ISS X-Force Database: fw1-unauth-rsh-connection(5028): Check Point FireWall-1 unauthorized rsh/rexec connection

Check Point FireWall-1 unauthorized rsh/rexec connection

fw1-unauth-rsh-connection (5028)

High Risk

Description:

Check Point FireWall-1 could allow an attacker to bypass security restrictions and establish connections though the firewall. By sending a specially-crafted RSH/REXEC request from an external RSH/EXEC server to an internal client, an attacker can create an unauthorized opening through the stateful inspection engine.

Platforms Affected:

CheckPoint, FireWall-1 3.0
CheckPoint, FireWall-1 4.0
CheckPoint, FireWall-1 4.1

Remedy:

For VPN-1/FireWall-1 4.0:
Apply the latest Service Pack for your system (SP7 or later), as listed in the Check Point Technical Support Alert. See References.

For VPN-1\FireWall-1 4.1:
Apply the latest Service Pack for your system (SP2 or later), as listed in the Check Point Technical Support Alert. See References.

For VPN-1 Appliances (IPSO) 4.0:
Apply the SP5 Hotfix, as listed in the Check Point Technical Support Alert. See References.

Consequences:

Gain Access

References:

BugTraq Mailing List, Wed Aug 16 2000 - 09:09:55 CDT, A Stateful Inspection of FireWall-1 at http://archives.neohapsis.com/archives/bugtraq/2000-08/0184.html.
Check Point Technical Support Alert, Potential Security Issues Recently Identified in VPN-1/FireWall-1 at http://www.checkpoint.com/techsupport/alerts/list_vun.html#Improper_stderr.
CIAC Information Bulletin K-073, Multiple Vulnerabilities in Check Point Firewall-1 at http://www.ciac.org/ciac/bulletins/k-073.shtml.
Dug Song's Web site, A Stateful Inspection of Firewall 1 - Slides at http://www.monkey.org/~dugsong/talks/blackhat.pdf.
Internet Security Systems Security Alert #62, Multiple vulnerabilities on all platforms and versions of Check Point FireWall-1 at http://www.iss.net/xforce/alerts/id/advise62.
BID-1534: Check Point Firewall-1 Unauthorized RSH/REXEC Connection Vulnerability
CVE-2000-0779: Checkpoint Firewall-1 with the RSH/REXEC setting enabled allows remote attackers to bypass access restrictions and connect to a RSH/REXEC client via malformed connection requests.
OSVDB ID: 1487: Check Point FireWall-1 Unauthorized RSH/REXEC Connection

Reported:

Aug 02, 2000

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page