Great Circle Associates Firewalls
(January 1998)
 


Subject: Firewall Security Advisory
From: Gadbois <gadbois @ enterprise . net>
Date: Thu, 1 Jan 1998 19:25:07 -0500
To: "'firewalls @ greatcircle . com'" <firewalls @ greatcircle . com>

Forwarding this advisory I received on the Checkpoint FW-1 in case you haven't seen it.  Take care.

Brian

> Original Message Follows

>WE HAVE RECEIVED INFORMATION CONCERNING A SECURITY PROBLEM
>PRESENT IN CHECKPOINT'S FIREWALL-1 WHICH ALLOWS UNAUTHORIZED USERS TO
>ACCESS THE SNMP DAEMON RUNNING ON THE FIREWALL. THIS ALLOWS OUTSIDERS
> TO OBTAIN INTERNAL AND CONFIDENTIAL INFORMATION ABOUT THE INSTALLATION AND
>OPERATION OF THE FIREWALL AND THE NETWORK WHICH IT PROTECTS, WITHOUT
>BEING TRACED.  THE FOLLOWING ADVISORY IS A RETRANSMISSION OF A SECURE
>NETWORKS INC. ADVISORY PUBLISHED ON 9 DEC 97.
>[*** START SNI ADVISORY, "CHECKPOINT FIREWALL-1 SECURITY ADVISORY" ***]
> 
>PROBLEM DESCRIPTION: THE DEFAULT RECOMMENDED CONFIGURATION OF
>FIREWALL-1 ALLOWS OUTSIDE USERS TO OBTAIN CONFIDENTIAL OPERATION AND
>STATISTICAL INFORMATION FROM THE SIMPLE NETWORK MANAGEMENT PROTOCOL
>(SNMP) DAEMON.
>ONCE OBTAINED, THIS INFORMATION CAN BE USED BY POTENTIAL INTRUDERS TO
>FIND VULNERABILITIES IN THE FIREWALL OR CONNECTED SYSTEMS. IN ADDITION,
>POTENTIAL INTRUDERS CAN OBTAIN STATISTICS ON THE FIREWALL'S OPERATION.
>FINDING SOFTWARE ON THE FIREWALL WITH KNOWN VULNERABILITIES CAN, IN SOME
>CASES, BE EXPLOITED IMMEDIATELY TO CAUSE A DENIAL OF SERVICE (DOS)
>ATTACK.
>IT IS POSSIBLE FOR PEOPLE WISHING TO SEE THE VOLUME OF TRAFFIC GOING IN
>AND OUT OF A TARGET FIREWALL'S NETWORK TO OBTAIN THIS INFORMATION IN A
>FORM THAT CAN BE DIRECTLY IMPORTED INTO ANY NUMBER OF NETWORK MONITORING
>TOOLS THAT CAN GRAPH IT BY TIME OF DAY.
> 
>TECHNICAL DETAILS: FIREWALL-1 MAKES USE OF THE SNMP SERVICE ON ALL
>PLATFORMS TO OBTAIN INFORMATION ABOUT THE MACHINE ON WHICH THE FIREWALL
>IS RUNNING, AND TO SHOW THE USER REAL-TIME STATISTICS ABOUT THE FIREWALL.
>FOR THOSE UNFAMILIAR WITH THE FIREWALL-1 USER INTERFACE, THE FIRST OPTION
>AVAILABLE IN THE GLOBAL PROPERTIES DIALOG BOX IS:
>     "ENABLE FIREWALL-1 CONTROL CONNECTIONS [ESSENTIAL]" [1].
>THE WORD 'ESSENTIAL' IS CONTAINED IN THE USER INTERFACE WINDOW ITSELF,
>CAUSING UNFAMILIAR USERS TO BE VERY RELUCTANT TO REMOVE IT SINCE THEY
>FEEL THE VENDOR SHOULD KNOW BEST ABOUT THIS.
>THE DEFAULT CONFIGURATION IS TO HAVE THIS SELECTED AND MARKED "FIRST" SO
>THAT IT IS EVALUATED BEFORE THE RULE-SET DEFINED BY THE FIREWALL
>ADMINISTRATOR. SINCE FIREWALL-1 OPERATES ON A FIRST-MATCH RATHER THAN
>A BEST-MATCH PRINCIPLE, NOTHING IN THE RULE-SET OVERRIDES THIS.
>THE DOCUMENTATION MAKES IT VERY CLEAR THAT WHILE THIS BOX IS SELECTED,
>CONTROL CONNECTIONS REQUIRED FOR USE OF THE REMOTE GUI ARE ONLY ALLOWED
>IF THE IP ADDRESS IS LISTED IN A SPECIFIC TEXT FILE. ALL OTHER CONNECTION
>ATTEMPTS WILL BE REJECTED. NO MENTION IS MADE OF THE FACT THAT ACCESS IS
>ALLOWED TO THE SNMP PORTS FROM ANY ADDRESS. IF ACCESS WERE RESTRICTED TO
>ADDRESSES THAT APPEAR IN THE TEXT FILE, THIS PROBLEM WOULD BE PRESENT TO
>A LESSER DEGREE, ALLOWING AN ATTACKER TO SPOOF UDP PACKETS TO SET
>VARIABLES, WITHOUT NEEDING TO RECEIVE A REPLY.
>THE SNMP DAEMON REVEALS THE VERSION OF THE OPERATING SYSTEM AND FIREWALL,
>AS WELL AS THE CONFIGURATION OF THE SECURITY PERIMETER SUCH AS THE
>PRESENCE OR ABSENCE OF A SERVICE NETWORK (DMZ). THE OS VENDOR'S SNMP
>DAEMON WILL GENERALLY MAKE AVAILABLE INFORMATION SUCH AS A LIST OF ALL
>ACTIVE CONNECTIONS, A LIST OF ALL RUNNING SERVICES AND THE ENTIRE ROUTING
>TABLE (WHICH IF THE FIREWALL RUNS RIP CONTAINS A SIZABLE AMOUNT OF
>INFORMATION). INFORMATION SUCH AS THE AMOUNT OF TRAFFIC TRAVELING ON ANY
>GIVEN INTERFACE CAN BE USEFUL FOR COMPETITORS GAINING INFORMATION ON
>NETWORK TRAFFIC.
>IN ADDITION TO THE STANDARD MIB, VARIOUS VENDORS MAKE THEIR OWN
>INFORMATION AVAILABLE VIA ENTERPRISE MIBS. AS THE REFERENCE SECTION TO
>THIS ADVISORY NOTES, THIS MAY BE IMPORTANT FOR NT USERS OF THE CHECKPOINT
>FIREWALL [2].
>CHECKPOINT HAS THEIR OWN ENTERPRISE MIB (ENTERPRISES.1919). THIS PROVIDES
>OTHER INFORMATION USEFUL TO THE POTENTIAL INTRUDER SUCH AS THE NUMBER OF
>DENIED, DROPPED, ALLOWED AND LOGGED PACKETS AS WELL AS THE CURRENT STATE
>OF THE FIREWALL. PROVIDED AS WELL, IS THE TEXT OF THE LAST SNMP TRAP
>GENERATED.
>TO AN INTRUDER, THE INFORMATION OBTAINED CAN IN MANY CASES POINT THEM
>DIRECTLY TO A WAY IN WHICH THEY CAN GAIN REMOTE ACCESS TO THE PROTECTED
>NETWORK.
>ACCESS TO THE SNMP DAEMON IS ALLOWED IN RULE-SET 0 (PROPERTIES); NO
>LOGGING OF THESE ACCESSES IS MADE.
> 
>VULNERABLE OPERATING SYSTEMS AND SOFTWARE: ALL PLATFORMS RUNNING
>VERSIONS OF FIREWALL-1 FROM CHECKPOINT WHERE THE ADMINISTRATOR HAS NOT
>DISABLED THE "ENABLE REMOTE CONNECTIONS" OPTION FROM THE PROPERTIES, OR
>HAS IN SOME OTHER WAY ENABLED ACCESS TO THE SNMP SERVER ON THE FIREWALL.
>
>FIX INFORMATION:
> 
>A.  VENDOR PATCH: ACCORDING TO CHECKPOINT SOFTWARE, A PATCH FOR THIS
>PROBLEM IS AVAILABLE VIA:
>      HTTP://WWW.CHECKPOINT.COM/SUPPORT (ALL LOWERCASE)
>IT SHOULD BE NOTED THAT THIS URL IS PASSWORD PROTECTED AND IS ONLY
>ACCESSIBLE VIA CHECKPOINT AUTHORIZED RESELLERS.
>B.  QUICK FIX: IMMEDIATELY UNSELECT THE "ENABLE REMOTE CONNECTIONS"
>OPTION. ALSO, BLOCK ALL SNMP TRAFFIC AT YOUR BORDER ROUTER (UDP PORT 161).
>IF YOU ABSOLUTELY REQUIRE REMOTE ACCESS, A QUALIFIED SECURITY
>ADMINISTRATOR CAN ASSIST YOU IN DESIGNING A POLICY THAT GRANTS THIS
>ACCESS IN THE REGULAR RULE-BASE.  PLEASE NOTE THAT THIS SUGGESTION IS
>NOT SUPPORTED BY CHECKPOINT AND IS PROVIDED WITHIN THIS ADVISORY ON AN
>'AS IS' BASIS. SNI (SECURE NETWORKS INC.) ACCEPTS NO LIABILITY FOR THIS
>SUGGESTED FIX, AND END USERS SHOULD APPLY IT ONLY AFTER CONSULTING THEIR
>IN-HOUSE SECURITY ADMINISTRATOR.
> 
>ADDITIONAL INFORMATION: THE INFORMATION PROVIDED IN THIS ADVISORY
>WAS PROVIDED TO SNI BY STEVE BIRNBAUM <SBIRN @ SECURITY . ORG . IL>.
> 
>REFERENCES (FROM FOOTNOTES IN TEXT ABOVE):
>     [1] MANAGING FIREWALL-1 USING THE WINDOWS GUI, FIGURE 1-11.
>     [2] BUGTRAQ MAILING LIST POST CONCERNING MIB ENTERPRISES.77
>A RECENT POST TO A SECURITY MAILING LIST BY CHRISTOPHER ROULAND
>(CROULAND @ EXAMNYC . LEHMAN . COM) POINTED OUT THAT THE MICROSOFT LAN-MANAGER
>ENTERPRISE MIB (ENTERPRISES.77) LISTED VAST AMOUNTS OF INFORMATION THAT
>SHOULD BE HEAVILY GUARDED.
>THIS INCLUDES A LIST OF RUNNING SERVICES AND THEIR STATE, A LIST OF ALL
>USERS THAT EXIST ON THE MACHINE, ANY CONNECTED SHARES AND THE NUMBER OF
>FAILED PASSWORD ATTEMPTS AMONG OTHER THINGS. FURTHER, HE FOUND A CERTAIN
>VARIABLE THAT COULD BE SET TO 0 IN MICROSOFT'S ENTERPRISE MIB WHICH
>RESULTED IN A CLEARING OF THE WINS DATABASE. GIVING SUCH INFORMATION AS
>THE PRESENCE OF ANY SHARES AND THE USER LIST ON A FIREWALL IS A POSSIBLY
>DISASTROUS BREACH OF SECURITY.
>[*** END SNI ADVISORY, "CHECKPOINT FIREWALL-1 SECURITY ADVISORY" ***]
> 
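The core of the advisory is a rule-ordering problem: the "control connections" property is evaluated before the administrator's rule base, the filter is first-match, and the property's implied rule accepts SNMP (udp/161) from any address without logging, so nothing the administrator writes can override it. The following toy packet-filter evaluator is an added example, not code from the advisory, from SNI or from Check Point. It models the behaviour the advisory describes so the effect of the "quick fix" (unselecting the property and handling SNMP explicitly in the regular rule base) can be seen; the management-host list, the GUI control port, the rule names and the sample addresses are constructed placeholders.

```python
"""Toy first-match packet filter modelling the FireWall-1 rule-0 problem
described in the SNI advisory. Example code only; rule format, hosts,
ports and addresses are constructed for illustration."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR prefix, or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"
    log: bool = True      # whether a match is written to the log

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, log: List[str]) -> str:
    """First-match evaluation: the first matching rule decides and later
    rules are never consulted. Unmatched traffic is dropped and logged."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.log:
                log.append(f"{rule.action} {pkt.proto}/{pkt.dport} from {pkt.src} [{rule.name}]")
            return rule.action
    log.append(f"drop {pkt.proto}/{pkt.dport} from {pkt.src} [implicit cleanup]")
    return "drop"


# Constructed values: one management station and a placeholder control port
# (not the real FireWall-1 control port).
MGMT_HOSTS = ["192.0.2.10/32"]
GUI_CONTROL_PORT = 5555


def implied_rules() -> List[Rule]:
    """Models the 'Enable FireWall-1 Control Connections' property as the
    advisory describes it: GUI control connections are limited to listed
    hosts, but SNMP (udp/161) is accepted from any address and not logged."""
    rules = [Rule("implied: GUI control", h, "tcp", GUI_CONTROL_PORT, "accept", log=False)
             for h in MGMT_HOSTS]
    rules.append(Rule("implied: SNMP from anywhere", "any", "udp", 161, "accept", log=False))
    return rules


# The administrator's own rule base: SNMP only from the management station,
# everything else on udp/161 dropped and logged.
ADMIN_RULES = [
    Rule("admin: SNMP from mgmt only", MGMT_HOSTS[0], "udp", 161, "accept"),
    Rule("admin: drop other SNMP", "any", "udp", 161, "drop"),
    Rule("admin: web to DMZ", "any", "tcp", 80, "accept"),
]


def build_policy(control_property_enabled: bool) -> List[Rule]:
    """Property (rule-0) rules are evaluated before the administrator's rules."""
    return (implied_rules() if control_property_enabled else []) + ADMIN_RULES


def snmp_from(src: str, control_property_enabled: bool) -> Tuple[str, List[str]]:
    """Return (action, log entries) for an SNMP request arriving from src."""
    log: List[str] = []
    action = evaluate(build_policy(control_property_enabled), Packet(src, "udp", 161), log)
    return action, log


if __name__ == "__main__":
    outsider = "198.51.100.77"  # constructed address outside the management list
    for enabled in (True, False):
        action, log = snmp_from(outsider, enabled)
        print(f"control property enabled={enabled}: {action}, log={log}")
```

With the property enabled, the outsider's SNMP request is accepted by the implied rule and leaves no log entry, even though the administrator's rule base would have dropped and logged it; with the property unselected, the administrator's rules are the first to match and the request is dropped and logged, while the management station is still served. The same ordering argument is why the advisory also recommends blocking udp/161 at the border router: a filter in front of the firewall is not subject to the firewall's own rule 0.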


