
IP Fragmentation Denial-of-Service Vulnerability in FireWall-1

Description

### Overview

A large stream of IP traffic can monopolize the CPU of a Check Point FireWall-1 firewall, resulting in a denial-of-service condition.

### Description

A denial-of-service vulnerability has been discovered in the FireWall-1 product from Check Point Software Technologies. Check Point has tested versions 4.0 and 4.1 of the product and has confirmed that both are affected. Check Point reports that earlier versions have been designated "End of Life" and are no longer supported. Thus, versions earlier than 4.0 have not been tested.

This vulnerability can be exploited by sending a stream of large IP fragments to the firewall. As the fragments arrive, the mechanism used to log IP fragmentation anomalies can monopolize the CPU on the host machine and prevent further traffic from passing through the firewall.

FireWall-1 filters packets by comparing them to a rule-base after the fragments have been reassembled. This is essential to preventing fragments from getting past the firewall in violation of the rule-base. Because this attack uses legally formed fragments and consumes CPU time prior to the packet being completely reassembled, it is not possible for FireWall-1 to drop these fragments based on the contents of its rule-base.

---

### Impact

An attacker who exploits this vulnerability can monopolize the CPU of a FireWall-1 firewall, rendering it incapable of processing any incoming or outgoing traffic. Attackers are not able to pass packets or fragments that would be filtered out under normal circumstances, nor are they able to gain privileged access to the firewall or its host system.

---

### Solution

**From Check Point:**

"Check Point is in the process of building new kernel binaries that will modify the mechanism by which fragment events are written to the host system console, as well as providing configurable options as to how often to log.

In addition and independent of the console message writing, with the new binaries FireWall-1 administrators will be able to use the Check Point log file method for reporting fragmentation events. These binaries will be released shortly in Service Pack 2 of FireWall-1 version 4.1, for 4.1 users, and as a Service Pack 6 Hot Fix for FireWall-1 version 4.0 users."

---

**Workaround:**

As an interim workaround, customers can disable the console logging, thereby mitigating this issue by using the following command line on their FireWall-1 module(s):

```
$FWDIR/bin/fw ctl debug -buf
```

For further information regarding this vulnerability and the above solution, please visit: <http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html>

---

### Vendor Information

### Check Point

Affected

Updated: January 11, 2001

### Status

Affected

### Vendor Statement

We have not received a statement from the vendor.

### Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

### Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%2335958 Feedback>).

### CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

### References

* <http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html>
* <http://www.securityfocus.com/bid/1312>
* <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0482>

### Acknowledgements

This vulnerability was discovered by Lance Spitzner and was reported to the Bugtraq mailing list on June 5, 2000.

This document was written by Jeffrey P. Lanza.

### Other Information

**CVE IDs:** | [CVE-2000-0482](<http://web.nvd.nist.gov/vuln/detail/CVE-2000-0482>)
---|---
**Severity Metric:** | 11.77
**Date Public:** | 2000-06-05
**Date First Published:** | 2000-09-26
**Date Last Updated:** | 2001-04-05 21:20 UTC
**Document Revision:** | 6
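
The Description and Solution sections above attribute the CPU exhaustion to per-fragment console logging and describe a fix with a configurable logging frequency. The C sketch below is an added illustration, not Check Point's code and not part of the original advisory: a hypothetical `frag_log_limiter` caps console writes per time window and counts what it suppresses, exercised by a constructed flood of 10,000 anomaly events (all names and numbers are assumptions).

```c
#include <stdio.h>
/* Hypothetical limiter (not Check Point's code): at most `burst` console
 * writes per `interval` clock ticks; everything else is only counted. */
struct frag_log_limiter {
    unsigned long window_start, interval; /* window begin and length, in ticks */
    unsigned int  burst, written;         /* writes allowed / used per window */
    unsigned long suppressed;             /* events dropped since last write */
};

/* Returns 1 if this anomaly may be written to the console, 0 if suppressed.
 * An allowed write also reports, via *summary, how many events were dropped. */
int frag_log_allow(struct frag_log_limiter *l, unsigned long now, unsigned long *summary)
{
    *summary = 0;
    if (now - l->window_start >= l->interval) { /* unsigned diff is wrap-safe */
        l->window_start = now;
        l->written = 0;
    }
    if (l->written >= l->burst) {
        l->suppressed++;        /* O(1) counter bump instead of console I/O */
        return 0;
    }
    l->written++;
    *summary = l->suppressed;   /* the operator still sees the flood's size */
    l->suppressed = 0;
    return 1;
}

/* Constructed workload: per_tick anomalies on each tick. Returns console writes. */
unsigned long simulate_flood(struct frag_log_limiter *l, unsigned long ticks,
                             unsigned long per_tick, unsigned long *reported)
{
    unsigned long writes = 0, summary;
    *reported = 0;
    for (unsigned long t = 0; t < ticks; t++)
        for (unsigned long i = 0; i < per_tick; i++)
            if (frag_log_allow(l, t, &summary)) {
                writes++;
                *reported += summary;
            }
    return writes;
}

int main(void)
{
    struct frag_log_limiter l = { 0, 5, 3, 0, 0 }; /* 3 writes per 5 ticks */
    unsigned long rep, w = simulate_flood(&l, 10, 1000, &rep);
    printf("events=10000 writes=%lu summarized=%lu pending=%lu\n", w, rep, l.suppressed);
    return 0;
}
```

Console cost is bounded by `burst` per window regardless of fragment rate, while the suppressed count keeps the event volume visible for detection.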

