COMMAND

    FW-1

SYSTEMS AFFECTED

    Firewall-1

PROBLEM

    Hugo Vasquez found the following. If you flood port 264 (FW1_topo)
    from your local network, the Firewall-1 CPU reaches 100% and
    nobody can connect with the GUI (not even on the firewall itself).

    The test was done on a local 10 MB Ethernet against a PII 266
    with 256 MB, running FW1 4.1 SP1 on NT 4.0 SP4, using the
    ippacket software and spoofing the source IP. This is the packet
    that was sent:

        destination IP   : Firewall (external interface)
        source IP        : non existent IP (on local net)
        source port      : 1000
        destination port : 264
        data             : qwertyuiop1010101010
        number of packets: -1 (continuous mode)

    Due to the importance of this port (264) in SecuRemote, etc.,
    Hugo thinks it would be interesting to investigate how much this
    attack could endanger the system (memory) and communications
    (SMTP, VPN, SecuRemote...).
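
    A defender-side view of the traffic described above, as an added
    example that is not part of the original advisory: it counts
    packets to port 264 on the firewall's address in a sliding window
    and lists senders inside the local subnet that are missing from a
    host inventory. The record layout, thresholds, addresses and
    function names are assumptions, and the sample records are
    constructed.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

FW1_TOPO_PORT = 264   # port named in the advisory
WINDOW_S = 1.0        # sliding window in seconds (assumed value)
THRESHOLD = 100       # packets per window treated as a flood (assumed value)

def detect_port264_flood(records, firewall_ips, local_net, known_hosts,
                         window=WINDOW_S, threshold=THRESHOLD):
    """records: iterable of (ts, src_ip, src_port, dst_ip, dst_port) tuples."""
    net = ip_network(local_net)
    recent = defaultdict(deque)   # firewall IP -> (ts, src) pairs inside the window
    alerts = {}                   # firewall IP -> first alert raised for it
    for ts, src, _sport, dst, dport in sorted(records):
        if dst not in firewall_ips or dport != FW1_TOPO_PORT:
            continue
        q = recent[dst]
        q.append((ts, src))
        while ts - q[0][0] > window:      # drop packets older than the window
            q.popleft()
        if len(q) >= threshold and dst not in alerts:
            alerts[dst] = {
                "firewall": dst,
                "time": ts,
                "packets_in_window": len(q),
                # local-subnet senders absent from the inventory: likely spoofed
                "unknown_local_sources": sorted(
                    {s for _, s in q
                     if ip_address(s) in net and s not in known_hosts}),
            }
    return list(alerts.values())

def sample_records():
    """Constructed traffic: two normal clients plus one burst to port 264."""
    recs = [(0.10, "192.0.2.10", 40001, "192.0.2.1", 264),
            (0.50, "192.0.2.11", 40002, "192.0.2.1", 256),   # other port, ignored
            (2.00, "192.0.2.10", 40003, "192.0.2.1", 264)]
    recs += [(1.0 + i * 0.001, "192.0.2.250", 1000, "192.0.2.1", 264)
             for i in range(500)]         # fixed source port, unused source IP
    return recs

if __name__ == "__main__":
    hosts = {"192.0.2.1", "192.0.2.10", "192.0.2.11"}
    for alert in detect_port264_flood(sample_records(), {"192.0.2.1"},
                                      "192.0.2.0/24", hosts):
        print(alert)
```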

SOLUTION

    This is effectively a misconfiguration issue, although it is the
    default configuration upon initial install. It is not a bug: the
    first thing the "wizard" does for you is to block all traffic
    directly to the firewall, so this should not be an issue for
    most people. That is a really good thing, because FW-1 listens
    on an obscene number of ports in a default installation.

    After extensive testing, Check Point was unable to reproduce this
    vulnerability. The testing was done both with and without IP
    Spoofing protection enabled, with the provided source code and
    other tools. At this time, Check Point does not believe this is
    an actual vulnerability.