###### ## ## ######
## ### ## ##
###### ## # ## ##
## ## ### ##
###### . ## ## . ######.
Secure Networks Inc.
Security Advisory
December 9, 1997
Checkpoint Firewall-1 Security Advisory
This advisory addresses a security problem present in Checkpoint
Firewall-1 which allows unauthorized users to access the SNMP daemon
running on the firewall. This allows outsiders to obtain internal and
confidential information about the installation and operation of the
firewall and the network which it protects, without being traced.
Problem Description:
~~~~~~~~~~~~~~~~~~~~
The default recommended configuration of Firewall-1 allows outside
users to obtain confidential operation and statistical information from
the Simple Network Management Protocol (SNMP) daemon.
Once obtained, this information can be used by potential intruders
to find vulnerabilities in the firewall or connected systems. In
addition, potential intruders can obtain statistics on the firewall's
operation. Finding software on the firewall with known vulnerabilities
can, in some cases, be exploited immediately to cause a Denial Of
Service (DOS) attack.
It is possible for people wishing to see the volume of traffic going
in and out of a target firewall's network to obtain this information
in a form that can be directly imported into any number of network
monitoring tools that can graph it by time of day.
Technical Details:
~~~~~~~~~~~~~~~~~~
Firewall-1 makes use of the SNMP service on all platforms to obtain
information about the machine on which the firewall is running, and
to show the user real-time statistics about the firewall.
For those unfamiliar with the Firewall-1 user interface, the first
option available in the global properties dialog box is:
"Enable Firewall-1 Control Connections [Essential]" [1].
The word 'Essential' is contained in the user interface window itself,
causing unfamiliar users to be very reluctant to remove it since
they feel the vendor should know best about this.
The default configuration is to have this selected and marked "First" so
that it is evaluated BEFORE the rule-set defined by the firewall
administrator. Since Firewall-1 operations on a first-match rather
than a best-match principle, nothing in the rule-set overrides this.
The documentation makes it very clear that while this box is selected,
control connections required for use of the remote GUI are only allowed
if the IP address is listed in a specific text file. All other connection
attempts will be rejected. No mention is made of the fact that access is
allowed to the SNMP ports from any address. If access were restricted
to addresses that appear in the text file, this problem would be present
to a lesser degree, allowing an attacker to spoof UDP packets to set
variables, without needing to receive a reply.
The SNMP daemon reveals the version of the operating system and Firewall,
as well as the configuration of the security perimeter such as the presence
or absence of a service network (DMZ). The OS vendor's SNMP daemon will
generally make available information such as a list of all active
connections, a list of all running services and the entire routing table
(which if the firewall runs RIP contains a sizable amount of information).
Information such as the amount of traffic traveling on any given interface
can be useful for competitors gaining information on network traffic.
In addition to the standard MIB, various vendors make their own
information available via enterprise MIBs. As the referance section
to this advisory notes, this may be important for NT users of the
Checkpoint firewall [2].
Checkpoint has their own enterprise mib (enterprises.1919). This
provides other information useful to the potential intruder such as the
number of denied, dropped, allowed and logged packets as well as the
current state of the firewall. Provided as well, is the text of the last
SNMP trap generated.
To an intruder, the information obtained can in many cases point
them directly to a way in which they can gain remote access to the
protected network.
Access to the SNMP daemon is allowed in Rule-set 0 (properties)
no logging of these accesses is made.
Vulnerable Operating Systems and Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
All platforms running versions of Firewall-1 from Checkpoint where
the administrator has not disabled the "Enable Remote Connections"
option from the Properties, or has in some other way enabled access
to the SNMP server on the firewall.
Fix Information
~~~~~~~~~~~~~~~
Vendor Patch:
According to Checkpoint Software a patch for this problem is available via:
http://www.checkpoint.com/support
It should be noted that this URL is password protected and is only accessable
via Checkpoint authorized resellers.
Quick Fix:
Immediately unselect the "Enable Remote Connections" option.
Also, block all SNMP traffic at your border router (udp port 161).
If you absolutely require remote access, a qualified security
administrator can assist you in designing a policy that grants this
access in the regular rule-base. Please note that this suggestion is
not supported by Checkpoint and is provided within this advisory on an
'AS IS' basis. SNI (Secure Networks Inc.) accepts no liabilty for this
suggested fix, and end users should apply it only after consulting their
in-house security administrator.
Additional Information
~~~~~~~~~~~~~~~~~~~~~~
The information provided in this advisory was provided to SNI
by Steve Birnbaum <sbirn@security.org.il>.
References
~~~~~~~~~~
[1] Managing Firewall-1 Using the Windows GUI, figure 1-11.
[2] Bugtraq mailing list post concerning MIB enterprises.77
A recent post to a security mailing list by Christopher Rouland
(CRouland@EXAMNYC.lehman.com) pointed out that the Microsoft lan-manager
enterprise MIB (enterprises.77) listed vast amounts of information that
should be heavily guarded.
This includes a list of running services and their state, a list of all
users that exist on the machine, any connected shares and the number of
failed password attempts among other things. Further, he found a certain
variable that could be set to 0 in Microsoft's enterprise mib which
resulted in a clearing of the WINS database. Giving such information
as the presence of any shares and the user list on a firewall is a
possibly disastrous breach of security.
Contacting Secure Networks Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can subscribe to our security advisory mailing list by sending
mail to majordomo@secnet.com, containing the single line:
subscribe sni-advisories
You can browse our web site at http://www.secnet.com
You can contact Secure Networks Inc. at <sni@secnet.com> using
the following PGP key:
Type Bits/KeyID Date User ID
pub 1024/9E55000D 1997/01/13 Secure Networks Inc. <sni@secnet.com>
Secure Networks <security@secnet.com>
- - -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia
mQCNAzLaFzIAAAEEAKsVzPR7Y6oFN5VPE/Rp6Sm82oE0y6Mkuof8QzERV6taihn5
uySb31UeNJ4l6Ud9alOPT/0YdeOO9on6eD1iU8qumFxzO3TLm8nTAdZehQSAQfoa
rWmpwj7KpXN/3n+VyBWvhpBdKxe08SQN4ZjvV5HXy4YIrE5bTbgIhFKeVQANAAUR
tCVTZWN1cmUgTmV0d29ya3MgSW5jLiA8c25pQHNlY25ldC5jb20+iQCVAwUQM1yd
EB/bLKAOe7p9AQFptAQAiYpaZCpSmGgr05E698Z3t5r5BPAKUEtgvF53AvZUQLxz
ZsYsVU5l5De0qKWJOQ/9LiDyWu1lvKhlTphbLy2RatWD4kO3oQL9v3TpSXm2WQhU
uIzyZvj7S5ENodNnKn+gCDIvbou6OMot+7dRbWWgN2oabbru4CSlOxbG++yaTz+J
AJUDBRAzTefbtOXez5VgyLkBAd0bA/43eGEgvPOFK+HHWCPpkSWCwtrtDU/dxOVz
9erHnT/CRxeojCI+50f71Qe+kvx9Q1odz2Jl/fLxhnPQdbPnpWblIbu4F8H+Syrj
HTilDrl1DWa/nUNgK8sb27SMviELczP1a8gwA1eo5SUCG5TWLLTAzjWOgTxod2Ha
OwseUHmqVIkAlQMFEDNOVsr/d6Iw8NVIbQEBxM0D/14XRfgSLwszgJcVbslMHm/B
fF6tHoWYojzQle3opOuMYHNN8GsMZRkc1qQ8QuNA9Aj5+qDqEontGjV5IvhBu1fY
FM77AhagskaFCZxwqV64Qrk328WDO89NGSd+RuovVNruDdn20TxNCEVuPTHjI0UA
8H+E6FW9jexg6RTHhPXYtCVTZWN1cmUgTmV0d29ya3MgPHNlY3VyaXR5QHNlY25l
dC5jb20+iQCVAwUQMtqTKB/bLKAOe7p9AQFw5wQAgUwqJ+ZqfEy/lO1srU3nzxLA
X0uHGHrMptRy/LFo8swD6G1TtWExUc3Yv/6g2/YK09b5WmplEJ+Q09maQIw+RU/s
cIY+EsPauqIq4JTGh/Nm0Z4UDl2Y1x4GNtm0YqezxUPS0P0A3LHVLJ3Uo5og0G8O
gPNrfbVz5ieT14OSCWCJAJUDBRAy2hd2/3eiMPDVSG0BAVNhBACfupfAcNhhnQaq
aI03DOOiZSRjvql1xw4V+pPhM+IksdSK3YNUZVJJtANacgDhBT+jAPRaYbBWI3A5
ZMdcSNM8aTG0LWMLIOiOYEm6Lgd3idRBFN0Js08eyITl8mhZ33mDe4I0KQri9UiV
ZcPYTbb9CWM6Hv2cMbt6S6kLnFziqIkAlQMFEDLaF0+4CIRSnlUADQEBCLoEAJwt
UofDgvyZ4nCDx1KKAPkkXBRaPMWBp46xeTVcxaYiloZfwHfpk1h2mEJAxmAsvizl
OtIppHl4isUxcGi/E2mLCLMvis22/IQP/9obPahPvgNaMLVtZljO1Nv3QFEkNciL
FEUTNJHR1ko7ibCxkBs4cOpirFuvTMDvWnNaXAf8
=DchE
- - -----END PGP PUBLIC KEY BLOCK-----
Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNI3ehbgIhFKeVQANAQFynQP/fWyuQA0Q5mS6uVw4aFaz+uKxIX7oZ+jY
ei0+UsnvNllOEIiG/azCRfH277iqOae6vyH/oCiu2dWMtx7t1PYPVlcYo1KZyg6N
764Y1VakjGTz+/Gvw7edwFit5PWcphzFuWUO0uhobZUZeXm8qh89BFAO4JlJTdsg
stxVEGHmj88=
=kr0g
-----END PGP SIGNATURE-----