Telecom and Logistics Associates
TLAnews: Security NEWs Service
Initial vulnerability advice
FSC Internet Corp. / SecureXpert Labs
SecureXpert Labs Advisory [SX-20000620-3] - Partial Denial of Service in Check Point Firewall-1 on Windows NT
Summary
The SMTP Security Server component of Check Point Firewall-1 4.0 and 4.1 is
vulnerable to a simple network-based attack which raises the firewall load to
100%.
Details
Check Point Firewall-1 includes a component called the SMTP Security Server.
This is an SMTP proxy, the use of which is required by several of Firewall-1's
advanced SMTP email processing capabilities, including CVP-based virus
scanning and URI filtering.
The Check Point Firewall-1 SMTP Security Server in Firewall-1 4.0 and 4.1
on Windows NT is vulnerable to a simple network-based attack which can increase
the firewall's CPU utilization to 100%.
Sending a stream of binary zeros over the network to the SMTP port on the
firewall raises the target system's load to 100% while the load on the
attacker's machine remains relatively low. This can easily be reproduced from
a Linux system using netcat with an input of /dev/zero, with a command such as
"nc firewall 25 < /dev/zero".
This vulnerability could allow a very quick and easy distributed attack
on Check Point Firewall-1.
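The advisory does not say what the Security Server does with the zero stream internally. As an added example (not from the advisory or from Check Point), the sketch below shows a check an SMTP listener or front-end proxy can apply to the command phase so that such input is dropped after one read: reject any NUL byte and any line that exceeds the 512-octet command limit of RFC 5321. The class name, the reason strings and the sample bytes are constructed for illustration, and the check applies only to commands, not to message content after DATA.

```python
MAX_LINE = 512  # RFC 5321: longest command line, CRLF included


class SmtpCommandGuard:
    """Incremental check on the command phase of one SMTP connection.

    Hypothetical helper: the caller passes each chunk read from the socket
    to feed() and closes the socket when feed() returns None.
    """

    def __init__(self, max_line=MAX_LINE):
        self.max_line = max_line
        self.buf = b""
        self.closed_reason = None

    def _close(self, reason):
        self.closed_reason = reason
        self.buf = b""          # keep nothing from a rejected peer
        return None

    def feed(self, chunk):
        """Return the complete command lines received, or None to drop."""
        if self.closed_reason:
            return None
        if b"\x00" in chunk:
            # SMTP commands are text; a NUL can never be part of one.
            return self._close("NUL byte in command stream")
        self.buf += chunk
        lines = []
        while (end := self.buf.find(b"\r\n")) != -1:
            if end + 2 > self.max_line:
                return self._close("command line too long")
            lines.append(self.buf[:end].decode("ascii", "replace"))
            self.buf = self.buf[end + 2:]
        if len(self.buf) >= self.max_line:
            # No CRLF within the limit: stop buffering, do not wait for one.
            return self._close("command line too long")
        return lines


def demo():
    """Run the guard over constructed input and return the outcomes."""
    ok = SmtpCommandGuard()
    parsed = ok.feed(b"EHLO client.exa") + ok.feed(b"mple\r\nNOOP\r\n")
    flood = SmtpCommandGuard()
    flood.feed(b"\x00" * 4096)   # constructed: one read of an all-zero stream
    return parsed, flood.closed_reason


if __name__ == "__main__":
    print(demo())
```

Because the guard decides on each chunk as it arrives, the cost of rejecting the stream is bounded by one read, whatever the sender does afterwards.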
Status
Check Point Software Technologies has been informed of this vulnerability, and
has assigned it incident ID# TT44913. As of June 20, 2000 Check Point
has stated that a fix for this vulnerability will NOT be included in Service
Pack 2 (SP-2) for Check Point Firewall-1 4.1, but it will "probably be
included in SP-3".
Credits
Mike Murray, SecureXpert Labs
Max Degtyar, SecureXpert Labs
Richard Reiner, SecureXpert Labs
About SecureXpert DIRECT
SecureXpert DIRECT is an advance security advisory service provided by
SecureXpert Labs. Subscriptions are free of charge and may be obtained
online at http://www.securexpert.com/services.html.
Update details for Solaris 2.6
1) With fw1 4.0 SP5 on Solaris 2.6, this also brings the CPU to its knees.
However, the machine still accepts load in spite of this, probably
because the run queue is not saturated.
sar -u 5 100:
09:58:41    %usr    %sys    %wio   %idle
09:58:46      58      42       0       0
09:58:51      61      39       0       0
09:58:56      57      40       1       2
09:59:01      60      40       0       0
09:59:06      63      37       0       0
09:59:11      62      38       0       0
09:59:16      58      41       0       0
09:59:21      58      42       0       0
09:59:26      54      46       0       0
09:59:31      54      43       1       2
09:59:36      59      41       0       0
09:59:41      58      41       1       0
09:59:46      54      46       0       0
09:59:51      60      40       0       0
09:59:56      49      39       1      11
10:00:01      54      37       4       5
10:00:06      58      38       1       4
10:00:11      58      37       0       5
10:00:16      57      43       0       0
.......
10:01:36      61      39       0       0
10:01:41      61      39       0       0
10:01:46      63      37       0       0
10:01:51      58      41       0       1
10:01:56      56      44       0       0
10:02:01      60      40       0       0
10:02:06      47      35       0      18
10:02:11       0       2       0      98
10:02:16       2       3       0      95
10:02:21       1       4       0      95
10:02:26       0       3       0      96