact 8, Popularity 8, Simplicity 9)
Affected Technology: Check Point FireWall-1 4.0 and 4.1
Local/Remote: Remotely
Description
The FireWall-1 utility is vulnerable to a denial of service attack that can allow remote attackers to compromise system resources. The problem occurs because the logging program consumes CPU when a fragmented IP packet is received. An attacker can send numerous fragmented IP packets and cause the system to become unresponsive.
Impact on Technology
Remote attackers can cause a denial of service condition.
Technical Recommendation
Service Pack 2 for FireWall-1 version 4.1 and the Service Pack 6 Hot Fix for FireWall-1 version 4.0 will be available from the vendor in the near future.
As a workaround, disable console logging with the following command:
$FWDIR/bin/fw ctl debug -buf
Also add the above line to $FWDIR/bin/fw/fwstart to turn off the functionality at boot.
Vendor advisory:
http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html
Cause
Software Vulnerability
References: Mitre CVE GENERIC-MAP-NOMATCH, http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Vulnerability Details
ID: 1905
Vulnerability: Check Point Connection table DoS
Date: 7/30/99
Vulnerability Risk: 8 (Impact 8, Popularity 9, Simplicity 7)
Affected Technology: Check Point FW-1 version 4.0 SP3 running on Solaris; possibly other versions running on other OSes.
Local/Remote: Remotely
Description
A vulnerability in the FW-1 firewall product allows an attacker to prevent the firewall from accepting new connections. The attacker exploits a bug in the firewall software that fills the firewall connection table. Once the connection table is filled, the firewall will no longer be able to accept new connections.
Impact on Technology
Attackers can deny service to legitimate users.
Technical Recommendation
As a workaround, implement one or more of the following configuration changes:
1) Increase the size of the connections table
2) Decrease the default TCP timeout of one hour
3) Modify the rulebase to restrict as much traffic as possible
4) Monitor the connections table closely, and set an alarm if the size reaches a certain threshold
For more detailed discussions, visit the following web sites:
http://www.checkpoint.com/techsupport/alerts/ackdos.html
http://www.enteract.com/~lspitz/fwtable.html
Another option is to edit the code.def files as described below.
The following INSPECT code (between the two lines starting with "---") should be added to the $FWDIR/lib/code.def file (at the end of the file, just before the #endif statement). NOTE: if you are managing V3.0 modules using the 4.0 backwards compatibility feature, make the changes to the V3.0 code.def file (located in $FWDIR/lib30) as described under "Check Point 3.0-based Installations". After completing the edit, re-install the security policy. For 4.0-based installations, this code will
set sr10 12, set sr11 0, set sr12 0, set sr1 0, log bad_conn ) or 1, #endif vanish ); #endif
End of 4.0 insert
---
Check Point 3.0-based Installations:
The following INSPECT code (between the two lines starting with "---") should be added to the $FWDIR/lib/code.def file (at the end of the file, just before the #endif statement). After completing the edit, re-install the security policy. 3.0 edit follows
---
#ifndef ALLOW_NONFIRST_RULEBASE_MATCH
tcp, first or in old_connections or vanish;
#endif
End of 3.0 insert
---
Cause
Software Vulnerability
References: Mitre CVE GENERIC-MAP-NOMATCH, http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
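As an added example (not Check Point's code) for workaround items 1, 2 and 4 above: a small Python monitor that parses the summary printed by `fw tab -t connections -s`, classifies usage against a configured table limit, and estimates the steady-state table size implied by the new-connection rate and the TCP timeout, which is why shortening the one-hour default helps. The column layout of the summary, the sample output and the 25000-entry limit are assumptions, not values taken from this page.

```python
"""Connections-table threshold alarm for FireWall-1 (added example, not vendor code)."""

# Constructed sample of the `fw tab -t connections -s` summary. The column
# order HOST NAME ID #VALS #PEAK #SLINKS is an assumption about the output.
SAMPLE_OUTPUT = """\
HOST                  NAME                         ID #VALS   #PEAK  #SLINKS
localhost             connections                8158  21987   24533        0
"""

# Assumed table limit; FW-1 sizes the table with a "limit" in table.def, and
# the value configured there is what must be passed in here.
ASSUMED_TABLE_LIMIT = 25000


def parse_connections_summary(text):
    """Return (current_entries, peak_entries) from the summary text.

    Looks for the row whose NAME column is "connections" and reads the
    #VALS and #PEAK columns; raises ValueError when no such row exists.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[1] == "connections":
            return int(fields[3]), int(fields[4])
    raise ValueError("no connections row found in fw tab output")


def evaluate(current, table_limit, alarm_ratio=0.8):
    """Classify table usage: 'alarm' at the limit, 'warn' above alarm_ratio, else 'ok'."""
    if current >= table_limit:
        return "alarm"
    if current >= alarm_ratio * table_limit:
        return "warn"
    return "ok"


def estimate_steady_state(new_conn_per_sec, tcp_timeout_secs):
    """Entries the table must hold if every entry lives for the full timeout.

    This is the worst case for idle or half-open connections and shows why
    item 2 (a shorter TCP timeout) reduces pressure on the table.
    """
    return new_conn_per_sec * tcp_timeout_secs


def check(text, table_limit=ASSUMED_TABLE_LIMIT, alarm_ratio=0.8):
    """Parse one summary and return a dict suitable for an alarm hook or log line."""
    current, peak = parse_connections_summary(text)
    return {
        "current": current,
        "peak": peak,
        "limit": table_limit,
        "state": evaluate(current, table_limit, alarm_ratio),
    }


if __name__ == "__main__":
    print(check(SAMPLE_OUTPUT))
    # 10 new connections/s with the default one-hour timeout needs 36000 entries,
    # more than the assumed 25000 limit; a 15-minute timeout needs 9000.
    print(estimate_steady_state(10, 3600), estimate_steady_state(10, 900))
```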
Vulnerability Details
ID: 1015
Vulnerability: Firewall-1 (Default Allow)
Date: 11/2/98
Vulnerability Risk: 7.7 (Impact 8, Popularity 5, Simplicity 10)
Affected Technology: Systems protected by Firewall-1
Local/Remote: Remotely
Description
Firewall-1 can allow an attacker to pass packets through the firewall or perform a denial of service attack. Implicit allow rules exist in a default installation of Firewall-1: RIP (UDP port 520), DNS (UDP and TCP port 53) and all ICMP except Redirects. These packets are not logged, allowing RIP, DNS, or ICMP attacks to go unnoticed.
Impact on Technology
Attackers can attack internal networks through a FW-1 firewall or cause a denial of service.
Technical Recommendation
Using the Firewall-1 menu options, in the Security Policy window choose Properties from the Policy menu. Uncheck the "Accept Domain Name Queries (UDP)" and "Accept Domain Name Download (TCP)" checkboxes. (This will disable DNS traffic.)
Allow DNS traffic with an implicit rule from the protected side to a specific DNS server on the external side.
Or lastly, process all implicit rules as "Last" and log the packets in a secure fashion.
Cause
Misconfiguration
Vulnerability Details
ID: 2763
Vulnerability: Check Point FireWall-1 denial of service and authentication bypass vulnerabilities
Date: 7/26/00
Vulnerability Risk: 7.2 (Impact 9, Popularity 9, Simplicity 3)
Affected Technology: Check Point FireWall-1 4.0 and 4.1
Local/Remote: Remotely
Description
Check Point FireWall-1 is vulnerable to several flaws that can allow an attacker to cause denial of service conditions and gain unauthorized access. The problems occur due to a buffer overflow, circumvention of the authentication process, and improper handling of invalid packets.
Impact on Technology
Remote attackers can cause a denial of service or gain access through the firewall.
Technical Recommendation
Upgrade to the service pack indicated by the vendor:
http://www.checkpoint.com/cgi-bin/download.cgi
VPN-1/FireWall-1 version 4.1: Install 4.1 SP2.
VPN-1/FireWall-1 version 4.0: For the VPN-1 Appliance, use the SP5 Hotfix. Otherwise install 4.0 SP7.
Cause
Insecure Design
References: Mitre CVE GENERIC-MAP-NOMATCH, http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Vulnerability Details
ID: 1013
Vulnerability: Check Point FireWall-1 (keyword limitations)
Date: 5/14/98
Vulnerability Risk: 6.8 (Impact 8, Popularity 2, Simplicity 10)
Affected Technology: Check Point FireWall-1
Local/Remote: Remotely
Description
Several keywords may conflict with default objects, causing ACL rules for the firewall to default to "ANY" and allow unauthorized access. If the keywords are used, Firewall-1 will designate the object definition as "undefined" and not restrict access.
The keywords are as follows:
Short, Long, Account, Alert, SnmpTrap, Mail, UserDefined, spoof, spoofalert, Auth, AuthAlert, Duplicate basewin, serviceswin, netobjwin, viewwin, users, resources, time, true, false, last, first, status_alert, fwalert.
Impact on Technology
Potential confusion in the setup of ACL rules may result in an incorrect setup, which could allow an attacker to bypass firewall rules.
Technical Recommendation
Download and install patches from:
http://www.checkpoint.com/techsupport/config/keywords.html
As a workaround, do not use the following keywords: Short, Long, Account, Alert, SnmpTrap, Mail, UserDefined, spoof, spoofalert, Auth, AuthAlert, Duplicate basewin, serviceswin, netobjwin, viewwin, users, resources, time, true, false, last, first, status_alert, fwalert
Illegal characters in object names (the string must not contain any of the following):
' ' (space)
'<'
'>'
'='
',' (comma)
':' (colon)
';' (semicolon)
''' (quote)
'`' (back quote)
'"' (double quote)
'/' (slash)
'\' (back slash)
'\t' (tab)
INSPECT reserved words:
"accept" "and" "black" "blue" "broadcasts" "call" "date" "day" "define" "delete" "direction" "do" "domains" "drop" "dst" "dynamic"
"expcall" "expires" "firebrick" "foreground" "forest green" "format" "from" "fwline" "fwrule" "gateways" "get" "gold" "gray 101" "green" "hold" "host"
"hosts" "if" "ifaddr" "ifid" "in" "inbound" "interface" "interfaces" "ipsecmethods" "ipsecdata" "kbuf" "keep" "limit" "log" "magenta" "medium slate blue"
"modify" "navy blue" "netof" "nets" "nexpires" "not" "or" "orange" "origdport" "origdst" "origsport" "origsrc" "other" "outbound" "packet" "packetid"
"pass" "r_arg" "r_cdir" "r_cflags" "r_ckey" "r_connarg" "r_ctype" "r_entry" "r_proxy_action" "r_tab_status" "r_xlate" "record" "red" "refresh" "reject" "routers"
"set" "skippeer" "src" "static" "sync" "targets" "to" "tod" "ufp" "vanish" "wasskipped" "xlatedport" "xlatedst" "xlatesport" "xlatesrc" "xor"
Scoped reserved words:
"gateways" "host" "netobj" "resourceobj" "routers" "servobj" "servers" "tracks" "targets" "ufp"
Color reserved words:
"black" "blue" "cyan" "dark green" "dark orchid" "firebrick" "foreground" "forest green" "gold" "gray 101" "green" "magenta" "medium slate blue" "navy blue" "orange" "red" "sienna" "yellow"
Cause
Insecure Design
References: Mitre CVE GENERIC-MAP-NOMATCH, http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
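As an added example (not Check Point's code): a Python linter that checks proposed FireWall-1 object names against the conflicting keywords, illegal characters and reserved words listed in record 1013, so that a name which would make an object "undefined" is caught before the policy is installed. The case-insensitive comparison is an assumption (the record does not say how FireWall-1 compares keywords), chosen so the check fails safe.

```python
"""Lint FireWall-1 object names against the restrictions in record 1013 (added example)."""

# Keywords the record says collide with default objects. "Duplicate basewin"
# appears without a comma in the record and is kept verbatim.
CONFLICTING_KEYWORDS = {
    "Short", "Long", "Account", "Alert", "SnmpTrap", "Mail", "UserDefined",
    "spoof", "spoofalert", "Auth", "AuthAlert", "Duplicate basewin",
    "serviceswin", "netobjwin", "viewwin", "users", "resources", "time",
    "true", "false", "last", "first", "status_alert", "fwalert",
}

# Characters the record lists as illegal in an object name.
ILLEGAL_CHARS = {
    " ": "space", "<": "less-than", ">": "greater-than", "=": "equals",
    ",": "comma", ":": "colon", ";": "semicolon", "'": "quote",
    "`": "back quote", '"': "double quote", "/": "slash",
    "\\": "back slash", "\t": "tab",
}

# INSPECT reserved words from the record; the multi-word ones are added separately.
INSPECT_RESERVED = set("""
accept and black blue broadcasts call date day define delete direction do
domains drop dst dynamic expcall expires firebrick foreground format from
fwline fwrule gateways get gold green hold host hosts if ifaddr ifid in
inbound interface interfaces ipsecmethods ipsecdata kbuf keep limit log
magenta modify netof nets nexpires not or orange origdport origdst origsport
origsrc other outbound packet packetid pass r_arg r_cdir r_cflags r_ckey
r_connarg r_ctype r_entry r_proxy_action r_tab_status r_xlate record red
refresh reject routers set skippeer src static sync targets to tod ufp
vanish wasskipped xlatedport xlatedst xlatesport xlatesrc xor
""".split()) | {"forest green", "gray 101", "medium slate blue", "navy blue"}

SCOPED_RESERVED = {"gateways", "host", "netobj", "resourceobj", "routers",
                   "servobj", "servers", "tracks", "targets", "ufp"}

COLOR_RESERVED = {"black", "blue", "cyan", "dark green", "dark orchid",
                  "firebrick", "foreground", "forest green", "gold", "gray 101",
                  "green", "magenta", "medium slate blue", "navy blue",
                  "orange", "red", "sienna", "yellow"}

# Lower-cased copy for the case-insensitive comparison (assumption, fails safe).
_CONFLICTING_LOWER = {k.lower() for k in CONFLICTING_KEYWORDS}


def check_object_name(name):
    """Return a list of problems for a proposed object name; an empty list means clean."""
    problems = []
    for ch, label in ILLEGAL_CHARS.items():
        if ch in name:
            problems.append("illegal character: %s" % label)
    low = name.lower()
    if low in _CONFLICTING_LOWER:
        problems.append("conflicts with default object keyword %r" % name)
    if low in INSPECT_RESERVED:
        problems.append("INSPECT reserved word")
    if low in SCOPED_RESERVED:
        problems.append("scoped reserved word")
    if low in COLOR_RESERVED:
        problems.append("color reserved word")
    return problems


def lint_objects(names):
    """Map each offending name to its problems; clean names are omitted."""
    report = {}
    for n in names:
        problems = check_object_name(n)
        if problems:
            report[n] = problems
    return report


if __name__ == "__main__":
    # Constructed sample of object names from a rulebase.
    for name, problems in lint_objects(["web_server", "Mail", "dmz:web", "gold"]).items():
        print(name, "->", "; ".join(problems))
```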
Vulnerability Details
ID: 3256
Vulnerability: Check Point VPN-1/FireWall-1 Fast Mode vulnerability
Date: 12/18/00
Vulnerability Risk: 6.1 (Impact 7, Popularity 8, Simplicity 3)
Affected Technology: Check Point VPN-1/FireWall-1 4.1 SP2 and below; Check Point VPN-1/FireWall-1 4.0 SP7 and below; Check Point/Nokia Appliances (IPSO)
Local/Remote: Remotely
Description
Check Point VPN-1/FireWall-1 contains a vulnerability that can allow a remote attacker to connect to blocked TCP services. If Fast Mode is used with any TCP service, all TCP services will be made accessible. Using fragmented TCP packets, an attacker could possibly be able to pass packets to or through a firewall.
Impact on Technology
Remote attackers can establish connections to blocked TCP services.
Technical Recommendation
If you are running Check Point VPN-1/FireWall-1 4.1, upgrade to SP3:
http://www.checkpoint.com/cgi-bin/download.cgi
If you are running Check Point VPN-1/FireWall-1 4.0, upgrade to SP8. SP8 will be available the week of 12/24/00. Until then, ensure Fast Mode is disabled.
Check Point/Nokia Appliances (IPSO): patches for these products will be available in January 2001. Until then, disable Fast Mode.
Vendor Alert:
http://www.checkpoint.com/techsupport/alerts/fastmode.html
Cause
Software Vulnerability
References: Mitre CVE GENERIC-MAP-NOMATCH, http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Vulnerability Details
ID: 2067
Vulnerability: Check Point FW-1 ignores LDAP user authentication
Date: 10/20/99
Vulnerability Risk: 5.9 (Impact 5, Popularity 3, Simplicity 10)
Affected Technology: Check Point FW-1 4.0 SP4
Local/Remote: Locally
Description
A vulnerability in the Check Point FW-1 LDAP utility allows an attacker to circumvent LDAP access controls. The attacker exploits a problem with the Check Point implementation of the FW1ALLOWED-DST LDAP attribute. The problem allows an LDAP-authenticated attacker to access any LDAP-protected object regardless of the access controls implemented by the FW1ALLOWED-DST LDAP attribute.
Impact on Technology
Attackers with LDAP authentication access can gain unauthorized user-level access to LDAP-protected objects.
Technical Recommendation
As a workaround, do not rely on LDAP restriction rules for authenticated LDAP users.
Cause
Software Vulnerability
References: Mitre CVE CVE-1999-0895, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0895
Vulnerability Details
ID: 1014
Vulnerability: Firewall-1
Date: 9/28/98
Vulnerability Risk: 5.6 (Impact 5, Popularity 2, Simplicity 10)
Affected Technology: Firewall-1 3.0b Session Agent
Local/Remote: Locally
Description
Traffic between Firewall-1 and the session agents is unencrypted, allowing an attacker to obtain sensitive information from the network.
Impact on Technology
This allows usernames and passwords used for session agent authentication to be pulled from the wire. This and other information can be used by an attacker to gain escalated privileges.
Technical Recommendation
Apply the latest patches to Firewall-1.
Cause
Insecure Design
References: Mitre CVE GENERIC-MAP-NOMATCH, http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Vulnerability Details
ID: 2461
Vulnerability: Firewall-1 leaks private network information
Date: 3/14/00
Vulnerability Risk: 4.8 (Impact 3, Popularity 5, Simplicity 7)
Affected Technology: Firewall-1 versions 3.0b, 4.0, 4.1; Nokia IP440
Local/Remote: Remotely
Description
Firewall-1 can allow a remote attacker to gain internal network information. The firewall may allow internal network packets onto the external network under heavy load. An attacker could monitor network traffic and learn the IP addresses of internal hosts.
Impact on Technology
Remote attackers can gain sensitive internal network information.
Technical Recommendation
Upgrade to the latest service pack provided by the vendor.
Firewall-1 4.0 service pack 5: http://www.checkpoint.com/cgi-bin/download.cgi
Nokia: http://www.iprg.nokia.com/support/index.html
As a workaround, block packets from the internal network at the border router.
Cause
Software Vulnerability
References: Mitre CVE CVE-2000-0181, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0181
Vulnerability Details
ID: 1012
Vulnerability: Firewall-1 (SNMP info)
Date: 12/11/97
Vulnerability Risk: 4.4 (Impact 2, Popularity 2, Simplicity 10)
Affected Technology: Firewall-1
Local/Remote: Remotely
Description
The default and recommended rule set for Firewall-1 allows incoming SNMP packets to be accepted from any host. This would provide an attacker with information about the network.
Impact on Technology
The default SNMP configuration can allow an attacker to gain information about the firewall which can be used to find weaknesses.
Technical Recommendation
1) Upgrade to the latest patches (which fix the problem). The patch is made available only to Checkpoint authorized resellers: http://www.checkpoint.com/support
2) Unselect the "Enable Remote Connections" option.
3) Block all SNMP traffic at your border router (UDP port 161).
Cause
Insecure Design
References: Mitre CVE GENERIC-MAP-NOMATCH, http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Vulnerability Details
ID: 2318
Vulnerability: Check Point FW-1 Strip Script Tag vulnerability
Date: 1/29/00
Vulnerability Risk: 4.3 (Impact 4, Popularity 3, Simplicity 6)
Affected Technology: Check Point FW-1 version 3.0
Local/Remote: Both
Description
The Check Point firewall utility may permit an attacker to bypass its "Strip Script Tags" feature. The attacker exploits a problem where Check Point fails to properly disable potentially harmful scripts that could get executed by web browsers. In a typical scenario, the attacker will create a web page with specially crafted HTML tags that circumvent the "Strip Script Tags" filter and get executed when a web client browses the maliciously crafted web page.
Impact on Technology
Attackers can execute arbitrary code on vulnerable web browsers and gain unauthorized user-level access.
Technical Recommendation
Upgrade to the latest version of FW-1 and install the latest service packs. Version 4.0 with SP5 is not vulnerable to this attack.
Cause
Software Vulnerability
References: Mitre CVE GENERIC-MAP-NOMATCH, http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Vulnerability Details
ID: 2364
Vulnerability: Check Point FW-1 FTP PASV vulnerability
Date: 2/9/00
Vulnerability Risk: 3.9 (Impact 3, Popularity 5, Simplicity 4)
Affected Technology: Check Point FireWall-1 3.0 and 4.0
Local/Remote: Remotely
Description
The Check Point FireWall-1 utility can allow a remote attacker to circumvent packet filtering. The software incorrectly parses FTP PASV connections. An attacker can trick the firewall into opening ports on the firewall, and thus connect to potentially vulnerable services running on the FTP server.
Impact on Technology
Attackers can circumvent packet filtering and potentially attack vulnerable services on an FTP server behind the firewall.
Technical Recommendation
For 4.0 systems, install the patch and make the configuration changes recommended by the vendor. The vendor has not released a patch for other versions:
http://www.checkpoint.com/techsupport/alerts/pasvftp.html
Cause
Software Vulnerability
References: Mitre CVE CVE-2000-0150, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0150
Vulnerability Details
ID: 1011
Vulnerability: Firewall-1 (ICMP Handling)
Date: 9/16/97
Vulnerability Risk: 2.9 (Impact 2, Popularity 2, Simplicity 5)
Affected Technology: Firewall-1 3.0a?
Local/Remote: Remotely
Description
The stateful inspection engine in Firewall-1 does not appear to maintain state for ICMP packets. Consequently, it may be possible to pass ICMP echo-reply packets through the firewall and perform an attack.
Impact on Technology
This vulnerability could allow ICMP echo-reply packets to breach the firewall and attack an internal host.
Technical Recommendation
Upgrade to the latest version of Firewall-1: www.checkpoint.com
Cause
Misconfiguration
References: Mitre CVE GENERIC-MAP-NOMATCH, http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
[Port-scan results table, Firewall Study II, Appendix F, pages 26-28: ports observed per firewall product (SunScreen, NetWall, FireWall-1, Raptor, Gauntlet) on Solaris and NT under an "any any deny all" rule. The table body did not survive extraction and is not reproduced here.]