Several versions of Check Point Firewall-1 contain a vulnerability that allows remote attackers to execute arbitrary code with administrative privileges. This allows the attacker to take control of the firewall and the server it runs on.
The Application Intelligence (AI) component of Check Point Firewall-1 is an application proxy that scans traffic for application layer attacks once it has passed through the firewall at the network level. Earlier versions of Firewall-1 include the HTTP Security Server, which provides similar functionality.
Both the AI and HTTP Security Server features contain an HTTP parsing vulnerability that is triggered by sending an invalid HTTP request through the firewall. When Firewall-1 generates an error message in response to the invalid request, a portion of the input supplied by the attacker is included in the format string for a call to sprintf().
Researchers at Internet Security Systems have determined that it is possible to exploit this format string vulnerability to execute commands on the firewall. The researchers have also determined that this vulnerability can be exploited as a heap overflow, which would allow an attacker to execute arbitrary code. In either case, the commands or code executed by the attacker would run with administrative privileges, typically “SYSTEM” or “root”. For more information, please see the ISS advisory at:
http://xforce.iss.net/xforce/alerts/id/162
The CERT/CC is tracking this issue as VU#790771. This reference number corresponds to CVE candidate CAN-2004-0039.
This vulnerability allows remote attackers to execute arbitrary code on affected firewalls with administrative privileges, typically “SYSTEM” or “root”.
Check Point has published a “Firewall-1 HTTP Security Server Update” that modifies the error return strings used when an invalid HTTP request is detected. For more information, please see the Check Point bulletin at:
http://www.checkpoint.com/techsupport/alerts/security_server.html
Check Point has reported that their products are only affected by this vulnerability if the HTTP Security Servers feature is enabled. Therefore, affected sites may be able to limit their exposure to this vulnerability by disabling HTTP Security Servers or the Application Intelligence component, as appropriate.
This vulnerability was discovered and researched by Mark Dowd of ISS X-Force.
This document was written by Jeffrey P. Lanza.
This document is available from http://www.us-cert.gov/cas/techalerts/TA04-036A.html
02/05/2004: Initial release
02/06/2004: Updated Solution section
02/06/2004: Updated Overview and Impact sections
Last updated
Systems Affected Systems running Microsoft Windows Overview Microsoft Windows contains multiple vulnerabilities,…
Systems Affected Systems running Microsoft Office XP and Outlook 2002 Overview There…
Systems Affected Applications and systems that use the OpenSSL SSL/TLS library Overview …
Systems Affected Continuing Threats to Home Users View Previous Alerts Alert (SA04-079A) Continuing Threats…
Systems Affected Microsoft Windows systems Overview A cross-domain vulnerability in the Outlook…
Systems Affected Systems running Microsoft Windows Overview There are multiple vulnerabilities in…
This website uses cookies.