New vulnerability announced by Checkpoint, however notes that it is "in theory only" at this time.
Excerpt from Checkpoint's site:
FireWall-1 HTTP Security Server Vulnerability
05 February 2004
A vulnerability in the FireWall-1 HTTP Security Servers exists that may cause it to crash in certain circumstances, which in theory only, may allow further exploitation. This issue only exists when using HTTP Security Servers.
In order to protect FireWall-1 against this vulnerability, Check Point recommends that customers install an update on all enforcement modules.
VPN-1/FireWall-1 NG and above, when using HTTP Security Servers.
If the HTTP Security Servers are not in use on the module, there is no need to install the update.
The update is applicable on the following releases:
NG FP3 HF2
NG with Application Intelligence R54
NG with Application Intelligence R55
Other NG based releases (NG FCS, NG FP1, NG FP2 ...)
...Entire bulletin located herehttp://www.checkpoint.com/techsuppor...ty_server.htmlCheckpoint has issued a hot fix for this which we are evaluating for immediate deployment. What's odd is Checkpoint doesn't mention that it's in the AI module and seems to kind of downplay this vulnerability - hopefully that doesn't mean they aren't taking it serious - I would assume they are but dont want to show too much at this early stage.Excerpt from ISS, who found it, issued this:
ISS X-Force has discovered a flaw in the HTTP Application Intelligence
component of Firewall-1. Application Intelligence is a relatively recent
addition to the Firewall-1 product line and functions as an application
proxy between untrusted networks and network servers for the purpose of
detecting and preventing potential attacks. The vulnerabilities also exist
within the HTTP Security Server application proxy that ships with all
versions of Firewall-1 (including those prior to Application Intelligence
releases). The affected components contain several remotely exploitable
format string vulnerabilities.
If HTTP Application Intelligence is enabled or the HTTP Security Server is
used, a remote unauthenticated attacker may exploit one of these
vulnerabilities and execute commands under the security context of the
super-user, usually "SYSTEM", or "root". This attack may lead to direct
compromise of the Firewall-1 server.
Remote attackers may leverage this attack to successfully compromise heavily
hardened networks by modifying or tampering with the firewall rules and
...Entire bulletin located here http://xforce.iss.net/xforce/alerts/id/162
Anyone know more about this one?