[ISN] CERT warns firewall leaves open door to attackers

From: InfoSec News (isnat_private)
Date: Tue Jul 10 2001 - 01:54:48 PDT


    Tuesday 10 July, 2001 09:46 GMT+10:00
    A United States-based network security watchdog has warned of a
    security hole in firewall software that will give an attacker access
    to the system and could lead to a denial of service attack.
    An advisory from CERT overnight said Check Point VPN-1 and FireWall-1
    Version 4.1 software contained a vulnerability that may allow an
    intruder to pass traffic through the firewall on port 259/UDP.
    The advisory said FireWall-1 and VPN-1 do not provide adequate security
    controls for RDP (reliable data protocol), a protocol designed to
    provide a reliable data transport service for packet-based applications
    such as remote loading and debugging, and supported by the firewall.
    The company that discovered the security hole, Inside Security GmbH,
    said an attacker could add a faked RDP header to normal UDP traffic,
    allowing any content to be passed to port 259 on any remote host on
    either side of the firewall.
    "Although the CERT/CC has not seen any incident activity related to
    this vulnerability, we do recommend that all affected sites upgrade
    their Check Point software as soon as possible," the advisory from
    CERT says.
    "If an intruder can gain control of a host inside the firewall, he may
    be able to use this vulnerability to tunnel arbitrary traffic across
    the firewall boundary.
    "Additionally, even if an intruder does not have control of a host
    inside the firewall, he may be able to use this vulnerability as a
    means of exploiting another vulnerability in software listening
    passively on the internal network," it says.
    CERT said an intruder may be able to use this vulnerability to launch
    certain kinds of denial-of-service attacks.
    The advisory recommends that routers be configured to block access to
    port 259/UDP until a patch is applied from