A recently discovered flaw in the popular Check Point Firewall-1 poses a significant danger to systems relying on this software for protection. The problem is with a proprietary management packet format called RDP, which is automatically passed by the firewall. Let’s take a look at the danger this poses and how to fix it.
Since the flaw is located in a feature that is enabled by default, this applies to any installation of Check Point FireWall-1 and VPN-1, versions 4.0 or 4.1, on AIX, HPUX, Linux, Solaris, Windows NT, or Windows 2000.
A basic hack would allow attackers to view files throughout a network protected by Check Point software or even to launch some denial of service attacks. Inadequate security applied to RDP allows faked headers to be used to pass any content to UDP port 259. This is a proprietary protocol used by Check Point (not IP protocol 27) and is enabled by default so that packets can traverse firewall gateways to speed encryption handshaking. CERT Advisory CA-2001-17 covers this vulnerability but offers little or no details other than describing this as a potentially serious flaw.
There are three main options for fixing this problem:
- The long-term fix is to download and install the patch from Check Point. In Service Pack 4 to version 4.1, RDP is blocked by default. This hotfix can be applied to management stations but not to firewall modules.
- Another option is to immediately block access to UDP port 259 UDP through your Internet router.
- Check Point posted a workaround, RDP Bypass workaround for VPN-1/ FireWall 4.1 SPx, on July 12, 2001:
"It is possible to provide protection from the RDP Bypass issue on FireWall-1 v4.1 without applying the SP4 hotfix via the following temporary workaround. There are restrictions to the use of this workaround, and application of the hotfix is strongly recommended.
To apply the workaround, modify the rule base in the following manner:
1. Disable FireWall-1 control connections in the Policy Properties settings.
2. Define a group containing your management station and all firewall modules (in this example, FW_Group).
3. In the rule base, write explicit rules allowing FireWall-1 communication between your management station and modules:
SRC: FW_Group DST: FW_Group SVC: FireWall1 Action: Accept
4. If you are using IKE with MEP, define an additional group containing only your firewall modules (in this example, FW_mod_group). Add an additional rule:
SRC: Any DST: FW_mod_group SVC: RDP, ISAKMP, VPN1_IPSEC_encapsulation Action: Accept
If you are not encapsulating IPSec in UDP, VPN1_IPSEC_encapsulation is not needed. If you are not using MEP with IKE, RDP is not needed.
5. Install the modified policy.
This will block all RDP traffic except for that which is specifically destined for your firewall modules and can securely process the traffic. It will completely disable the use of FWZ encryption. In addition, certain other communications, such as RADIUS and LDAP authentication and OPSEC communications, are disabled by this workaround. It is therefore strongly recommended that this workaround be used only as a temporary measure, and that the correct hotfix be applied to the management station.”
Check Point, an Israeli-based company with offices in Redwood City, CA, produces a wide range of enterprise-level security products, including a popular firewall that pioneered the use of a hybrid packet filter and application-level gateway. The software was also one of the first to make use of icons to help display and manage configuration rules, making it one of the easiest firewalls to maintain.
Did you know your Check Point firewall was in danger?
We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.