Re: Two checkpoint fw-1/vpn-1 vulns
On Thu, 5 Feb 2004, [iso-8859-1] Bj?rnar Bj?rgum Larsen wrote:
> see
> http://xforce.iss.net/xforce/alerts/id/163
> http://xforce.iss.net/xforce/alerts/id/162
>
Regarding the BUG 163:
"Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow"
There is a sentence:
"There is no effective workaround for this vulnerability. Upgrading to the
NG versions of VPN-1 Server and SecureRemote/Client will remove this
vulnerability"
In fact it's not true. Under certain circumstances there are workarounds!
1. If you don't use VPN at all you may disable the checkbox "Accept VPN-1
& Firewall-1 Control Connections" under the Policy->Properties menu.
You must however remember to re-enable all other protocols explicite, ie.
FW1_mgmt from your management workstations, Radius, Tacacs, Ldap and so
on if you use them.
To see the full list of implied rules go to View->Implied Rules (while the
"Accept VPN-1 & Firewall-1 Control Connection" is _CHECKED_!!!).
All implied rules are displayed yellow at the top.
You have to re-enable only the protocols you really use. The one we don't
like is IKE (formerly ISAKMP), UDP port 500.
2. If you use FWZ VPN you may follow the above instructions. However you
must remember to allow connecting to FW1_topo and FW1_key and the RDP
protocol. However enabling RDP is very tricky!
Simply adding the rule 'any any RDP allow' doesnt work!
You have to create your own service. Go to Services, New and Other...
Let the name be FW1_RDP, Match 0 and Prologue 'accept_fw1_rdp;' (without
the quotes of course).
Then you may re-enable the RDP traffic using th FW1_RDP service rather than
RDP. (vide implied rules)
3. If you use IKE VPN you may filter the IKE port and allow connecting to
it only from certain addresses. However you must remember that ISAKMP uses
UDP for transfer and spoofing UDP is rather easy.
Workaround for an IKE VPDN, ie SecureRemote is not possible at all.
All above applies to VPN-1 v 4.1.
Rgrds,
--
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners