A vulnerability in Check Point VPN-1/FireWall-1 running on Nokia IPXXX Appliances can allow an attacker to pass traffic allowed by the security policy through the firewall while retaining the external (untranslated) destination IP address.
Nokia IPXXX Appliances are security devices meant to perform a variety of functions such as Network Address Translation (NAT). NAT provides a way to hide the IP addresses of a private network from the Internet while still allowing computers on that network to access the Internet. NAT can be used in many different ways, but one method frequently used is called “masquerading”. Using NAT masquerading, one or more devices on a LAN can be made to appear as a single IP address to the outside Internet. In Check Point VPN-1/FireWall-1, this is referred to as “NAT Hide.” This allows for multiple computers in a network to connect to the Internet without requiring the ISP to provide more than one IP address to the organization.

Under certain conditions, Nokia Appliances will pass packets which are accepted by the security policy defined in the VPN-1/FireWall-1 rule base without rewriting the destination IP address on the packet. This occurs on a small percentage of packets - only the third packet of a TCP three-way handshake - and only if SYN Defender is configured in Active Gateway mode. Specifically, the appliance will pass a correctly translated packet to the locally attached subnet (locally meaning that the internal appliance interface and destination host are in the same collision domain), then retransmit the packet with the original, untranslated IP address. Inspection of the packet on the internal side of the appliance interface will reveal that the destination header of the packet contains the outside interface address and not the internal NAT’d address.

Nokia Firewall Appliances running the following software configurations are vulnerable:
* Enable SYN-Defender in Passive Gateway Mode
* Disable SYN-Defender
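
The internal-side packet inspection described above can be automated. The following Python is an added example, not code from the advisory or from either vendor: it scans raw IPv4 packets taken from an internal-side capture for bare ACKs that still carry the external destination address, and notes whether the correctly translated copy was seen first. The addresses, ports, sequence numbers and sample capture are constructed assumptions.

```python
import socket
import struct

SYN, ACK = 0x02, 0x10

def build_packet(src, dst, sport, dport, seq, ack, flags):
    """Build a minimal IPv4+TCP packet (constructed test data, checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def parse_packet(raw):
    """Return (src, dst, sport, dport, seq, ack, flags), or None if not IPv4/TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl + 20:
        return None
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    sport, dport, seq, ack = struct.unpack("!HHII", raw[ihl:ihl + 12])
    return src, dst, sport, dport, seq, ack, raw[ihl + 13] & 0x3F

def find_untranslated_acks(packets, external_ip, internal_ip):
    """Flag bare ACKs on the internal segment still addressed to the external IP."""
    translated, findings = set(), []
    for index, raw in enumerate(packets):
        parsed = parse_packet(raw)
        if parsed is None or parsed[6] != ACK:
            continue  # only handshake-style ACKs (no SYN/FIN/RST/PSH) are of interest
        src, dst, sport, dport, seq, ack, _ = parsed
        key = (src, sport, dport, seq, ack)
        if dst == internal_ip:
            translated.add(key)  # correctly translated copy
        elif dst == external_ip:
            findings.append({"index": index, "src": src, "sport": sport, "dport": dport,
                             "translated_copy_seen": key in translated})
    return findings

CLIENT, EXTERNAL, INTERNAL = "198.51.100.7", "203.0.113.10", "10.0.0.5"  # constructed
SAMPLE_CAPTURE = [
    build_packet(CLIENT, INTERNAL, 40000, 80, 1000, 0, SYN),
    build_packet(INTERNAL, CLIENT, 80, 40000, 5000, 1001, SYN | ACK),
    build_packet(CLIENT, INTERNAL, 40000, 80, 1001, 5001, ACK),  # translated
    build_packet(CLIENT, EXTERNAL, 40000, 80, 1001, 5001, ACK),  # untranslated repeat
]

if __name__ == "__main__":
    print(find_untranslated_acks(SAMPLE_CAPTURE, EXTERNAL, INTERNAL))
```

A finding with `translated_copy_seen` set to true matches the sequence the advisory describes: the translated ACK followed by the same ACK with the original destination.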
258731
Notified: September 14, 2001 Updated: September 27, 2001
Affected
Please see http://www.checkpoint.com/techsupport/alerts/
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Updated: August 16, 2001
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
The CERT/CC thanks Steve Rogers for reporting this vulnerability. The CERT/CC also thanks Check Point and Nokia for their assistance in understanding this issue.
This document was written by Ian A. Finlay.
CVE IDs: | None |
---|---|
Severity Metric: | 0.38 |
Date Public: | |