Check Point VPN-1 IP address denial of service

vpn1-ipaddress-dos (41260)

Low Risk

Description:

Check Point VPN-1 is vulnerable to a denial of service, caused by the improper handling of IP address collisions. If the SecuRemote back-connections are enabled, a remote access client and the encryption domain of a gateway for a site-to-site VPN tunnel connection share the same IP address. A remote attacker could exploit this vulnerability to cause an interruption of connectivity and re-route sensitive information to the client.

Platforms Affected:

• CheckPoint, VPN-1 Power NG with Application Intelligence R55
• CheckPoint, VPN-1 Power NGX R60
• CheckPoint, VPN-1 Power NGX R61
• CheckPoint, VPN-1 Power NGX R62
• CheckPoint, VPN-1 Power NGX R65
• CheckPoint, VPN-1 UTM NG with Application Intelligence R55
• CheckPoint, VPN-1 UTM NGX R60
• CheckPoint, VPN-1 UTM NGX R61
• CheckPoint, VPN-1 UTM NGX R62
• CheckPoint, VPN-1 UTM NGX R65

Remedy:

Refer to Check Point Downloads Web site for patch, upgrade or suggested workaround information. See References.

Consequences:

Denial of Service

References:

• Check Point Downloads Web site, Products & Technologies at https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk34579.
• PureSecurity Security Advisory, 17 March, 2008, Check Point VPN-1 SecuRemote DoS/Spoofing Attack for Site-Site at http://www.puresecurity.com.au/files/PureSecurity%20VPN-1%20DoS_Spoofing%20Attack%20against%20VPN%20tunnels.pdf.
• BID-28299: Check Point VPN-1 IP Address Collision Denial of Service Vulnerability
• CVE-2008-1397: Check Point VPN-1 Power/UTM, with NGX R60 through R65 and NG AI R55 software, allows remote authenticated users to cause a denial of service (site-to-site VPN tunnel outage), and possibly intercept network traffic, by configuring the local RFC1918 IP address to be the same as one of this tunnel's endpoint RFC1918 IP addresses, and then using SecuRemote to connect to a network interface at the other endpoint.
• FrSIRT/ADV-2008-0953: CheckPoint VPN-1 IP Address Collision Security Weakness
• SA29394: CheckPoint VPN-1 IP Address Collision Security Issue
• SECTRACK ID: 1019666: Check Point VPN-1 SecuRemote Lets Remote Users Deny Service
• US-CERT VU#992585: Check Point VPN-1 information disclosure vulnerability

Reported:

Mar 17, 2008

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page