Firewall1 smtpd open access vulnerability
|Description:||By default, Firewall-1 allows anyone to obtain confidential operation and statistical info from its SNMP daemon.|
|Author:||"Secure Networks Inc." <sni@SECURENETWORKS.COM>|
|Compromise:||The information could help an attacker bypass the firewall as well as giving private network statistical information.|
|Vulnerable Systems:||Those running a Vulnerable version of Checkpoitn Firewall-1 |
|Date:||9 December 1997 |
Date: Tue, 9 Dec 1997 16:57:38 -0700
From: "Secure Networks Inc." <sni@SECURENETWORKS.COM>
Subject: SNI-21: Firewall-1 Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
###### ## ## ######
## ### ## ##
###### ## # ## ##
## ## ### ##
###### . ## ## . ######.
Secure Networks Inc.
December 9, 1997
Checkpoint Firewall-1 Security Advisory
This advisory addresses a security problem present in Checkpoint
Firewall-1 which allows unauthorized users to access the SNMP daemon
running on the firewall. This allows outsiders to obtain internal and
confidential information about the installation and operation of the
firewall and the network which it protects, without being traced.
The default recommended configuration of Firewall-1 allows outside
users to obtain confidential operation and statistical information from
the Simple Network Management Protocol (SNMP) daemon.
Once obtained, this information can be used by potential intruders
to find vulnerabilities in the firewall or connected systems. In
addition, potential intruders can obtain statistics on the firewall's
operation. Finding software on the firewall with known vulnerabilities
can, in some cases, be exploited immediately to cause a Denial Of
Service (DOS) attack.
It is possible for people wishing to see the volume of traffic going
in and out of a target firewall's network to obtain this information
in a form that can be directly imported into any number of network
monitoring tools that can graph it by time of day.
Firewall-1 makes use of the SNMP service on all platforms to obtain
information about the machine on which the firewall is running, and
to show the user real-time statistics about the firewall.
For those unfamiliar with the Firewall-1 user interface, the first
option available in the global properties dialog box is:
"Enable Firewall-1 Control Connections [Essential]" .
The word 'Essential' is contained in the user interface window itself,
causing unfamiliar users to be very reluctant to remove it since
they feel the vendor should know best about this.
The default configuration is to have this selected and marked "First" so
that it is evaluated BEFORE the rule-set defined by the firewall
administrator. Since Firewall-1 operations on a first-match rather
than a best-match principle, nothing in the rule-set overrides this.
The documentation makes it very clear that while this box is selected,
control connections required for use of the remote GUI are only allowed
if the IP address is listed in a specific text file. All other connection
attempts will be rejected. No mention is made of the fact that access is
allowed to the SNMP ports from any address. If access were restricted
to addresses that appear in the text file, this problem would be present
to a lesser degree, allowing an attacker to spoof UDP packets to set
variables, without needing to receive a reply.
The SNMP daemon reveals the version of the operating system and Firewall,
as well as the configuration of the security perimeter such as the presence
or absence of a service network (DMZ). The OS vendor's SNMP daemon will
generally make available information such as a list of all active
connections, a list of all running services and the entire routing table
(which if the firewall runs RIP contains a sizable amount of information).
Information such as the amount of traffic traveling on any given interface
can be useful for competitors gaining information on network traffic.
In addition to the standard MIB, various vendors make their own
information available via enterprise MIBs. As the referance section
to this advisory notes, this may be important for NT users of the
Checkpoint firewall .
Checkpoint has their own enterprise mib (enterprises.1919). This
provides other information useful to the potential intruder such as the
number of denied, dropped, allowed and logged packets as well as the
current state of the firewall. Provided as well, is the text of the last
SNMP trap generated.
To an intruder, the information obtained can in many cases point
them directly to a way in which they can gain remote access to the
Access to the SNMP daemon is allowed in Rule-set 0 (properties)
no logging of these accesses is made.
Vulnerable Operating Systems and Software
All platforms running versions of Firewall-1 from Checkpoint where
the administrator has not disabled the "Enable Remote Connections"
option from the Properties, or has in some other way enabled access
to the SNMP server on the firewall.
According to Checkpoint Software a patch for this problem is available via:
It should be noted that this URL is password protected and is only accessable
via Checkpoint authorized resellers.
Immediately unselect the "Enable Remote Connections" option.
Also, block all SNMP traffic at your border router (udp port 161).
If you absolutely require remote access, a qualified security
administrator can assist you in designing a policy that grants this
access in the regular rule-base. Please note that this suggestion is
not supported by Checkpoint and is provided within this advisory on an
'AS IS' basis. SNI (Secure Networks Inc.) accepts no liabilty for this
suggested fix, and end users should apply it only after consulting their
in-house security administrator.
The information provided in this advisory was provided to SNI
by Steve Birnbaum <email@example.com>.
 Managing Firewall-1 Using the Windows GUI, figure 1-11.
 Bugtraq mailing list post concerning MIB enterprises.77
A recent post to a security mailing list by Christopher Rouland
(CRouland@EXAMNYC.lehman.com) pointed out that the Microsoft lan-manager
enterprise MIB (enterprises.77) listed vast amounts of information that
should be heavily guarded.
This includes a list of running services and their state, a list of all
users that exist on the machine, any connected shares and the number of
failed password attempts among other things. Further, he found a certain
variable that could be set to 0 in Microsoft's enterprise mib which
resulted in a clearing of the WINS database. Giving such information
as the presence of any shares and the user list on a firewall is a
possibly disastrous breach of security.
Contacting Secure Networks Inc.
You can subscribe to our security advisory mailing list by sending
mail to firstname.lastname@example.org, containing the single line:
You can browse our web site at http://www.secnet.com
You can contact Secure Networks Inc. at <email@example.com> using
the following PGP key:
Type Bits/KeyID Date User ID
pub 1024/9E55000D 1997/01/13 Secure Networks Inc. <firstname.lastname@example.org>
Secure Networks <email@example.com>
- - -----BEGIN PGP PUBLIC KEY BLOCK-----
- - -----END PGP PUBLIC KEY BLOCK-----
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: