HTTP Parsing Vulnerabilities in Check Point Firewall-1
Original release date: February 05, 2004
Last revised: February 06, 2004
Source: US-CERT
Systems Affected
- Check Point Firewall-1 NG FCS
- Check Point Firewall-1 NG FP1
- Check Point Firewall-1 NG FP2
- Check Point Firewall-1 NG FP3, HF2
- Check Point Firewall-1 NG with Application Intelligence R54
- Check Point Firewall-1 NG with Application Intelligence R55
Overview
Several versions of Check Point Firewall-1 contain a vulnerability that
allows remote attackers to execute arbitrary code with administrative
privileges. This allows the attacker to take control of the firewall and
the server it runs on.
I. Description
The Application Intelligence (AI) component of Check Point Firewall-1
is an application proxy that scans traffic for application layer attacks
once it has passed through the firewall at the network level. Earlier
versions of Firewall-1 include the HTTP Security Server, which provides
similar functionality.
Both the AI and HTTP Security Server features contain an HTTP parsing
vulnerability that is triggered by sending an invalid HTTP request through
the firewall. When Firewall-1 generates an error message in response to
the invalid request, a portion of the input supplied by the attacker is
included in the format string for a call to sprintf().
Researchers at Internet Security
Systems have determined that it is possible to exploit this format
string vulnerability to execute commands on the firewall. The researchers
have also determined that this vulnerability can be exploited as a heap
overflow, which would allow an attacker to execute arbitrary code. In
either case, the commands or code executed by the attacker would run with
administrative privileges, typically "SYSTEM" or "root". For more
information, please see the ISS advisory at:
- http://xforce.iss.net/xforce/alerts/id/162
The CERT/CC is tracking this issue as VU#790771. This
reference number corresponds to CVE candidate CAN-2004-0039.
II. Impact
This vulnerability allows remote attackers to execute arbitrary code on
affected firewalls with administrative privileges, typically "SYSTEM" or
"root".
III. Solution
Apply the patch from Check Point
Check Point has published a "Firewall-1 HTTP Security Server Update"
that modifies the error return strings used when an invalid HTTP request
is detected. For more information, please see the Check Point bulletin
at:
- http://www.checkpoint.com/techsupport/alerts/security_server.html
Disable the affected components
Check Point has reported that their products are only affected by this
vulnerability if the HTTP Security Servers feature is enabled. Therefore,
affected sites may be able to limit their exposure to this vulnerability
by disabling HTTP Security Servers or the Application Intelligence
component, as appropriate.
This vulnerability was discovered and researched by Mark Dowd of ISS
X-Force.
This document was written by Jeffrey
P. Lanza.
This document is available from http://www.us-cert.gov/cas/techalerts/TA04-036A.html
Copyright 2004 Carnegie Mellon University. Terms of use
Revision History
02/05/2004: Initial release
02/06/2004: Updated Solution section
02/06/2004: Updated Overview and Impact sections
Mailing Lists & Feeds
Get Adobe Reader
US-CERT is part of the Department of Homeland Security