A security issue exists in VPN-1/FireWall-1 version 4.1 whereby a valid firewall administrator connecting from an authorized management client may send malicious data to a management station inside a control connection, possibly preventing proper operation of the management station. This issue exists because some instances of improper string formatting occur in VPN-1/FireWall-1 version 4.1. By sending specially constructed commands through authorized communication channels, arbitrary code may be inserted onto the operating system stack of a VPN-1/FireWall-1 management station. This vulnerability may only be exploited by an authorized and authenticated VPN-1/FireWall-1 administrator connecting from a workstation explicitly trusted by the management station, although read/write permission is not required in order to perform this attack. Since full access (read/write) administrators and those at the local system console already have direct access to the firewall system, this is an escalation of privilege only for read-only administrators.
Credit:
The information has been provided by K. van der Raad.
Solution:
For all users, upgrade to VPN-1/FireWall-1 4.1 Service Pack 4 and install the SP4 hotfix. This hotfix only needs to be applied to management stations, not firewall modules.
Check Point/Nokia Appliances (IPSO) and AIX Note:
Since 4.1 SP3 is the most recent version of VPN-1/FireWall-1 released for these platforms, the hotfix for these will be released for 4.1 SP3. Future service packs will incorporate the fix.
Who is affected:
All installations of VPN-1/FireWall-1 that allow remote GUI connections should be assumed vulnerable to this exploit. It should be noted again that the attack must be made by an authorized and valid VPN-1/FireWall-1 administrator connecting from an authorized GUI client station.
Immediate workaround:
Restrict remote GUI access for read-only firewall administrators; review the list of administrators and authorized GUI clients.
Changes made in the hotfix:
Improper string formatting statements have been converted to secure ones in this hotfix and all future releases. This has no other impact on firewall operation.
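The advisory does not publish the affected code. The following added example (not Check Point's code) illustrates the bug class and the kind of conversion the hotfix describes: peer-supplied text used as a format string versus passed as an argument to a constant format. All function names and the sample command are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* VULNERABLE pattern: the received string is the format itself, so any
 * conversion specifiers in it are interpreted by the formatter.
 * Shown for contrast only; never call it with untrusted data. */
int log_command_unsafe(char *out, size_t n, const char *cmd)
{
    return snprintf(out, n, cmd);
}

/* HARDENED pattern: constant format, untrusted data only as an argument. */
int log_command_safe(char *out, size_t n, const char *cmd)
{
    return snprintf(out, n, "%s", cmd);
}

/* Variadic wrapper carrying the GCC/Clang format attribute, so the
 * compiler checks every call site's format against its arguments. */
__attribute__((format(printf, 3, 4)))
int log_fmt(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Audit helper: count conversion specifiers in a received string.
 * "%%" is a literal percent sign and is not counted. */
int count_conversion_specs(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') count++;
    }
    return count;
}

int main(void)
{
    const char *cmd = "status %x %x %s";  /* constructed sample input */
    char line[64];
    log_fmt(line, sizeof line, "cmd=%s", cmd);  /* specifiers stay literal */
    printf("%s (specifiers seen: %d)\n", line, count_conversion_specs(cmd));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` makes GCC and Clang flag the `snprintf` call in `log_command_unsafe`, which is a practical way to audit a code base for this pattern.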
Download information:
For AIX, HPUX, Linux, Solaris, Windows NT & Windows 2000 select the following options from the Software Subscription Download Site:
Product: VPN-1/ FireWall-1 or Provider-1
Version: 4.1
Operating System: [Appropriate OS]
Encryption: [VPN+Des or VPN+Strong]
SP/Patch Level: [Appropriate Hotfix]
For IPSO 3.3 select the following options from the Software Subscription Download Site:
Product: Nokia IP Series Appliance
Version: 4.1
Operating System: IPSO 3.3
Encryption: [VPN+Des or VPN+Strong]
SP/Patch Level: Format String Hotfix for SP3 (IPSO 3.3 Only)