Lucene search

K
certCERTVU:258731
HistoryOct 08, 2001 - 12:00 a.m.

Check Point VPN-1/FireWall-1 4.1 on Nokia IPXXX firewall appliance retransmits original packets

2001-10-0800:00:00
www.kb.cert.org
68

AI Score

6.8

Confidence

Low

Overview

A vulnerability in Check Point VPN-1/FireWall-1 running on Nokia IPXXX Appliances can allow an attacker to pass traffic allowed by the security policy through the firewall while retaining the external (untranslated) destination IP address.

Description

Nokia IPXXX Appliances are security devices meant to perform a variety of functions such as Network Address Translation (NAT). NAT provides a way to hide the IP addresses of a private network from the Internet while still allowing computers on that network to access the Internet. NAT can be used in many different ways, but one method frequently used is called “masquerading”. Using NAT masquerading, one or more devices on a LAN can be made to appear as a single IP address to the outside Internet. In Check Point VPN-1/FireWall-1, this is referred to as “NAT Hide.” This allows for multiple computers in a network to connect to the Internet without requiring the ISP to provide more than one IP address to the organization. Under certain conditions, Nokia Appliances will pass packets which are accepted by the security policy defined in the VPN-1/FireWall-1 rule base without rewriting the destination IP address on the packet. This occurs on a small percentage of packets - only the third packet of a TCP three-way handshake - and only if SYN Defender is configured in Active Gateway mode. Specifically, the appliance will pass a correctly translated packet to the locally attached subnet (locally meaning that the internal appliance interface and destination host are in the same collision domain), then retransmit the packet with the original, untranslated IP address. Inspection of the packet on the internal side of the appliance interface will reveal that the destination header of the packet contains the outside interface address and not the internal NAT’d address.Nokia Firewall Appliances running the following software
configurations are vulnerable:

- - IPSO v3.3 and VPN-1/FireWall-1 4.1 Service Pack 3
- - IPSO v3.4 and VPN-1/FireWall-1 4.1 Service Pack 4
- - IPSO v3.4 or IPSO v3.4.1 and VPN-1/FireWall-1 4.1 Service Pack 5

Impact

The impact of this vulnerability is that an attacker can pass valid data which is allowed by the rulebase through your firewall with the external IP address preserved in the destination field of the packet. Note that the standard IP spoofing protection afforded by the gateway still applies, so it is not possible to use this issue in conjunction with an attack based on a spoofed internal IP address. Note also that an attacker would not be able to directly address hosts behind the firewall.

Solution

Check Point and Nokia are working jointly to resolve this issue, and further information will be posted when available. The issue will be corrected
shortly in an updated release of VPN-1/FireWall-1 4.1 Service Pack 5.

* Enable SYN-Defender in Passive Gateway Mode
* Disable SYN-Defender

Vendor Information

258731

Filter by status: All Affected Not Affected Unknown

Filter by content: __Additional information available

__Sort by: Status Alphabetical

Expand all

Javascript is disabled. Clickhere to view vendors.

Check Point __ Affected

Notified: September 14, 2001 Updated: September 27, 2001

Status

Affected

Vendor Statement

Please see http://www.checkpoint.com/techsupport/alerts/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nokia Affected

Updated: August 16, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

The CERT/CC thanks Steve Rogers for reporting this vulnerability. The CERT/CC also thanks Check Point and Nokia for their assistance in understanding this issue.

This document was written by Ian A. Finlay

Other Information

CVE IDs: None
Severity Metric: 0.38 Date Public:

AI Score

6.8

Confidence

Low