[ISN] Firewall-1 Reserved Keywords Vulnerability

From: mea culpa (jerichoat_private)
Date: Wed May 13 1998 - 13:34:16 PDT


    Forwarded From: Aleph One <aleph1at_private>
    This vulnerability in Firewall-1 has been made public by CheckPoint
    but hasn't been well publicized.

    Most of this information is taken verbatim from the CheckPoint web page
    on this issue. You can find this page at

    If you use one of several reserved keywords to represent any user defined
    object in a rule the default definition of "ANY" will be used instead.
    This behavior may grant (or deny) access to a greater number of addresses
    or services than expected.

    The following keywords should not be used to represent any user defined
    object in a FireWall-1 installation:

             Short, Long, Account, Alert, SnmpTrap, Mail, UserDefined, spoof,
             spoofalert, Auth, AuthAlert, Duplicate basewin, serviceswin,
             netobjwin, viewwin, users, resources, time, true, false, last,
             first, status_alert, fwalert

    If any of these keywords are used to represent either a network or a
    service object and are subsequently used in a security policy, FireWall-1
    will interpret the object definition as "undefined". If no other object is
    used either in the source/destination or service field of the rule, then
    the default address definition of "ANY" is used for that particular field.

    Note that in practice only objects in the "tracking" menu of type "alert"
    seem to behave this way. Objects such as "Long", of type "log", do not
    show this behavior.

    If you have a rule that allows SMTP access to a machine called "Mail" on
    your DMZ you are actually giving SMTP access to any machines behind the

    If any of these keywords are defined as network objects or service objects
    and used in a rule base, then the object should be renamed and the
    security policy reloaded.

    Additional Notes

    Mechanisms are being built into future releases of FireWall-1 to prevent
    using these keywords as user defined objects.

    Aleph One / aleph1at_private
    KeyID 1024/948FD6B5
    Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
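
The audit implied by the advisory's remediation, written here as an added example (not part of the original message and not CheckPoint tooling): it checks object names used in each rule's source, destination and service fields against the reserved keyword list and marks the fields that contain no other object, which the advisory says default to "ANY". The rule structure and sample rules are constructed, and both case-insensitive matching and reading "Duplicate basewin" as two keywords are assumptions.

```python
import re

# Keyword list copied from the advisory. The page prints "Duplicate basewin"
# without a comma; splitting on whitespace as well treats them as two
# keywords (assumption, the conservative reading for an audit).
RESERVED_TEXT = """
Short, Long, Account, Alert, SnmpTrap, Mail, UserDefined, spoof,
spoofalert, Auth, AuthAlert, Duplicate basewin, serviceswin,
netobjwin, viewwin, users, resources, time, true, false, last,
first, status_alert, fwalert
"""
# Case-insensitive matching is an assumption; the advisory does not say
# whether FireWall-1 compares these names case-sensitively.
RESERVED = {k.lower() for k in re.split(r"[,\s]+", RESERVED_TEXT.strip())}

FIELDS = ("source", "destination", "service")

def audit_rules(rules):
    """Return one finding per rule field that references a reserved name.

    'collapses_to_any' is True when every object in the field is reserved,
    the case in which the advisory says the field defaults to "ANY".
    """
    findings = []
    for rule in rules:
        for field in FIELDS:
            names = rule.get(field, [])
            bad = [n for n in names if n.lower() in RESERVED]
            if bad:
                findings.append({
                    "rule": rule["id"],
                    "field": field,
                    "reserved": bad,
                    "collapses_to_any": len(bad) == len(names),
                })
    return findings

# Constructed sample rule base (hypothetical structure, not a FireWall-1 file format).
SAMPLE_RULES = [
    {"id": 1, "source": ["Any"], "destination": ["Mail"], "service": ["smtp"]},
    {"id": 2, "source": ["internal-net"], "destination": ["Mail", "dmz-web"], "service": ["http"]},
    {"id": 3, "source": ["branch-net"], "destination": ["dmz-web"], "service": ["time"]},
    {"id": 4, "source": ["internal-net"], "destination": ["dmz-dns"], "service": ["domain-udp"]},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        effect = 'field defaults to "ANY"' if f["collapses_to_any"] else "object is undefined"
        print(f"rule {f['id']} {f['field']}: {f['reserved']} -> {effect}")
```

Every finding is a rename candidate; after renaming, the security policy has to be reloaded, as the advisory states.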