
Checkpoint Firewall 1 Exploits Discovered


Heise has an interesting piece on Check Point's Firewall-1. Spanish firm Pentest reports several buffer overflows in command-line utilities on the Secure Platform R60 build, the release that carries Common Criteria EAL4+ certification. They didn't need fuzzers to find them; oversized, hand-crafted command-line arguments were enough. So far the overflows have only been exploited locally.

From Heise:

Spanish security specialists Pentest have published a vulnerability analysis of Checkpoint’s Firewall-1 flagship product, in which they express doubts about the certification of the vendor’s Secure Platform R60 according to Common Criteria EAL4+. Their analysis has revealed several buffer overflows in command line utilities, which, in their opinion, should not have passed a reliable development cycle. While the experts were only able to exploit the vulnerabilities locally, they do not exclude the possibility of remote exploitation for the purpose of compromising systems.

According to Pentest, they have not even used fuzzing tools for their tests, but have simply used manipulated arguments to cause a buffer overflow in the programs; this does not comply with the vendor’s description of the relevant target of evaluation (TOE), i.e. the platform to be evaluated.

So my question is a simple one. How did this go undiscovered until now?
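To make the bug class concrete, here is an added illustration (not code from the Pentest paper, from Check Point, or from this post) of what "manipulated arguments cause a buffer overflow" looks like in a command-line utility: a fixed-size stack buffer filled from argv with strcpy(), beside a hardened version that bounds the copy. The program, the buffer size and the limit are invented for the example and say nothing about Check Point's real utilities.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative limit; nothing about any real product is implied. */
#define NAME_MAX_LEN 32

/* Vulnerable pattern: strcpy() from an attacker-chosen argument into a
 * fixed-size stack buffer. An argument of NAME_MAX_LEN bytes or more
 * overwrites whatever sits above `name` on the stack (saved registers,
 * the return address). Kept only to show the bug; it is called with a
 * short argument below and must never be fed a long one. */
int load_name_unsafe(const char *arg)
{
    char name[NAME_MAX_LEN];

    strcpy(name, arg);            /* no bounds check at all */
    return (int)strlen(name);
}

/* Hardened form: measure without scanning past the buffer capacity, reject
 * anything that would not fit together with its terminator, then copy with
 * an explicit length. Returns the copied length, or -1 when rejected. */
int load_name_safe(const char *arg, char *out, size_t out_len)
{
    size_t n = 0;

    if (out_len == 0) {
        return -1;
    }
    while (n < out_len && arg[n] != '\0') {
        n++;
    }
    if (n >= out_len) {
        return -1;                /* no room for the terminating NUL */
    }
    memcpy(out, arg, n);
    out[n] = '\0';
    return (int)n;
}

/* Builds the kind of "manipulated argument" the Heise piece describes:
 * a run of a single byte of the requested length. Caller frees. */
char *make_long_arg(size_t len, char fill)
{
    char *a = malloc(len + 1);

    if (a == NULL) {
        return NULL;
    }
    memset(a, fill, len);
    a[len] = '\0';
    return a;
}

/* Feeds a constructed argument of `arg_len` bytes to the hardened parser
 * and reports its verdict: the accepted length, or -1 if rejected.
 * Returns -2 on allocation failure. */
int check_limit(size_t arg_len)
{
    char buf[NAME_MAX_LEN];
    char *arg = make_long_arg(arg_len, 'A');
    int rc;

    if (arg == NULL) {
        return -2;
    }
    rc = load_name_safe(arg, buf, sizeof buf);
    free(arg);
    return rc;
}

int main(int argc, char **argv)
{
    char name[NAME_MAX_LEN];
    const char *arg = argc > 1 ? argv[1] : "admin";

    if (load_name_safe(arg, name, sizeof name) < 0) {
        fprintf(stderr, "rejected: argument is %zu bytes, limit is %d\n",
                strlen(arg), NAME_MAX_LEN - 1);
        return 1;
    }
    printf("accepted: %s\n", name);
    return 0;
}
```

Run it with a short argument and then with one of a few thousand bytes: the hardened path rejects the long one cleanly, whereas the strcpy() version, given the same input, would corrupt its own stack, which is exactly the class of defect a review of the argument-handling code should catch before a product reaches certification testing.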

    Alex said,

    October 3, 2007 @ 2:09 pm

    “How did this go undiscovered until now?”

    Great question!

    Gilbert Verdian said,

    October 3, 2007 @ 7:43 pm

    Dave,
    Here is the paper which explains all
    http://packetstormsecurity.org/papers/attack/checkpoint_hack.pdf

    Found it very thorough, detailed and a great read.

    Christofer Hoff said,

    October 3, 2007 @ 8:15 pm

    I’m going to assume that your question was really rhetorical. However, in the spirit of stating the obvious, I will ask you a question.

    Have you ever submitted a product for CC/EAL “certification?” You know you pay third party contractors to provide this service, right?

    The testing performed by these vendors gets rid of the low hanging fruit; they exercise their judgment on how they evaluate the statements of fact made regarding how and what the vendor does to prove the system is “secure.” They don’t (and can’t) test all of it.

    Think of it as an audit checklist.

    Those couple of statements ought to have answered your questions….

    While I’m not defending Check Point or their apparent handling of the situation (which is only one man’s opinion, mind you) these locally-exploitable vulnerabilities reach back to R60. They are shipping R65.

    It will be interesting to know whether the same sorts of attacks are relevant in R65 since R60 is about 2 years old. LOTS of changes since 2005…

    Ah well. Another vendor, another vuln. Not really surprising, is it?

    Happens to Cisco all the time, CHKP’s no different.

    /Hoff

    Dave Lewis said,

    October 3, 2007 @ 8:50 pm

    @ Chris

    Yes, that was a rhetorical question. The certification aspect of the story is not the part I have an issue with (for the most part). Where I get confused is how did this exploit not come to light previously? Checkpoint has the largest install base in the market today. R60 has been out for some time now (as you rightly point out) and I would hazard that at least one pen tester has taken a run at it during that time. This isn’t me beating on Checkpoint. I actually like their firewalls as well as several other vendors. If this exploit was as generic as I am to understand, then it begs the question why we’re only hearing about this now.

    And yes, no vendor is immune. If they were, wait 5 minutes.

    :D

    Thanks for your comment.
    cheers.

    Dave Lewis said,

    October 3, 2007 @ 8:50 pm

    @Gilbert

    Thanks for the link.
