Title: Check Point Firewall-1 Policyname Temporary File Creation Vulnerability
Severity: MODERATE
Description:
Check Point Firewall-1 is a commercial firewall implementation designed for small to enterprise-sized networks.
A problem with Firewall-1 makes it possible for a local user to change permissions of critical system files. This could lead to a denial of service, or potentially elevated privileges. The problem is in the creation of predictable temporary files by the Check Point Firewall-1 package.
When a user accesses the GUI administration interface of Firewall-1 and makes alterations to rulesets, a file is created in the /tmp directory using the name of the firewall policy as a file name, and an extension of .cpp. This file is created when firewall ruleset compilation occurs, after the ruleset has been edited and committed.
The file is created with world-writable permissions, and is owned by root. If a local user creates a symbolic link in the /tmp directory using the name of a firewall policy, and points the symbolic link to a file owned by root, the file at the end of the symbolic link will inherit world-writable permissions.
This problem makes it possible for a local user to alter system configuration, and potentially gain local root access.
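The safe counterpart of the file creation described above, as an added example that is not Check Point's code: the scratch file is created exclusively, without following symbolic links, and with owner-only permissions set on the descriptor. The function name create_policy_tmp and its parameters are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Check Point code): create the scratch file
 * <dir>/<policy>.cpp without following a pre-existing symbolic link.
 * Returns an open descriptor, or -1 with errno set. */
int create_policy_tmp(const char *dir, const char *policy)
{
    char path[4096];
    /* A policy name must not be empty or able to escape dir. */
    if (policy[0] == '\0' || strchr(policy, '/') != NULL) {
        errno = EINVAL;
        return -1;
    }
    int n = snprintf(path, sizeof path, "%s/%s.cpp", dir, policy);
    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* O_EXCL: fail with EEXIST if the name already exists, symlinks included.
     * O_NOFOLLOW: never open through a symlink in the last component.
     * 0600: owner-only, so the file is never world-writable. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    /* Fix the mode on the descriptor, not the path, so it lands on the new file. */
    if (fchmod(fd, 0600) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s DIR POLICY\n", argv[0]); return 2; }
    int fd = create_policy_tmp(argv[1], argv[2]);
    if (fd < 0) { perror("create_policy_tmp"); return 1; }
    close(fd);
    return 0;
}
```

When a symbolic link already occupies the policy file name, the call fails with EEXIST and the link's target keeps its original mode.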
Affected Products:
- Check Point Software Firewall-1 3.0.0
- Check Point Software Firewall-1 4.0.0
- Check Point Software Firewall-1 4.1.0
- Check Point Software Firewall-1 4.1.0 SP1