Checkpoint VPN-1 PAT信息泄露漏洞

CVE(CAN) ID: CVE-2008-5849

CheckPoint防火墙/VPN解决方案可为组织提供网络架构和信息安全保护。

对于启用了端口地址翻译（PAT）的CheckPoint VPN-1防火墙，如果远程攻击者向防火墙的18264/tcp端口发送设置有很低TTL值的报文的话，就可以触发ICMP_TIMXCEED_INTRANS响应，而响应的封装IP报文中包含有内部IP地址，如下所示：

14:56:25.169480 IP (tos 0xe0, ttl 255, id 21407, offset 0, flags [none], proto: ICMP (1), length: 68) 193.0.0.1 > 194.0.0.1: ICMP time exceeded in-transit, length 48

IP (tos 0x0, ttl 1, id 5120, offset 0, flags [none], proto: TCP (6), length: 40) 194.0.0.1.9003 > 10.0.0.99.18264: S, cksum 0x03e6 (correct), 2834356043:2834356043(0) win 512

Check Point Software VPN-1 R65
Check Point Software VPN-1 R55
厂商补丁：

Check Point Software

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

<a href=“http://downloads.checkpoint.com/dc/download.htm?ID=8606” target=“_blank”>http://downloads.checkpoint.com/dc/download.htm?ID=8606</a>
<a href=“http://downloads.checkpoint.com/dc/download.htm?ID=8607” target=“_blank”>http://downloads.checkpoint.com/dc/download.htm?ID=8607</a>
<a href=“http://downloads.checkpoint.com/dc/download.htm?ID=8608” target=“_blank”>http://downloads.checkpoint.com/dc/download.htm?ID=8608</a>
<a href=“http://downloads.checkpoint.com/dc/download.htm?ID=8609” target=“_blank”>http://downloads.checkpoint.com/dc/download.htm?ID=8609</a>