COMMAND
VPN-1/FireWall-1
SYSTEMS AFFECTED
VPN-1/FireWall-1 4.1
PROBLEM
A security issue exists in VPN-1/FireWall-1 version 4.1 whereby a
valid firewall administrator, connecting from an authorized
management (GUI) client, may send malicious data to a management
station inside a control connection and thereby disrupt the
operation of the management station. The cause is a number of
format string bugs (improper string formatting) in VPN-1/FireWall-1
version 4.1: data supplied by the administrator is interpreted by a
formatting routine rather than treated as plain text. By sending
specially constructed commands through the authorized communication
channel, arbitrary code may be placed on the stack of the
VPN-1/FireWall-1 management station process.
Exploitation requires an authorized and authenticated
VPN-1/FireWall-1 administrator connecting from a workstation that
the management station explicitly trusts; read/write permission is
not required. Since full-access (read/write) administrators and
anyone at the local system console already control the firewall
system, this is an escalation of privilege only for read-only
administrators.
All installations of VPN-1/FireWall-1 which allow remote GUI
connections should be assumed vulnerable. Note again that the attack
must be made by an authorized, authenticated VPN-1/FireWall-1
administrator connecting from an authorized GUI client station.
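To make the bug class concrete, the following is an added example written for this page. It is generic C, not Check Point code, and says nothing about where the defect sits in VPN-1/FireWall-1; the function names, the 128-byte buffer and the sample command text are assumptions for illustration only. It places a vulnerable logging call (administrator-controlled text used as the format string) beside its hardened form (the same text passed as an argument to a fixed "%s" format), plus a pre-dispatch check that recognises conversion directives in data arriving on a control connection.

```c
/*
 * Illustration of the bug class ("improper string formatting") named
 * in the advisory above. Added example code, not Check Point's; it does
 * not reproduce the actual VPN-1/FireWall-1 defect.
 *
 * log_command_unsafe() hands administrator-controlled text to snprintf()
 * as the FORMAT argument, so any '%' directives in it are interpreted and
 * read from (or, with %n, write through) the stack. log_command_safe()
 * passes the same text as a plain argument to a fixed "%s" format, so the
 * bytes are copied verbatim and never interpreted.
 */
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 128   /* assumed buffer size for this example */

/* Vulnerable: attacker-controlled data used as the format string. */
int log_command_unsafe(const char *cmd, char *out, size_t out_len)
{
    /* Deliberately wrong: this is the shape of call that creates a
     * format string vulnerability. Directives inside cmd are honoured. */
    return snprintf(out, out_len, cmd);
}

/* Fixed: attacker-controlled data is only ever an argument, never the
 * format, so it cannot steer the formatting routine. */
int log_command_safe(const char *cmd, char *out, size_t out_len)
{
    return snprintf(out, out_len, "%s", cmd);
}

/* Defensive check a management station could apply to control-connection
 * data before it reaches any formatting routine: count '%' conversion
 * directives, treating the literal "%%" as harmless. Returns the number
 * of directives found (0 for clean input). */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }  /* literal percent sign */
            n++;
        }
    }
    return n;
}

int main(void)
{
    char buf[LOG_LINE_MAX];
    /* Constructed sample of a read-only administrator's command text.
     * "%%" is the only directive whose behaviour is defined when no
     * arguments are supplied, so it is used to show that the unsafe path
     * parses the input while the safe path copies it verbatim. Inputs
     * such as "%x%x%x%x" or "%n" would, on the unsafe path, read or write
     * stack memory (undefined behaviour); those are what an attacker
     * would send. */
    const char *admin_input = "show rule 100%% complete";

    log_command_unsafe(admin_input, buf, sizeof buf);
    printf("unsafe: %s\n", buf);   /* prints: show rule 100% complete  */
    log_command_safe(admin_input, buf, sizeof buf);
    printf("safe:   %s\n", buf);   /* prints: show rule 100%% complete */
    printf("directives in \"%%x%%x%%n\": %d\n",
           count_format_directives("%x%x%n"));   /* prints 3 */
    return 0;
}
```

The difference between the two outputs is the whole vulnerability: on the unsafe path the management station lets the remote administrator decide how the formatting routine walks its own stack, which is why a read-only account suffices and why the fix belongs on the management station rather than on the firewall modules.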
This issue has been reported to Check Point by Halvar Flake,
senior reverse engineer of BlackHat Consulting.
SOLUTION
Restrict remote GUI access for read-only firewall administrators;
review the list of administrators and authorized GUI clients.
All users should upgrade to VPN-1/FireWall-1 4.1 Service Pack 4 and
install the SP4 hotfix. The hotfix needs to be applied only to
management stations, not to firewall modules.
Check Point/Nokia Appliances (IPSO) and AIX Note: since 4.1 SP3
is the most recent version of VPN-1/FireWall-1 released for these
platforms, the hotfix for them will be released against 4.1 SP3.
Future service packs will incorporate the fix.