Title: Check Point VPN-1 IP Address Collision Denial of Service Vulnerability
Severity: MODERATE
Description:
Check Point VPN-1 SecureClient/SecuRemote client for Microsoft Windows is a VPN (Virtual Private Network) application used to securely connect remote computers to enterprise networks. When site-to-site tunnels are established, the VPN-1 gateway stores the endpoint IP address of the connecting party in the remote encryption domain.
Check Point VPN-1 is prone to a denial-of-service vulnerability that can allow attackers to obtain sensitive information. The issue occurs because the application fails to adequately handle IP address collisions.
This issue occurs when a user connects to a VPN-1 gateway via a SecuRemote client. If the local IP address of the user matches the IP address of a third party that has an established site-to-site tunnel with the gateway, the third party's connection will be lost.
NOTE: Reports indicate that this issue likely occurs because phase 2 IPSec negotiations between the gateway and the attacker supersede the previously established site-to-site phase 2 negotiation data.
Attackers can exploit this issue to break site-to-site VPN connectivity between a VPN-1 gateway and a third party, denying access to legitimate users. If SecuRemote back-connections are enabled, the attacker can leverage this issue to re-route site-to-site traffic from the VPN-1 gateway to their SecuRemote client. Under certain conditions, this will cause data that was destined for the third party to be sent to the attacker's client instead. This could contain sensitive information that would aid in further attacks.
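The collision described above can be checked for on the defender's side by comparing each connecting remote-access client's address against the IP ranges the gateway holds as site-to-site remote encryption domains. The script below is an added example, not Check Point code and not part of the original advisory; the peer table and the log line format are constructed for illustration and do not reflect the real VPN-1 log format.

```python
# Added example (not from the advisory or Check Point): flag SecuRemote client
# addresses that fall inside a site-to-site peer's remote encryption domain, the
# overlap that lets the client's phase 2 SA displace the peer's tunnel.
import ipaddress
import re

# Constructed peer table (assumption): peer name -> remote encryption domains.
SITE_TO_SITE = {
    "partner-a": ["203.0.113.0/24"],
    "branch-b": ["198.51.100.0/25", "192.0.2.0/24"],
}

# Constructed log lines for this example only; not the real VPN-1 log format.
SAMPLE_LOGS = """\
2008-03-10 09:12:01 remote-access client=10.10.5.7 user=alice ike phase2 established
2008-03-10 09:13:45 remote-access client=203.0.113.44 user=bob ike phase2 established
2008-03-10 09:14:02 remote-access client=198.51.100.200 user=carol ike phase2 established
"""

LOG_RE = re.compile(r"remote-access client=(?P<ip>\d+\.\d+\.\d+\.\d+) user=(?P<user>\S+)")


def build_domains(table):
    # Parse every CIDR once; a malformed entry raises here instead of being skipped.
    return {peer: [ipaddress.ip_network(n) for n in nets] for peer, nets in table.items()}


def colliding_peers(client_ip, domains):
    # Return every peer whose remote encryption domain contains the client address.
    ip = ipaddress.ip_address(client_ip)
    return [peer for peer, nets in domains.items() if any(ip in n for n in nets)]


def scan_logs(log_text, table=SITE_TO_SITE):
    # Walk remote-access phase 2 events and report (user, ip, peers) collisions.
    domains = build_domains(table)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        peers = colliding_peers(m["ip"], domains)
        if peers:
            findings.append((m["user"], m["ip"], peers))
    return findings


if __name__ == "__main__":
    for user, ip, peers in scan_logs(SAMPLE_LOGS):
        print(f"ALERT: client {ip} ({user}) collides with site-to-site domain of {peers}")
```

Note that 198.51.100.200 is outside 198.51.100.0/25 (which ends at .127), so only the 203.0.113.44 client is reported; the check is on the configured encryption domain, not on a shared prefix.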
Affected Products:
- Check Point VPN-1 Power/UTM NGX R60
- Check Point VPN-1 Power/UTM NGX R61
- Check Point VPN-1 Power/UTM NGX R62
- Check Point VPN-1 Power/UTM NGX R65
References:
- Check Point Software: VPN-1 NGX R65 HFA_02 Supplement 3
- Check Point Software: Vendor Homepage
- PureSecurity: Check Point VPN-1 SecuRemote DoS/Spoofing Attack for Site-Site VPN
- US-CERT: Vulnerability Note VU#992585 Check Point VPN-1 information disclosure vulnerabil
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.