By sending crafted packets to ports on the Checkpoint Firewall which are mapped by port address translation (PAT) to ports on internal devices, information about the internal network may be disclosed in the resulting ICMP error packets.
Port 18264/tcp on the Checkpoint Firewall is typically configured in such a manner that it is mapped by the port address translation (PAT), with packets to this port being re-written to reach the Firewall management server. When the time-to-live (TTL) is set low, the Firewall fails to correctly sanitize the encapsulated IP headers in ICMP time-to-live exceeded packets resulting in the internal IP address being disclosed. For example:
The response was elicited by sending a packet (from 22.214.171.124) to port 18264/tcp on the Firewall's interface. The TTL was set low, so the Firewall could not forward it on.
The destination address on the encapsulated IP packet is the address of the Firewall management server. Note: This can be exploited whether the port is detected as being open or closed by a port scan of the Firewall's interface.
An attacker could use this to determine the internal IP address of the Firewall management server.
11/09/2008 - Vendor informed via email.
23/09/2008 - Vendor Informed via email.
24/10/2008 - Vendor informed of publication intention