Type packetstorm
Modified 2000-07-07T00:00:00


FSC Internet Corp. / SecureXpert Labs  
SecureXpert Labs Advisory [SX-20000620-3] - Partial Denial of  
Service in Check Point Firewall-1 on Windows NT  
The SMTP Security Server component of Check Point Firewall-1 4.0 and 4.1 is  
vulnerable to a simple network-based attack which raises the firewall load to  
Check Point Firewall-1 includes a component called the SMTP Security Server.  
This is an SMTP proxy, the use of which is required by several of Firewall-1's  
advanced SMTP email processing capabilities, including CVP-based virus  
scanning and URI filtering.  
The Check Point Firewall-1 SMTP Security Server in Firewall-1 4.0 and 4.1  
on Windows NT is vulnerable to a simple network-based attack which can increase  
the firewall's CPU utilization to 100%.  
Sending a stream of binary zeros over the network to the SMTP port on the firewall  
raises the target system's load to 100% while the load on the attacker's  
machine remains relatively low. This can easily be reproduced from  
a Linux system using netcat with an input of /dev/zero, with a command such as  
"nc firewall 25 < /dev/zero".  
This vulnerability could allow a very quick and easy distributed attack  
on Check Point Firewall-1.  
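
The advisory does not state the root cause, so the following is an added example, not part of the original advisory and not Check Point's code: a guard that an SMTP proxy could apply to client command input, dropping a session on the first NUL byte or when no CRLF arrives within a fixed line length. The class and method names are hypothetical, and the 512-byte limit is an assumed policy taken from the RFC 5321 command-line maximum.

```python
# Added example (hypothetical names): bounded reader for SMTP command input.
MAX_LINE = 512  # RFC 5321 command-line limit including CRLF; assumed policy


class SessionGuard:
    """Accepts raw client bytes; returns complete commands or drops the session."""

    def __init__(self, max_line=MAX_LINE):
        self.max_line = max_line
        self.buf = bytearray()
        self.dropped = None  # reason string once the session is rejected

    def _drop(self, reason):
        self.dropped = reason
        self.buf.clear()  # keep no client-supplied data after rejection
        return []

    def feed(self, chunk):
        """Return the CRLF-terminated command lines completed by this chunk."""
        if self.dropped:
            return []
        if b"\x00" in chunk:  # NUL is not valid in an SMTP command
            return self._drop("NUL byte in command stream")
        self.buf += chunk
        lines = []
        while (end := self.buf.find(b"\r\n")) >= 0:
            if end + 2 > self.max_line:
                return self._drop("command line exceeds limit")
            lines.append(bytes(self.buf[:end]))
            del self.buf[:end + 2]
        if len(self.buf) >= self.max_line:  # no CRLF can arrive within the limit
            return self._drop("command line exceeds limit")
        return lines


if __name__ == "__main__":
    # Constructed sample sessions: a normal client, then a stream of zero bytes.
    ok, zeros = SessionGuard(), SessionGuard()
    print(ok.feed(b"HELO mail.example.org\r\nMAIL FROM:<a@example.org>\r\n"))
    print(zeros.feed(bytes(4096)), zeros.dropped)
```

Once `dropped` is set the caller should close the connection; the guard does constant work per chunk after that point, so a continuing stream costs the receiver almost nothing.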
Check Point Software Technologies has been informed of this vulnerability, and  
has assigned it incident ID# TT44913. As of June 20, 2000 Check Point  
has stated that a fix for this vulnerability will NOT be included in Service  
Pack 2 (SP-2) for Check Point Firewall-1 4.1, but it will "probably be included  
in SP-3".  
Mike Murray, SecureXpert Labs  
Max Degtyar, SecureXpert Labs  
Richard Reiner, SecureXpert Labs  