[ISN] US-CERT Technical Cyber Security Alert TA04-036A -- HTTP Parsing Vulnerabilities in Check Point Firewall-1

From: InfoSec News (isn@private)
Date: Fri Feb 06 2004 - 00:28:50 PST

  • Next message: InfoSec News: "[ISN] Secunia Weekly Summary - Issue: 2004-6"

    Forwarded from: US-CERT <alert@us-cert.gov>
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    HTTP Parsing Vulnerabilities in Check Point Firewall-1
    
       Original release date: February 05, 2004
       Last revised: --
       Source: US-CERT
    
       A complete revision history can be found at the end of this file.
    
    Systems Affected
    
         * Check Point Firewall-1 NG FCS
         * Check Point Firewall-1 NG FP1
         * Check Point Firewall-1 NG FP2
         * Check Point Firewall-1 NG FP3, HF2
         * Check Point Firewall-1 NG with Application Intelligence R54
         * Check Point Firewall-1 NG with Application Intelligence R55
    
    Overview
    
       Several versions of Check Point Firewall-1 contain a vulnerability that
       allows remote attackers to execute arbitrary code with administrative
       privileges. This allows the attacker to take control of the firewall,
       and in some cases, to also control the server it runs on.
    
    I. Description
    
       The Application Intelligence (AI) component of Check Point Firewall-1
       is an application proxy that scans traffic for application layer
       attacks once it has passed through the firewall at the network level.
       Earlier versions of Firewall-1 include the HTTP Security Server, which
       provides similar functionality.
    
       Both the AI and HTTP Security Server features contain an HTTP parsing
       vulnerability that is triggered by sending an invalid HTTP request
       through the firewall. When Firewall-1 generates an error message in
       response to the invalid request, a portion of the input supplied by the
       attacker is included in the format string for a call to sprintf().
    
       Researchers at Internet Security Systems have determined that it is
       possible to exploit this format string vulnerability to execute
       commands on the firewall. The researchers have also determined that
       this vulnerability can be exploited as a heap overflow, which would
       allow an attacker to execute arbitrary code. In either case, the
       commands or code executed by the attacker would run with administrative
       privileges, typically "SYSTEM" or "root". For more information, please
       see the ISS advisory at:
    
              http://xforce.iss.net/xforce/alerts/id/162
    
       The CERT/CC is tracking this issue as VU#790771. This reference number
       corresponds to CVE candidate CAN-2004-0039.
    
    II. Impact
    
       This vulnerability allows remote attackers to execute arbitrary code on
       affected firewalls with administrative privileges, typically "SYSTEM"
       or "root". Failed attempts to exploit this vulnerability may cause the
       firewall to crash.
    
    III. Solution
    
       Apply the patch from Check Point
    
       Check Point has published a "Firewall-1 HTTP Security Server Update"
       that modifies the error return strings used when an invalid HTTP
       request is detected. For more information, please see the Check Point
       bulletin at:
    
         http://www.checkpoint.com/techsupport/alerts/security_server.html
    
       This update prevents attackers from using several known error strings
       to exploit this vulnerability. It is unclear at this time whether there
       are other attack vectors that may still allow exploitation of the
       underlying software defect.
    
       Disable the affected components
    
       Check Point has reported that their products are only affected by this
       vulnerability if the HTTP Security Servers feature is enabled.
       Therefore, affected sites may be able to limit their exposure to this
       vulnerability by disabling HTTP Security Servers or the Application
       Intelligence component, as appropriate.
         _________________________________________________________________
    
       This vulnerability was discovered and researched by Mark Dowd of ISS
       X-Force.
         _________________________________________________________________
    
       This document was written by Jeffrey P. Lanza.
         _________________________________________________________________
    
       This document is available from:
       http://www.us-cert.gov/cas/techalerts/TA04-036A.html
         _________________________________________________________________
    
       Copyright 2004 Carnegie Mellon University.
    
       Revision History
       Feb 05, 2004:  Initial release
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)
    
    iD8DBQFAIsBMXlvNRxAkFWARApI0AKD4vWl9qb4hYtEr+zlkUScaY3PFcwCfRXcG
    pglRULK2zVbnACsvG9+BEog=
    =6SAE
    -----END PGP SIGNATURE-----
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Feb 06 2004 - 03:06:02 PST