COMMAND

    Checkpoint Firewall-1

SYSTEMS AFFECTED

    Systems running Checkpoint Firewall-1 (under conditions  described
    below)

PROBLEM

    The following is based on the Secure Networks Inc. (SNI) Checkpoint
    Firewall-1 Security Advisory.  The default recommended configuration
    of Firewall-1 allows outside users to obtain confidential operational
    and statistical information from the Simple Network Management
    Protocol (SNMP) daemon running on the firewall.

    Once obtained, this information can be used by potential intruders
    to find vulnerabilities in the firewall or in connected systems, and
    to read statistics on the firewall's operation.  Where the SNMP data
    reveals software on the firewall with known vulnerabilities, those
    can in some cases be exploited immediately, for example to cause a
    Denial of Service (DoS).

    It is possible for anyone wishing to see the volume of traffic going
    in and out of a target firewall's network to obtain this information
    in a form that can be imported directly into any number of network
    monitoring tools and graphed by time of day.

    Firewall-1  makes  use  of  the  SNMP  service on all platforms to
    obtain  information  about  the  machine  on which the firewall is
    running,  and  to  show  the  user  real-time statistics about the
    firewall.   For   those  unfamiliar  with   the  Firewall-1   user
    interface, the  first option  available in  the global  properties
    dialog box is:

        "Enable Firewall-1 Control Connections [Essential]"

    The word 'Essential' appears in the user interface window itself,
    which makes unfamiliar administrators very reluctant to deselect it,
    since they assume the vendor knows best.

    The default configuration has this option selected and marked
    "First", so that it is evaluated BEFORE the rule-set defined by the
    firewall administrator.  Since Firewall-1 operates on a first-match
    rather than a best-match principle, nothing in the administrator's
    rule-set can override it.

    The documentation makes it very clear that while this box is
    selected, the control connections required by the remote GUI are
    only allowed from IP addresses listed in a specific text file, and
    that all other connection attempts are rejected.  No mention is made
    of the fact that access to the SNMP ports is allowed from ANY
    address.  Even if SNMP access were restricted to the addresses in
    that text file the problem would remain, to a lesser degree: since
    SNMP runs over UDP, an attacker could spoof packets from a listed
    address to set variables without needing to receive a reply.

    The SNMP daemon reveals the version of the operating system and of
    the firewall, as well as the layout of the security perimeter, such
    as the presence or absence of a service network (DMZ).  The OS
    vendor's SNMP daemon will generally also make available a list of
    all active connections, a list of all running services and the
    entire routing table (which, if the firewall runs RIP, contains a
    sizable amount of information).  Information such as the amount of
    traffic traveling over any given interface is useful to competitors
    gathering intelligence on a target's network activity.

    In addition to the standard MIB, various vendors make their own
    information available via enterprise MIBs.  As the reference
    section of this advisory notes, this may be important for NT users
    of the Checkpoint firewall.

    Checkpoint has its own enterprise MIB (enterprises.1919).  This
    provides further information useful to a potential intruder, such
    as the number of denied, dropped, allowed and logged packets and the
    current state of the firewall.  The text of the last SNMP trap
    generated is also provided.
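    The following script is an added example, not part of the SNI
    advisory and not Check Point code.  It shows what such a query
    actually looks like on the wire: an SNMPv1 GetRequest for sysDescr.0
    (the OS and product banner) or a GetNextRequest that steps into the
    enterprises.1919 subtree, hand-encoded in BER so that nothing beyond
    the standard library is needed, plus a decoder for the GetResponse.
    The sample response it decodes is constructed here for the test: the
    banner string, the instance OID under enterprises.1919 and the
    Counter32 value are made up, and the community string "public" is
    assumed as the default.

```python
"""SNMPv1 probe for the exposure described above (added example, not SNI's or
Check Point's code): hand-rolled BER, no external SNMP library."""
import socket

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"          # MIB-II sysDescr.0: OS / product banner
CHECKPOINT_ENTERPRISE = "1.3.6.1.4.1.1919"  # enterprises.1919, as named in the advisory

def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _encode_int(value, tag=0x02):
    # Minimal two's-complement; the extra byte keeps 0x80.. from reading as negative.
    return _tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]                      # base-128, high bit set on all but last
        while p > 0x7F:
            p >>= 7
            chunk.insert(0, 0x80 | (p & 0x7F))
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))

def _encode_value(v):
    if v is None:
        return _tlv(0x05, b"")                  # NULL: the placeholder in a request
    return _tlv(0x04, v.encode()) if isinstance(v, str) else _encode_int(v, 0x41)  # Counter32

def build_message(pdu_tag, community, request_id, varbinds):
    """SNMPv1 message: 0xA0 GetRequest, 0xA1 GetNextRequest, 0xA2 GetResponse."""
    vbs = b"".join(_tlv(0x30, _encode_oid(o) + _encode_value(v)) for o, v in varbinds)
    pdu = _tlv(pdu_tag, _encode_int(request_id) + _encode_int(0) + _encode_int(0)
               + _tlv(0x30, vbs))              # request-id, error-status, error-index
    return _tlv(0x30, _encode_int(0) + _tlv(0x04, community.encode()) + pdu)  # version 1 = 0

def get_request(community, oid, request_id=1, getnext=False):
    return build_message(0xA1 if getnext else 0xA0, community, request_id, [(oid, None)])

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def _decode_value(tag, body):
    if tag == 0x04:
        return body.decode("latin-1")
    if tag in (0x02, 0x41, 0x42, 0x43):         # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    return _decode_oid(body) if tag == 0x06 else (None if tag == 0x05 else body)

def parse_response(datagram):
    """(request_id, error_status, [(oid, value), ...]) from a GetResponse."""
    _, msg, _ = _read_tlv(datagram, 0)
    _, _, p = _read_tlv(msg, 0)                 # version
    _, _, p = _read_tlv(msg, p)                 # community
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse: tag 0x%02x" % pdu_tag)
    hdr, p = [], 0
    for _ in range(3):                          # request-id, error-status, error-index
        _, body, p = _read_tlv(pdu, p)
        hdr.append(int.from_bytes(body, "big", signed=True))
    _, vblist, _ = _read_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vblist):
        _, vb, p = _read_tlv(vblist, p)
        _, oid, q = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, q)
        varbinds.append((_decode_oid(oid), _decode_value(vtag, vbody)))
    return hdr[0], hdr[1], varbinds

# Constructed sample (not captured traffic): banner text, the instance OID under
# enterprises.1919 and the counter value are made up so the decoder can run offline.
SAMPLE_RESPONSE = build_message(0xA2, "public", 7, [
    (SYS_DESCR_0, "SunOS fw1 5.5.1 Generic sun4u (constructed sample)"),
    (CHECKPOINT_ENTERPRISE + ".1.1.0", 123456),
])

def probe(host, community="public", oid=SYS_DESCR_0, getnext=False, timeout=2.0):
    """One UDP/161 round trip; None on timeout (filtered or daemon off: the fixed state)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(get_request(community, oid, getnext=getnext), (host, 161))
        try:
            return parse_response(sock.recvfrom(4096)[0])
        except socket.timeout:
            return None
```

    From a host outside the firewall, probe("203.0.113.1") (a
    documentation address standing in for your firewall's external
    interface) returns the decoded banner when the daemon is reachable,
    and probe("203.0.113.1", oid=CHECKPOINT_ENTERPRISE, getnext=True)
    steps into the enterprise subtree.  After the fix in the SOLUTION
    section is applied, the same calls should return None.  The decoder
    deliberately ignores the community string and does not match the
    request-id; an agent that answers at all has already leaked the
    information the advisory is about.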

    To an intruder, the information obtained can in many cases point
    directly to a way of gaining remote access to the protected network.
    Because access to the SNMP daemon is granted by Rule 0 (the
    Properties), ahead of the administrator's rule-base, these accesses
    are not logged.

    Vulnerable are all platforms running any version of Firewall-1 from
    Checkpoint where the administrator has not disabled the "Enable
    Remote Connections" option in the Properties, or has in some other
    way enabled access to the SNMP server on the firewall.

SOLUTION

    According to Checkpoint Software, a patch for this problem is
    available via:

        http://www.checkpoint.com/support

    Note that this URL is password protected and is only accessible to
    Checkpoint authorized resellers.

    A quick fix is to immediately deselect the "Enable Remote
    Connections" option.  Also block all SNMP traffic (UDP port 161) to
    the firewall at your border router.  If you absolutely require
    remote access, a qualified security administrator can assist you in
    designing a policy that grants this access explicitly in the
    regular rule-base, where it is subject to your own source-address
    restrictions and logging.  Please note that this suggestion is not
    supported by Checkpoint and is provided within the SNI advisory on
    an 'AS IS' basis.  SNI (Secure Networks Inc.) accepts no liability
    for this suggested fix, and end users should apply it only after
    consulting their in-house security administrator.