COMMAND
CheckPoint Firewall-1
SYSTEMS AFFECTED
Systems running CheckPoint Firewall-1
PROBLEM
This vulnerability in Firewall-1 has been made public by
CheckPoint. Most of this information is taken verbatim from the
CheckPoint web page on this issue. You can find this page at:
http://www.checkpoint.com/techsupport/config/keywords.html
If you use one of several reserved keywords as the name of a user
defined object in a rule, the default definition of "ANY" will be
used instead of the object. This behavior may grant (or deny) access
to a greater number of addresses or services than expected.
The following keywords should not be used to represent any user
defined object in a FireWall-1 installation:
Short, Long, Account, Alert, SnmpTrap, Mail, UserDefined,
spoof, spoofalert, Auth, AuthAlert, Duplicate, basewin,
serviceswin, netobjwin, viewwin, users, resources, time, true,
false, last, first, status_alert, fwalert
If any of these keywords are used to represent either a network or
a service object and are subsequently used in a security policy,
FireWall-1 will interpret the object definition as "undefined".
If no other object is used either in the source/destination or
service field of the rule, then the default address definition of
"ANY" is used for that particular field. Note that in practice
only objects in the "tracking" menu of type "alert" seem to behave
this way. Objects such as "Long", of type "log", do not show this
behavior.
For example, if you have a rule that allows SMTP access to a
machine called "Mail" on your DMZ, you are actually giving SMTP
access to any machine behind the firewall.
SOLUTION
If any of these keywords are defined as network objects or service
objects and used in a rule base, then the object should be renamed
and the security policy reloaded. Mechanisms are being built into
future releases of FireWall-1 to prevent using these keywords as
user defined objects.
Characters and reserved words that must not be used in FireWall-1
object definitions: avoid the following characters and reserved
words in the names of FireWall-1 objects (Network Objects, Users,
Groups etc.):
Illegal characters:
String contains ' ' (space)
String contains '+'
String contains '*'
String contains '?'
String contains '('
String contains ')'
String contains '{'
String contains '}'
String contains '['
String contains ']'
String contains '!'
String contains '#'
String contains '<'
String contains '>'
String contains '='
String contains ',' (comma)
String contains ':' (colon)
String contains ';' (semicolon)
String contains ''' (quote)
String contains '`' (back quote)
String contains '"' (double quote)
String contains '/' (slash)
String contains '\' (back slash)
String contains '\t' (tab)
INSPECT reserved words:
"accept"
"and"
"black"
"blue"
"broadcasts"
"call"
"date"
"day"
"define"
"delete"
"direction"
"do"
"domains"
"drop"
"dst"
"dynamic"
"expcall"
"expires"
"firebrick"
"foreground"
"forest green"
"format"
"from"
"fwline"
"fwrule"
"gateways"
"get"
"gold"
"gray 101"
"green"
"hold"
"host"
"hosts"
"if"
"ifaddr"
"ifid"
"in"
"inbound"
"interface"
"interfaces"
"ipsecmethods"
"ipsecdata"
"kbuf"
"keep"
"limit"
"log"
"magenta"
"medium slate blue"
"modify"
"navy blue"
"netof"
"nets"
"nexpires"
"not"
"or"
"orange"
"origdport"
"origdst"
"origsport"
"origsrc"
"other"
"outbound"
"packet"
"packetid"
"pass"
"r_arg"
"r_cdir"
"r_cflags"
"r_ckey"
"r_connarg"
"r_ctype"
"r_entry"
"r_proxy_action"
"r_tab_status"
"r_xlate"
"record"
"red"
"refresh"
"reject"
"routers"
"set"
"skippeer"
"src"
"static"
"sync"
"targets"
"to"
"tod"
"ufp"
"vanish"
"wasskipped"
"xlatedport"
"xlatedst"
"xlatesport"
"xlatesrc"
"xor"
Scoped reserved words:
"gateways"
"host"
"netobj"
"resourceobj"
"routers"
"servobj"
"servers"
"tracks"
"targets"
"ufp"
Colors reserved words:
"black"
"blue"
"cyan"
"dark green"
"dark orchid"
"firebrick"
"foreground"
"forest green"
"gold"
"gray 101"
"green"
"magenta"
"medium slate blue"
"navy blue"
"orange"
"red"
"sienna"
"yellow"
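The following Python script is an added example, not CheckPoint's code or part of the original advisory. It does two things a firewall administrator would want before reloading a policy: it lints object names against the illegal characters and the reserved words listed above, and it applies the widening behaviour described in the PROBLEM section to a small rule base so that a rule such as the "Mail" SMTP example is reported as collapsing to "ANY". The rule-base layout (a dict with "source", "destination" and "service" lists per rule) and the sample rules are constructed for this example; matching is done case-insensitively and every keyword in the lists is flagged, which is a deliberately conservative assumption since the advisory notes that in practice only the "alert"-type tracking keywords seemed to misbehave.

```python
"""Added example (not CheckPoint's code): lint FireWall-1 object names against the
reserved words in this advisory, and show which rule fields silently widen to ANY."""

# Keywords the advisory says must not name a user-defined object (PROBLEM section).
# Stored lower-cased: case-insensitive matching is an assumption of this example.
RESERVED_OBJECT_KEYWORDS = {w.lower() for w in """
Short Long Account Alert SnmpTrap Mail UserDefined spoof spoofalert Auth
AuthAlert Duplicate basewin serviceswin netobjwin viewwin users resources
time true false last first status_alert fwalert
""".split()}

# INSPECT reserved words (single-token ones), then the multi-word INSPECT names
# and the scoped and colour reserved words from the same section of the advisory.
INSPECT_RESERVED = set("""
accept and black blue broadcasts call date day define delete direction do
domains drop dst dynamic expcall expires firebrick foreground format from
fwline fwrule gateways get gold green hold host hosts if ifaddr ifid in
inbound interface interfaces ipsecmethods ipsecdata kbuf keep limit log
magenta modify netof nets nexpires not or orange origdport origdst origsport
origsrc other outbound packet packetid pass r_arg r_cdir r_cflags r_ckey
r_connarg r_ctype r_entry r_proxy_action r_tab_status r_xlate record red
refresh reject routers set skippeer src static sync targets to tod ufp
vanish wasskipped xlatedport xlatedst xlatesport xlatesrc xor
""".split()) | {"navy blue", "forest green", "gray 101", "medium slate blue",
                "netobj", "resourceobj", "servobj", "servers", "tracks",
                "cyan", "dark green", "dark orchid", "sienna", "yellow"}

# The 24 characters the advisory forbids anywhere in an object name.
ILLEGAL_CHARS = set(" +*?(){}[]!#<>=,:;'`\"/\\\t")


def name_problems(name):
    """Return the reasons `name` is unsafe as a FireWall-1 object name
    (an empty list means the name is clean)."""
    problems = []
    bad = sorted({c for c in name if c in ILLEGAL_CHARS})
    if bad:
        problems.append("illegal characters: " + " ".join(repr(c) for c in bad))
    if name.lower() in RESERVED_OBJECT_KEYWORDS:
        problems.append("reserved object keyword (object is treated as undefined)")
    if name.lower() in INSPECT_RESERVED:
        problems.append("INSPECT/scoped/colour reserved word")
    return problems


def effective_field(objects):
    """Apply the behaviour the advisory describes to one rule field: objects whose
    name is a reserved keyword are dropped as "undefined"; if nothing remains in
    the field, FireWall-1 falls back to ANY."""
    kept = [o for o in objects if o.lower() not in RESERVED_OBJECT_KEYWORDS]
    return kept if kept else ["ANY"]


def widened_fields(rule):
    """Names of the fields of `rule` that were not written as ANY but end up as ANY."""
    return [f for f in ("source", "destination", "service")
            if "ANY" not in rule[f] and effective_field(rule[f]) == ["ANY"]]


def audit(rules):
    """Map rule name -> list of widened fields, for every rule that widens."""
    return {r["name"]: widened_fields(r) for r in rules if widened_fields(r)}


# Constructed sample rule base, modelled on the advisory's SMTP-to-"Mail" example.
SAMPLE_RULES = [
    {"name": "smtp-to-dmz", "source": ["ANY"], "destination": ["Mail"], "service": ["smtp"]},
    {"name": "admin-ssh", "source": ["Auth"], "destination": ["fw-gw"], "service": ["ssh"]},
    {"name": "web", "source": ["ANY"], "destination": ["dmz-web"], "service": ["http"]},
]

if __name__ == "__main__":
    for rule_name, fields in audit(SAMPLE_RULES).items():
        print(f"rule {rule_name}: field(s) {fields} silently become ANY")
    for candidate in ("Mail", "dmz mail", "mail_relay", "Navy Blue"):
        print(candidate, "->", name_problems(candidate) or "ok")
```

Renaming the flagged objects (for instance "Mail" to "mail_relay") and re-running `audit` is the check that the SOLUTION section's fix actually restores the intended scope of each rule before the policy is reloaded.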