With FireWall-1 Version 4.0 Checkpoint introduced support for the Lightweight Directory Access Protocol (LDAP) for user authentication. It looks like there's a bug in Checkpoint's LDAP code, which under certain circumstances can lead to unauthorized access to protected systems behind the firewall.
Credit:
This vulnerability has been discovered by: Olaf Selke.
A user can authenticate at the firewall by providing a valid username and password. The firewall acts as an LDAP client and validates the credentials against a directory server using the LDAP protocol. After successful authentication, access is granted to systems protected by the firewall.
In contrast to authentication using the RADIUS or SecurID protocol, after successful authentication the directory server can supply the firewall with additional LDAP attributes for the user, such as the time and the day of the week the user is allowed to log in, the source addresses the user may connect from, or the systems behind the firewall the user is allowed to access. This can be configured individually for each user.
Apparently, Checkpoint made a mistake interpreting the LDAP attribute 'fw1allowed-dst', which is supposed to control in detail which protected network objects a user can access.
It seems that the firewall software ignores this attribute and grants access to all protected network objects.
Example:

                      ------ Server 'Foo'
                      |
Internet --- FW-1 ----|
                      |
                      ------ Server 'Bar'

Suppose there's a user 'Sid' with access only to Server 'Foo', and a second user 'Nancy' with access restricted to Server 'Bar', both controlled via LDAP using the attribute 'fw1allowed-dst'. The bug causes both Sid and Nancy to have access to both Foo and Bar.
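The scenario above as an added example (not Checkpoint code): a small audit script that evaluates 'fw1allowed-dst' the way the advisory says it should be evaluated, next to the ignore-the-attribute behaviour the advisory describes, and scans accept records for sessions that contradict the attribute. The directory entries and the log line format are constructed for illustration; only the attribute name and the Sid/Nancy/Foo/Bar scenario come from the advisory.

```python
"""Audit helper: flag firewall accepts that contradict fw1allowed-dst.

Constructed example. The LDAP entries and the accept-log format are
made up; only the attribute name 'fw1allowed-dst' and the scenario
(Sid -> Foo, Nancy -> Bar) come from the advisory.
"""
from typing import Dict, List, Tuple

# Constructed directory export: user -> attribute -> list of values.
LDAP_ENTRIES: Dict[str, Dict[str, List[str]]] = {
    "sid":   {"fw1allowed-dst": ["Foo"]},
    "nancy": {"fw1allowed-dst": ["Bar"]},
}

# Constructed accept records in a hypothetical key=value log format.
ACCEPT_LOG = [
    "accept user=sid dst=Foo",
    "accept user=sid dst=Bar",     # Sid must not reach Bar
    "accept user=nancy dst=Bar",
    "accept user=nancy dst=Foo",   # Nancy must not reach Foo
]


def destination_allowed(entry: Dict[str, List[str]], dst: str) -> bool:
    """Intended semantics: allow only destinations listed in fw1allowed-dst.
    An entry without the attribute is denied (fail closed)."""
    return dst in entry.get("fw1allowed-dst", [])


def destination_allowed_buggy(entry: Dict[str, List[str]], dst: str) -> bool:
    """Behaviour the advisory describes: the attribute is ignored entirely."""
    return True


def parse_accept(line: str) -> Tuple[str, str]:
    """Split 'accept user=X dst=Y' into (user, dst)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["user"], fields["dst"]


def find_violations(log: List[str], entries) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (user, dst, allowed_dsts) for accepts outside the user's fw1allowed-dst."""
    found = []
    for line in log:
        user, dst = parse_accept(line)
        entry = entries.get(user, {})
        if not destination_allowed(entry, dst):
            found.append((user, dst, tuple(entry.get("fw1allowed-dst", []))))
    return found
```

Running find_violations over an export of the real directory and the firewall's accept log is one way to confirm whether the attribute is being honoured in a given installation.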