CERT VU:790771
Feb 05, 2004 - 12:00 a.m.

HTTP Parsing Vulnerabilities in Check Point Firewall-1

www.kb.cert.org

CVSS2: 10

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.891
Percentile: 98.7%

Overview

Several versions of Check Point Firewall-1 contain a vulnerability that allows remote attackers to execute arbitrary code with administrative privileges.

Description

The HTTP Security Servers component of Check Point Firewall-1 contains an HTTP parsing vulnerability that is triggered by sending an invalid HTTP request through the firewall. When Firewall-1 generates an error message in response to the invalid request, a portion of the input supplied by the attacker is included in the format string for a call to sprintf().

Researchers at Internet Security Systems have determined that it is possible to exploit this format string vulnerability to execute commands on the firewall. The researchers have also determined that this vulnerability can be exploited as a heap overflow, which would allow an attacker to execute arbitrary code. In either case, the commands or code executed by the attacker would run with administrative privileges, typically “SYSTEM” or “root”. For more information, please see the ISS advisory.
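The bug class described above, as an added C example (not Check Point's code and not taken from the advisory): the first function places request text inside the format string, the second passes it as data with a bounded write. The function names, the error message text and the sample request are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* BEFORE (bug class described above): request text is concatenated into the
 * format string, so any '%' in `req` is interpreted by sprintf() as a
 * conversion, and nothing bounds the write into `out`. Shown for contrast. */
void build_error_unsafe(char *out, const char *req, int status)
{
    char fmt[512];
    strcpy(fmt, "Error %d: invalid request: ");
    strcat(fmt, req);            /* untrusted bytes become format directives */
    sprintf(out, fmt, status);   /* undefined behaviour if req contains '%' */
}

/* AFTER: the format is a constant, the request is passed as data, and the
 * output is bounded. Returns 0 on success, -1 on truncation or error. */
int build_error_safe(char *out, size_t outlen, const char *req, int status)
{
    int n = snprintf(out, outlen, "Error %d: invalid request: %.200s",
                     status, req);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Logging aid: number of '%' conversions that untrusted text would trigger
 * if it ever reached a format argument ("%%" is a literal percent sign). */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    const char *req = "GET /%s%d HTTP/1.0";   /* constructed sample input */
    char msg[256];
    if (build_error_safe(msg, sizeof msg, req, 400) == 0)
        printf("%s (directives seen: %zu)\n", msg, count_format_directives(req));
    return 0;
}
```

In the hardened form the percent signs in the request are echoed literally, and a message that does not fit is reported as truncated rather than written past the buffer.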


Impact

This vulnerability allows remote attackers to execute arbitrary code on affected firewalls with administrative privileges, typically “SYSTEM” or “root”.


Solution

Apply the patch from Check Point

Check Point has published a “Firewall-1 HTTP Security Server Update” to address this vulnerability. For more information, please see the Check Point bulletin at:

http://www.checkpoint.com/techsupport/alerts/security_server.html


Disable the affected components

Check Point has reported that their products are only affected by this vulnerability if the HTTP Security Servers feature is enabled. Therefore, affected sites may be able to limit their exposure to this vulnerability by disabling HTTP Security Servers.


Vendor Information

Check Point Affected

Notified: February 02, 2004 Updated: February 06, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Acknowledgements

This vulnerability was discovered and researched by Mark Dowd of ISS X-Force.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2004-0039
Severity Metric: 17.10
Date Public: