A dangerous security vulnerability has been discovered in CheckPoint's Firewall-1 firewall. The vulnerability allows a remote attacker to launch a Denial of Service attack against Firewall-1 based firewalls: the attack drives the CPU to 100% utilization, causing the system to lock up (some systems may also crash).
Credit:
The information has been provided by: Lance Spitzner.
Vulnerable systems:
All CheckPoint Firewall-1 firewalls
All CheckPoint Firewall-1 based firewalls (outsourced code)
Notes:
1. It is believed that every installation of FW-1 is vulnerable, regardless of Operating System type or version/patch level of the FW-1 installation. However, this has only been tested and confirmed with version 4.1 SP1 on the Nokia, and version 4.1 on NT and Solaris x86 platform.
2. There is NO way to protect against it. Your rulebase cannot stop this attack. If your rulebase is denying everything, you are still vulnerable.
3. FW-1 does NOT log these attacks in the firewall logs. Not only will the firewall be taken out, but it is also difficult to determine why. Illegally fragmented packets (such as those generated by jolt2) may be logged by Unix systems to /var/adm/messages.
Exploit:
Any fragmented packet attack can be used; see our article about Jolt2 for more information regarding this sort of attack.
Temporary Solution:
1. CheckPoint has developed a workaround to the problem. A percentage of the CPU utilization is due to console error messages on some Unix systems, so disabling FW-1 kernel logging saves some CPU. However, because all FW-1 kernel logging is then disabled, you will have no capability for logging any firewall kernel events. At the command line on the firewall, type as root:
$ fw ctl debug -buf
2. Ensure the operating system has the latest patches. There are recent patches for most operating systems that help protect against fragment attacks.
3. Run an IDS module (such as snort). When you detect fragmentation attacks block the source at the router (remember, the firewall cannot stop the attack, its rulebase is powerless). Naturally, this method may not work with spoofed source packets.
4. CheckPoint is developing a long-term solution, which will be distributed as part of a later Service Pack. However, this fix was not available for testing at the time of this post.
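The following is an added example, not code from this advisory, CheckPoint or snort: it shows the detection side of step 3 by parsing IPv4 headers from constructed sample packets and flagging fragments that can never reassemble legally (fragment offset plus payload beyond the 65535-byte IPv4 limit), which is the kind of illegal fragment that shows up in /var/adm/messages. The source addresses, the per-source threshold and the sample fragment sizes are all assumptions chosen for the example.

```python
import struct
from collections import Counter

IPV4_MAX = 65535  # largest datagram IPv4 can reassemble


def parse_ipv4(pkt):
    """Return the IPv4 header fields needed for fragment checks."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "id": ident,
        "mf": bool(flags_frag & 0x2000),          # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,      # fragment offset in bytes
        "payload_len": total_len - ihl,
        "proto": proto,
    }


def is_illegal_fragment(hdr):
    """Data placed past the 65535-byte limit can never be reassembled."""
    return hdr["offset"] + hdr["payload_len"] > IPV4_MAX


def find_fragment_floods(pkts, threshold=3):
    """Count illegal fragments per source; return sources at or above threshold."""
    counts = Counter()
    for pkt in pkts:
        hdr = parse_ipv4(pkt)
        if is_illegal_fragment(hdr):
            counts[hdr["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def build_packet(src, dst, offset_bytes, payload_len, mf=False, ident=0x1234):
    """Construct a minimal IPv4 fragment for the sample data (checksum left zero)."""
    flags_frag = (0x2000 if mf else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, 1, 0, bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr + b"\x00" * payload_len


# Constructed sample traffic (documentation address ranges): one legitimate first
# fragment, then a stream of identical fragments claiming an offset past the limit.
SAMPLE_PACKETS = [build_packet("192.0.2.1", "198.51.100.1", 0, 1480, mf=True)] + \
    [build_packet("192.0.2.77", "198.51.100.1", 65520, 29)] * 5

if __name__ == "__main__":
    print(find_fragment_floods(SAMPLE_PACKETS))  # {'192.0.2.77': 5}
```

Sources this reports are candidates for a block at the router, as step 3 describes; as the advisory notes, the check says nothing about whether the source address is spoofed.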