Check Point VPN-1 IP address denial of service
| vpn1-ipaddress-dos (41260) |  Medium Risk |
Description:
Check Point VPN-1 is vulnerable to a denial of service, caused by the improper handling of IP address collisions. If the SecuRemote back-connections are enabled, a remote access client and the encryption domain of a gateway for a site-to-site VPN tunnel connection share the same IP address. A remote attacker could exploit this vulnerability to cause an interruption of connectivity and re-route sensitive information to the client.
*CVSS:
| Base Score: | 5.8 |
| Access Vector: | Network |
| Access Complexity: | Medium |
| Authentication: | None |
| Confidentiality Impact: | Partial |
| Integrity Impact: | None |
| Availability Impact: | Partial |
| Temporal Score: | 4.3 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Denial of Service
Remedy:
Refer to Check Point Downloads Web site for patch, upgrade or suggested workaround information. See References.
References:
- Check Point Downloads Web site: Products & Technologies.
- PureSecurity Security Advisory, 17 March, 2008: Check Point VPN-1 SecuRemote DoS/Spoofing Attack for Site-Site.
- BID-28299: Check Point VPN-1 IP Address Collision Denial of Service Vulnerability
- CVE-2008-1397: Check Point VPN-1 Power/UTM, with NGX R60 through R65 and NG AI R55 software, allows remote authenticated users to cause a denial of service (site-to-site VPN tunnel outage), and possibly intercept network traffic, by configuring the local RFC1918 IP address to be the same as one of this tunnel's endpoint RFC1918 IP addresses, and then using SecuRemote to connect to a network interface at the other endpoint.
- SA29394: CheckPoint VPN-1 IP Address Collision Security Issue
- SECTRACK ID: 1019666: Check Point VPN-1 SecuRemote Lets Remote Users Deny Service
- US-CERT VU#992585: Check Point VPN-1 information disclosure vulnerability
- VUPEN/ADV-2008-0953: CheckPoint VPN-1 IP Address Collision Security Weakness
Platforms Affected:
- CheckPoint VPN-1 Power NG with Application Intelligence R55
- CheckPoint VPN-1 Power NGX R60
- CheckPoint VPN-1 Power NGX R61
- CheckPoint VPN-1 Power NGX R62
- CheckPoint VPN-1 Power NGX R65
- CheckPoint VPN-1 UTM NG with Application Intelligence R55
- CheckPoint VPN-1 UTM NGX R60
- CheckPoint VPN-1 UTM NGX R61
- CheckPoint VPN-1 UTM NGX R62
- CheckPoint VPN-1 UTM NGX R65
Reported:
Mar 17, 2008
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.