J-Security Center

Title: Check Point Firewall-1 RDP Header Firewall Bypassing Vulnerability

Severity: HIGH

Description:

Check Point Firewall-1 is an enterprise-level, full-featured firewall package distributed by Check Point. It runs on various operating systems, either as a single firewall or as a firewall cluster.

A problem with the filtering of certain packet types makes it possible for remote users to pass traffic across the firewall unchecked. This vulnerability, when exploited, could lead to remote users gaining access to sensitive information systems, and potentially a compromise of protected systems.

The problem lies in the default acceptance of packets that carry an RDP header and match certain criteria. In the default configuration, the firewall permits UDP packets with a false RDP header to pass on port 259. A remote user can therefore craft packets with a false RDP header and send them over UDP to port 259 of the firewall; on arrival, these packets traverse the firewall without restriction and can reach potentially sensitive information systems on the other side.

Because of the way Firewall-1 is configured, this type of traffic cannot easily be blocked through the policy editor; securing the system requires manually removing the rules.

The files $FIREWALL_DIRECTORY/lib/base.def and $FIREWALL_DIRECTORY/lib/crypt.def make up the implied rules. Line 62 of base.def contains the entry that renders all firewalls vulnerable. The macro "accept_fw1_rdp" is defined as follows:

- Protocol UDP
- Destination port 259 (RDP)
- RDP command RDPCRYPTCMD (100), RDPCRYPT_RESTARTCMD (101), RDPUSERCMD (150) or RDPSTATUSCMD (128)

The RDP command types RDPCRYPT = {RDPCRYPTCMD, RDPUSERCMD, RDPSTATUSCMD} and RDPCRYPT_RESTART = {RDPCRYPT_RESTARTCMD} both permit traversal of faked RDP packets (regardless of the value of NO_ENCRYPTION_FEATURES, which is undefined by default).
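To turn the macro's criteria into something a defender can check against captured traffic, the following added example (not code from the advisory or from Check Point) parses an IPv4/UDP datagram and reports whether it would satisfy the accept_fw1_rdp implied rule. The offset of the RDP command byte within the UDP payload is an assumption, since the advisory does not give the header layout, and the sample datagrams are constructed test input.

```python
import struct

# Command codes listed in the advisory's accept_fw1_rdp macro.
RDP_COMMANDS = {100: "RDPCRYPTCMD", 101: "RDPCRYPT_RESTARTCMD",
                128: "RDPSTATUSCMD", 150: "RDPUSERCMD"}
RDP_PORT = 259   # UDP destination port the implied rule accepts
UDP_PROTO = 17

def parse_ipv4_udp(pkt: bytes):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP datagram, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != UDP_PROTO or len(pkt) < ihl + 8:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:ihl + max(ulen, 8)]
    return src, dst, sport, dport, payload

def matches_implied_rdp_rule(pkt: bytes, cmd_offset: int = 0):
    """Return the RDP command name if the datagram satisfies accept_fw1_rdp (UDP,
    destination port 259, command in the RDPCRYPT/RDPCRYPT_RESTART sets), else None.
    cmd_offset (where the command byte sits in the payload) is an assumption."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None:
        return None
    _src, _dst, _sport, dport, payload = parsed
    if dport != RDP_PORT or len(payload) <= cmd_offset:
        return None
    return RDP_COMMANDS.get(payload[cmd_offset])

def sample_datagram(dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/UDP test input with zeroed checksums; not captured traffic."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64,
                     UDP_PROTO, 0, bytes([203, 0, 113, 5]), bytes([192, 0, 2, 10]))
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    return ip + udp + payload

def audit(datagrams):
    """Count accepted-command values seen in UDP/259 traffic (e.g. from a capture)."""
    hits = {}
    for pkt in datagrams:
        name = matches_implied_rdp_rule(pkt)
        if name:
            hits[name] = hits.get(name, 0) + 1
    return hits
```

Run audit() over decapsulated packets captured on the external interface; any hits mean UDP/259 traffic carrying one of the accepted command values reached the firewall, which is worth correlating with what appeared on the inside.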

Affected Products:

  • Check Point Software Firewall-1 [ VPN + DES + STRONG ] 4.1.0 Build 41439
  • Check Point Software Firewall-1 [ VPN + DES + STRONG ] 4.1.0 SP2 Build 41716
  • Check Point Software Firewall-1 [ VPN + DES ] 4.1.0

References:
