SNI-21: Firewall-1 Security Advisory

Secure Networks Inc. (sni@SECURENETWORKS.COM)
Tue, 09 Dec 1997 16:57:38 -0700


###### ## ## ######
## ### ## ##
###### ## # ## ##
## ## ### ##
###### . ## ## . ######.

Secure Networks Inc.

Security Advisory
December 9, 1997

Checkpoint Firewall-1 Security Advisory

This advisory addresses a security problem present in Checkpoint
Firewall-1 which allows unauthorized users to access the SNMP daemon
running on the firewall. This allows outsiders to obtain internal and
confidential information about the installation and operation of the
firewall and the network which it protects, without being traced.

Problem Description:

The default recommended configuration of Firewall-1 allows outside
users to obtain confidential operation and statistical information from
the Simple Network Management Protocol (SNMP) daemon.

Once obtained, this information can be used by potential intruders
to find vulnerabilities in the firewall or connected systems. In
addition, potential intruders can obtain statistics on the firewall's
operation. Finding software on the firewall with known vulnerabilities
can, in some cases, be exploited immediately to cause a Denial Of
Service (DOS) attack.

It is possible for people wishing to see the volume of traffic going
in and out of a target firewall's network to obtain this information
in a form that can be directly imported into any number of network
monitoring tools that can graph it by time of day.

Technical Details:

Firewall-1 makes use of the SNMP service on all platforms to obtain
information about the machine on which the firewall is running, and
to show the user real-time statistics about the firewall.

For those unfamiliar with the Firewall-1 user interface, the first
option available in the global properties dialog box is:

"Enable Firewall-1 Control Connections [Essential]" [1].

The word 'Essential' is contained in the user interface window itself,
causing unfamiliar users to be very reluctant to remove it since
they feel the vendor should know best about this.

The default configuration is to have this selected and marked "First" so
that it is evaluated BEFORE the rule-set defined by the firewall
administrator. Since Firewall-1 operations on a first-match rather
than a best-match principle, nothing in the rule-set overrides this.

The documentation makes it very clear that while this box is selected,
control connections required for use of the remote GUI are only allowed
if the IP address is listed in a specific text file. All other connection
attempts will be rejected. No mention is made of the fact that access is
allowed to the SNMP ports from any address. If access were restricted
to addresses that appear in the text file, this problem would be present
to a lesser degree, allowing an attacker to spoof UDP packets to set
variables, without needing to receive a reply.

The SNMP daemon reveals the version of the operating system and Firewall,
as well as the configuration of the security perimeter such as the presence
or absence of a service network (DMZ). The OS vendor's SNMP daemon will
generally make available information such as a list of all active
connections, a list of all running services and the entire routing table
(which if the firewall runs RIP contains a sizable amount of information).
Information such as the amount of traffic traveling on any given interface
can be useful for competitors gaining information on network traffic.

In addition to the standard MIB, various vendors make their own
information available via enterprise MIBs. As the referance section
to this advisory notes, this may be important for NT users of the
Checkpoint firewall [2].

Checkpoint has their own enterprise mib (enterprises.1919). This
provides other information useful to the potential intruder such as the
number of denied, dropped, allowed and logged packets as well as the
current state of the firewall. Provided as well, is the text of the last
SNMP trap generated.

To an intruder, the information obtained can in many cases point
them directly to a way in which they can gain remote access to the
protected network.

Access to the SNMP daemon is allowed in Rule-set 0 (properties)
no logging of these accesses is made.

Vulnerable Operating Systems and Software

All platforms running versions of Firewall-1 from Checkpoint where
the administrator has not disabled the "Enable Remote Connections"
option from the Properties, or has in some other way enabled access
to the SNMP server on the firewall.

Fix Information

Vendor Patch:

According to Checkpoint Software a patch for this problem is available via:

It should be noted that this URL is password protected and is only accessable
via Checkpoint authorized resellers.

Quick Fix:

Immediately unselect the "Enable Remote Connections" option.
Also, block all SNMP traffic at your border router (udp port 161).

If you absolutely require remote access, a qualified security
administrator can assist you in designing a policy that grants this
access in the regular rule-base. Please note that this suggestion is
not supported by Checkpoint and is provided within this advisory on an
'AS IS' basis. SNI (Secure Networks Inc.) accepts no liabilty for this
suggested fix, and end users should apply it only after consulting their
in-house security administrator.

Additional Information

The information provided in this advisory was provided to SNI
by Steve Birnbaum <>.


[1] Managing Firewall-1 Using the Windows GUI, figure 1-11.

[2] Bugtraq mailing list post concerning MIB enterprises.77

A recent post to a security mailing list by Christopher Rouland
( pointed out that the Microsoft lan-manager
enterprise MIB (enterprises.77) listed vast amounts of information that
should be heavily guarded.

This includes a list of running services and their state, a list of all
users that exist on the machine, any connected shares and the number of
failed password attempts among other things. Further, he found a certain
variable that could be set to 0 in Microsoft's enterprise mib which
resulted in a clearing of the WINS database. Giving such information
as the presence of any shares and the user list on a firewall is a
possibly disastrous breach of security.

Contacting Secure Networks Inc.

You can subscribe to our security advisory mailing list by sending
mail to, containing the single line:

subscribe sni-advisories

You can browse our web site at

You can contact Secure Networks Inc. at <> using
the following PGP key:

Type Bits/KeyID Date User ID
pub 1024/9E55000D 1997/01/13 Secure Networks Inc. <>
Secure Networks <>

Version: 2.6.3ia


Copyright Notice

The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

Version: 2.6.2