Results 1 to 3 of 3

Thread: Checkpoint Firewall-1 critical vulnerabilities announced: AI & HTTP server

  1. #1

    Checkpoint Firewall-1 critical vulnerabilities announced: AI & HTTP server

    New vulnerability announced by Checkpoint, however notes that it is "in theory only" at this time.

    Excerpt from Checkpoint's site:
    FireWall-1 HTTP Security Server Vulnerability
    05 February 2004

    A vulnerability in the FireWall-1 HTTP Security Servers exists that may cause it to crash in certain circumstances, which in theory only, may allow further exploitation. This issue only exists when using HTTP Security Servers.

    In order to protect FireWall-1 against this vulnerability, Check Point recommends that customers install an update on all enforcement modules.

    Affected Releases:
    VPN-1/FireWall-1 NG and above, when using HTTP Security Servers.

    If the HTTP Security Servers are not in use on the module, there is no need to install the update.

    The update is applicable on the following releases:

    NG FP3 HF2
    NG with Application Intelligence R54
    NG with Application Intelligence R55
    Other NG based releases (NG FCS, NG FP1, NG FP2 ...)

    ...Entire bulletin located here
    Excerpt from ISS, who found it, issued this:
    ISS X-Force has discovered a flaw in the HTTP Application Intelligence
    component of Firewall-1. Application Intelligence is a relatively recent
    addition to the Firewall-1 product line and functions as an application
    proxy between untrusted networks and network servers for the purpose of
    detecting and preventing potential attacks. The vulnerabilities also exist
    within the HTTP Security Server application proxy that ships with all
    versions of Firewall-1 (including those prior to Application Intelligence
    releases). The affected components contain several remotely exploitable
    format string vulnerabilities.

    If HTTP Application Intelligence is enabled or the HTTP Security Server is
    used, a remote unauthenticated attacker may exploit one of these
    vulnerabilities and execute commands under the security context of the
    super-user, usually "SYSTEM", or "root". This attack may lead to direct
    compromise of the Firewall-1 server.

    Remote attackers may leverage this attack to successfully compromise heavily
    hardened networks by modifying or tampering with the firewall rules and

    ...Entire bulletin located here
    Checkpoint has issued a hot fix for this which we are evaluating for immediate deployment. What's odd is Checkpoint doesn't mention that it's in the AI module and seems to kind of downplay this vulnerability - hopefully that doesn't mean they aren't taking it serious - I would assume they are but dont want to show too much at this early stage.

    Anyone know more about this one?

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    We have been looking at this, and here is what seems to be the catch:
    If the HTTP Security Servers are not in use on the module, there is no need to install the update.
    Now from reading here:

    It looks, at least to me, that the HTTP Security servers are used to essentially force authentication of users to use HTTP. The way I am currently reading it, is that unless you are doing this, and thereby forcing it through the HTTP security Servers module, then you are at no risk to this vulnerability...

    However, if you look at what ISS has said, they are saying the problem actually either lies in their Application Intelligence (their psuedo-proxy type inspection engines) under SmartDefense OR the HTTP Security Server...

    Hmmm...guess need to dig further.


    EDIT: Talked to one of our reps and found some interesting information, waiting to talk to an engineer to confirm, but the scope may not be as big as ISS is implying...more to come.

    EDIT 2: Talked with their engineers, it does apply to the newest releases of AI and does effect both HTTP Security Server and HTTP AI.

    EDIT 3: Man I need to sleep, I misunderstood the engineer. Checkpoint has been able to confirm that an internal piece of their code, when using the HTTP Security server would cause an internal process to reset and does confirm this part of ISS' report. They are unable to confirm ISS's second claim and are denying that HTTP AI is vulnerable to the attack. They have stated that HTTP AI is not effected IF you do not have virus scanning turned on or strict enforcement of HTTP protocol in smart defense turned on.


    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Join Date
    Aug 2001

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts