J-Security Center

Title: Check Point Firewall-1/VPN-1 Management Station Format String Vulnerability

Severity: HIGH

Description:

The Firewall-1/VPN-1 management station software contains a format string vulnerability. The condition is present only after a client connected from an authorized IP address is authenticated as a valid administrator.

The vulnerability is the result of passing client-supplied data to a printf* function as the format string argument.
Most "printf" implementations support a format specifier that writes the number of characters to be output to a supplied location in memory.

If user data is included in the format string, malicious users can use these format specifiers to write almost arbitrary values to memory locations that they may be able to supply. It may be possible, for example, for attackers to have a printf function replace function return addresses or function pointers with pointers to supplied shellcode.

Administrators with limited privileges (such as read-only) may be able to exploit this vulnerability to gain control over the target management station.
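The bug class described above, as an added example that is not taken from the Check Point code: the vulnerable call pattern next to the hardened one, exercised only with a benign "%%" input so the difference is visible without touching memory. The function names (log_vulnerable, log_hardened, count_directives) and the sample strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: client data IS the format string, so printf parses it.
 * GCC and Clang report this line under -Wformat-security; the warning is
 * silenced here only so the contrast compiles cleanly. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int log_vulnerable(char *out, size_t n, const char *client_data) {
    return snprintf(out, n, client_data);      /* BUG: caller controls the format */
}
#pragma GCC diagnostic pop

/* Hardened: the format is a constant; client data is only ever an argument. */
int log_hardened(char *out, size_t n, const char *client_data) {
    return snprintf(out, n, "%s", client_data);
}

/* Audit helper (hypothetical): count conversion directives in a string.
 * "%%" is a literal percent and is not counted. A nonzero result on a field
 * that should be plain text is worth logging and reviewing. */
int count_directives(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }    /* skip escaped percent */
        count++;
    }
    return count;
}

int main(void) {
    char a[64], b[64];
    const char *benign = "load 100%% ok";      /* constructed sample input */

    log_vulnerable(a, sizeof a, benign);       /* "%%" is interpreted as "%" */
    log_hardened(b, sizeof b, benign);         /* bytes are copied unchanged */
    printf("vulnerable: [%s]\nhardened:   [%s]\n", a, b);
    printf("outputs differ: %s\n", strcmp(a, b) != 0 ? "yes" : "no");

    /* Constructed sample: the string is only scanned, never used as a format. */
    printf("directives found: %d\n", count_directives("user=%x%n"));
    return 0;
}
```

The two outputs differ because only the vulnerable call treats the input as a format; the fix is to keep every format string constant and pass client data as an argument.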

Affected Products:

  • Check Point Software Firewall-1 4.1.0
  • Check Point Software Firewall-1 4.1.0 SP1
  • Check Point Software Firewall-1 4.1.0 SP2
  • Check Point Software Firewall-1 4.1.0 SP3
  • Check Point Software Provider-1 4.1.0
  • Check Point Software Provider-1 4.1.0 SP1
  • Check Point Software Provider-1 4.1.0 SP2
  • Check Point Software Provider-1 4.1.0 SP3
  • Check Point Software VPN-1 4.1.0
  • Check Point Software VPN-1 4.1.0 SP1
  • Check Point Software VPN-1 4.1.0 SP3
  • Nokia IPSO 3.3.0
  • Nokia IPSO 3.3.0 SP1
  • Nokia IPSO 3.3.0 SP2
  • Nokia IPSO 3.3.0 SP3
