Check Point Firewall-1 Internal Interface Enumeration
The IP addresses of Check Point Firewall-1 internal interfaces may be
enumerated using SecuRemote
Vulnerability Type / Importance: Information Leak / High
Problem discovered: July 25th 2003
Vendor contacted: July 25th 2003
Advisory published: August 22nd 2003
Abstract :
Check Point FireWall-1 versions 4.0 and 4.1 (prior to SP5) were shipped with a
product called SecuRemote which allows mobile users to connect to an internal
network using an encrypted and authenticated session. During the initial
unencrypted phase of communication between SecuRemote and Firewall-1 a packet is
sent containing all the IP addresses of the firewall, including those
associated with the internal interfaces.
Description :
During various recent penetration tests IRM has established that internal IP
addresses configured on Check Point Firewall-1 devices appear to leak from TCP
ports 256 and 264.
N.B. This is a completely separate issue from the "unauthenticated topology
download" problem that has been previously discussed.
If a telnet connection is established with TCP port 256 on Firewall-1 Version
4.0 and 4.1 and the following sequence of characters is typed:
aa <CR>
aa <CR>
(where <CR> is a carriage return), the firewall IP addresses are returned (in
binary form).
In addition, when using SecuRemote to connect to a firewall on TCP port 264, if
a packet sniffer is used to capture the data transferred, the IP addresses can
also be viewed as shown below:
15:45:44.029883 192.168.1.1.264 > 10.0.0.1.1038: P 5:21 (16) ack 17 win 8744 (DF)
0x0000 4500 0038 a250 4000 6e06 5b5a ca4d b102 E..8.P@.n.[Z.M..
0x0010 5102 42c3 0108 040e 1769 fb25 cdc0 8a36 Q.B......i.%...6
0x0020 5018 2228 fa32 0000 0000 000c c0a8 0101 P."(.2..........
0x0030 c0a8 0a01 c0a8 0e01                     ........
c0a8 0101 = 192.168.1.1
c0a8 0a01 = 192.168.10.1
c0a8 0e01 = 192.168.14.1
Check Point was contacted and confirmed that it was a known issue that was fixed
in version 4.1 service pack 5, however the details about this information
leakage are not present in the service pack documentation. As IRM identified
this issue during a live penetration test, it was decided that the information
should be publicised so that firewall administrators could be made aware of it,
and the resolution to the problem. A tool (fwenum) was then produced to
demonstrate the technique.
Tested Versions:
Firewall-1/VPN-1 4.0 - vulnerable
Firewall-1/VPN-1 4.1 - vulnerable pre sp5
Firewall-1/VPN-1 NG - not vulnerable
Tested Operating Systems:
Microsoft Windows NT4
Microsoft Windows 2000
Vendor & Patch Information:
Check Point was contacted on July 25th and promptly responded explaining that
the issue had been resolved in version 4.1 service pack 5, which was released on
September 13th 2001. Check Point recommends that customers stay current with the
latest service packs and versions, as they contain fixes for both publicised
and unpublicised issues.
Workarounds :
TCP ports 256 and 264 can be filtered (or restricted to the source addresses of
known SecuRemote clients) if the SecuRemote service is not required from
untrusted networks. Where SecuRemote must remain exposed, the fix is to upgrade
to version 4.1 service pack 5 or later.
Credits :
Research & Advisory: A Davis
Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope
that it will be useful. Information Risk Management Plc is not responsible for
any risks or occurrences caused by the application of this information.