
Checkpoint VPN-1 PAT information disclosure

🗓️ 05 Nov 2008 00:00:00 — Reported by (c) Tim Brown and Portcullis Computer Security Ltd, 2008 — Type
openvas
 openvas

Checkpoint VPN-1 PAT information disclosure. Crafted packets to mapped ports on the firewall can disclose internal network details, including internal IP addresses, through the resulting ICMP error packets. Mitigate by disabling implied rules and filtering outbound ICMP TTL-exceeded packets.

CheckPoint Security
Check Point response to "VPN-1 PAT information disclosure" vulnerability (CVE-2008-5849)
17 Nov 2008 22:00
checkpoint_security
CVE
CVE-2008-5849
6 Jan 2009 17:00
cve
Cvelist
CVE-2008-5849
6 Jan 2009 17:00
cvelist
EUVD
EUVD-2008-5819
7 Oct 2025 00:30
euvd
NVD
CVE-2008-5849
6 Jan 2009 17:30
nvd
OpenVAS
Check Point VPN-1 PAT Information Disclosure Vulnerability - Active Check
5 Nov 2008 00:00
openvas
Prion
Code injection
6 Jan 2009 17:30
prion
seebug.org
Checkpoint VPN-1 PAT信息泄露漏洞
7 Jan 2009 00:00
seebug
SourceLink
portcullis-security: www.portcullis-security.com/293.php
# OpenVAS Vulnerability Test
# $Id: checkpoint-vpn1-pat-information-disclosure.nasl 8078 2017-12-11 14:28:55Z cfischer $
# Description: Checkpoint VPN-1 PAT information disclosure
#
# Authors:
# Tim Brown <[email protected]>
#
# Fixes (+note about FP): Vlatko Kosturjak <[email protected]>
#
# Copyright:
# Copyright (c) 2008 Tim Brown and Portcullis Computer Security Ltd
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

# Summary text shown to the user; registered below via
# script_tag(name:"summary"). It is mostly excerpted from the advisory
# and names the PAT-mapped port (18264/tcp) that the active check probes.
tag_summary = "Checkpoint VPN-1 PAT information disclosure

By sending crafted packets to ports on the firewall which are mapped by port address translation (PAT) to ports on internal devices, information about the internal network may be disclosed in the resulting ICMP error packets. Port 18264/tcp on the firewall is typically configured in such a manner, with packets to this port being rewritten to reach the firewall management server.  For example, the firewall fails to correctly sanitise the encapsulated IP headers in ICMP time-to-live exceeded packets resulting in internal IP addresses being disclosed.

On the following platforms, we recommend you mitigate in the described manner:
Checkpoint VPN-1 R55
Checkpoint VPN-1 R65

We recommend you mitigate in the following manner:
Disable any implied rules and only open ports for required services
Filter outbound ICMP time-to-live exceeded packets";

# Solution text registered via script_tag(name:"solution"). The
# false-positive note reflects that the check keys off ICMP time-exceeded
# replies, which other hosts on the path may also emit when several
# targets are scanned at once.
tag_solution = "We are not aware of a vendor approved solution at the current time.

False positive:
This could be false positive alert. Try running same scan against single host 
where this vulnerability is reported.";

if (description)
{
	# Registration phase: describe the test to the scanner and exit
	# without touching the network.
	script_id(80096);
	script_version("$Revision: 8078 $");
	script_tag(name:"last_modification", value:"$Date: 2017-12-11 15:28:55 +0100 (Mon, 11 Dec 2017) $");
	script_tag(name:"creation_date", value:"2008-11-05 16:59:22 +0100 (Wed, 05 Nov 2008)");
	script_tag(name:"cvss_base", value:"5.0");
	script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
	script_cve_id("CVE-2008-5849");
	script_name("Checkpoint VPN-1 PAT information disclosure");
	script_category(ACT_GATHER_INFO);
	script_tag(name:"qod_type", value:"remote_vul");
	script_family("Firewalls");
	script_copyright("(c) Tim Brown and Portcullis Computer Security Ltd, 2008");
	# The check is gated on 264/tcp being open (see the get_port_state()
	# test further down), while the probe itself goes to 18264/tcp and the
	# finding is reported against 18264 -- presumably 264/tcp serves as a
	# Check Point presence indicator; confirm against the advisory.
	script_require_ports(264);
	script_tag(name:"solution", value:tag_solution);
	script_tag(name:"summary", value:tag_summary);
	script_xref(name:"URL", value:"http://www.portcullis-security.com/293.php");
	# Only IPv4 headers are forged below, so IPv6 targets are excluded.
	script_exclude_keys("keys/TARGET_IS_IPV6");
	exit(0);
}

include("host_details.inc");

# Runtime guard mirroring the script_exclude_keys() registration above:
# the probe forges IPv4 headers only.
if (TARGET_IS_IPV6())
{
	exit(0);
}

## Constant values
# OID and description used when registering the host detail.
SCRIPT_OID  = "1.3.6.1.4.1.25623.1.0.80096";
SCRIPT_DESC = "Checkpoint VPN-1 PAT information disclosure";

## functions for script
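function packet_construct(_ip_src, _ip_ttl)
{
	# Build one TCP SYN probe to 18264/tcp carrying the given source
	# address and IP TTL. The TTL is also written into the TCP sequence
	# number, apparently so that a reply quoting the original header can
	# be tied back to the probe that caused it (packet_parse() does not
	# currently read it back; the caller passes the TTL explicitly).
	#
	# _ip_src: source address placed in the IP header
	# _ip_ttl: IP TTL for this probe
	# Returns the forged packet, ready for send_packet().
	#
	# All working variables are declared local so that the two helpers in
	# this file do not clobber each other through shared globals.
	local_var _ip_id, _th_sport, _ip, _tcp;

	# Fresh IP id and an ephemeral-range source port for every probe.
	_ip_id = rand() % 65535;
	_th_sport = (rand() % 64000) + 1024;

	_ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_id:_ip_id, ip_len:20, ip_off:0, ip_p:IPPROTO_TCP, ip_src:_ip_src, ip_ttl:_ip_ttl);
	_tcp = forge_tcp_packet(ip:_ip, th_sport:_th_sport, th_dport:18264, th_flags:TH_SYN, th_seq:_ip_ttl, th_ack:0, th_x2:0, th_off:5, th_win:2048, th_urp:0);
	return _tcp;
}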

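function packet_parse(_icmp, _ip_dst, _ttl)
{
	# Inspect an ICMP reply and report when the quoted inner packet shows
	# that the firewall rewrote the destination of our 18264/tcp probe.
	#
	# _icmp:   captured ICMP packet (the pcap filter selects type 11)
	# _ip_dst: the address the probe was actually sent to
	# _ttl:    TTL of the probe that triggered this reply (for the report)
	# Returns a one-line report string, or "" when nothing was disclosed.
	# Side effects: on a hit, stores the disclosed address in the KB and
	# registers the Check Point VPN-1 host detail.
	local_var _ip, _ip_p, _ip_dst2, _ip_hl, _tcp, _ih_dport, _data;

	_data = "";

	# The quoted datagram is untrusted network input: require at least a
	# full IPv4 header before reading fields from it.
	_ip = get_icmp_element(icmp:_icmp, element:"data");
	if (isnull(_ip) || strlen(_ip) < 20)
	{
		return _data;
	}

	_ip_p = get_ip_element(ip:_ip, element:"ip_p");
	_ip_dst2 = get_ip_element(ip:_ip, element:"ip_dst");
	_ip_hl = get_ip_element(ip:_ip, element:"ip_hl");
	if (isnull(_ip_hl) || _ip_hl < 5)
	{
		return _data;
	}

	# ICMP errors quote only the leading bytes of the offending datagram.
	# The destination port is read from bytes 2-3 of the TCP header, so
	# make sure that much survives past the IP header before indexing.
	_tcp = substr(_ip, (_ip_hl * 4), strlen(_ip));
	if (strlen(_tcp) < 4)
	{
		return _data;
	}
	_ih_dport = (ord(_tcp[2]) * 256) + ord(_tcp[3]);

	# A PAT rewrite shows up as a quoted destination that differs from the
	# address we sent to, for the port we probed.
	if ((_ip_p == IPPROTO_TCP) && (_ip_dst2 != _ip_dst) && (_ih_dport == 18264))
	{
		_data = "Internal IP disclosed: " + _ip_dst2 + " (ttl: "+_ttl+")
";
		set_kb_item(name:"Checkpoint/Manager/ipaddress", value:_ip_dst2);
		register_host_detail(name:"App", value:"cpe:/a:checkpoint:vpn-1", desc:SCRIPT_DESC);
	}
	return _data;
}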

## start script
if (islocalhost()) exit(0);

# Gate on 264/tcp being open (matches script_require_ports() above); the
# probes themselves go to 18264/tcp.
port = 264;
if (!get_port_state(port)) exit(0);

sourceipaddress = this_host();
destinationipaddress = get_host_ip();
# Capture only ICMP type 11 (time exceeded) addressed back to the scanner.
packetfilter = "dst host " + sourceipaddress + " and icmp and (icmp[0]=11)";
reportout = "";

# One probe per TTL value, waiting up to a second for a matching reply
# each time; every reply is checked for a rewritten inner destination.
for (ttl = 1; ttl <= 50; ttl++)
{
	requestpacket = packet_construct(_ip_src:sourceipaddress, _ip_ttl:ttl);
	responsepacket = send_packet(requestpacket, pcap_active:TRUE, pcap_filter:packetfilter, pcap_timeout:1);
	if (!responsepacket) continue;
	reportout += packet_parse(_icmp:responsepacket, _ip_dst:destinationipaddress, _ttl:ttl);
}

if (reportout != "")
{
	wholereport = "

Disclosures:
" + reportout;
	security_message(protocol:"tcp", port:18264, data:wholereport);
}
