COMMAND
LDAP
SYSTEMS AFFECTED
Checkpoint FireWall-1 V4.0
PROBLEM
Olaf Selke found the following. With FireWall-1 Version 4.0
Checkpoint introduced support for the Lightweight Directory Access
Protocol (LDAP) for user authentication. It looks like there's a
bug in Checkpoint's ldap code which under certain circumstances
can lead to unauthorized access to protected systems behind the
firewall.
A user can authenticate himself at the firewall by providing a valid
username and password. The firewall acts as an ldap client,
validating the credentials against a directory server using the ldap
protocol. After successful authentication, access is granted
to systems protected by the firewall.
In contrast to authentication using the Radius or SecurID
protocol, after successful authentication the directory server can
supply the firewall with additional ldap attributes for the user,
like the times and days of the week a user is allowed to log in, the
source addresses a user can run a client from, or the systems
behind the firewall a user is allowed to access. This can be done
individually for each user.
In general that's a great idea, but it seems Checkpoint got
something wrong when interpreting the ldap attribute 'fw1allowed-dst',
which is supposed to control in detail which protected network
objects a user can access. It seems this attribute is ignored by
the firewall software, granting access to all protected network
objects instead. Example:
                      ------ Server 'Foo'
                     |
Internet --- FW-1 ---|
                     |
                      ------ Server 'Bar'
Suppose there's a user 'Sid' with access only to Server 'Foo',
and a second user 'Nancy' with access restricted to Server 'Bar',
both controlled by the ldap protocol using the ldap attribute
'fw1allowed-dst'. The bug causes both Sid and Nancy to have
access to both Foo and Bar.
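The scenario above, modelled as an added example (not Checkpoint's code): a decision function that enforces 'fw1allowed-dst' as intended, one that ignores it as the advisory describes, and an audit routine that enumerates every user/destination pair and reports the pairs a decision function allows that the directory never granted. The directory entries are constructed sample data, and treating the value "Any" as a wildcard is an assumption made for this illustration.

```python
# Constructed directory entries: each user's fw1allowed-dst values are
# the protected network objects that user is meant to reach.
DIRECTORY = {
    "Sid":   {"fw1allowed-dst": ["Foo"]},
    "Nancy": {"fw1allowed-dst": ["Bar"]},
}

# The protected network objects behind the firewall in the example.
PROTECTED_OBJECTS = ["Foo", "Bar"]


def decide_enforcing(attrs, dest):
    """Intended behaviour: allow only destinations listed in
    fw1allowed-dst. A missing attribute means nothing is allowed.
    "Any" as a wildcard is an assumption of this illustration."""
    allowed = attrs.get("fw1allowed-dst", [])
    return dest in allowed or "Any" in allowed


def decide_ignoring(attrs, dest):
    """Behaviour described in the advisory: the attribute is never
    consulted, so every authenticated user reaches every object."""
    return True


def audit(decide, directory=DIRECTORY, objects=PROTECTED_OBJECTS):
    """Compare a decision function against the directory's intent.
    Returns the (user, dest) pairs the function allows although the
    user's fw1allowed-dst does not list that destination."""
    violations = []
    for user, attrs in directory.items():
        for dest in objects:
            if decide(attrs, dest) and not decide_enforcing(attrs, dest):
                violations.append((user, dest))
    return violations


if __name__ == "__main__":
    print("enforcing:", audit(decide_enforcing))
    print("ignoring: ", audit(decide_ignoring))
```

The same matrix test, run against a real gateway with two test users, is the check that tells an administrator whether destination restrictions from the directory are actually being honoured.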
SOLUTION
This is not a major bug, but it's serious enough that one can't
rely on access control enforced through ldap.