=====================================================================
CERT-Renater Information Note No. 2009/VULN011
_____________________________________________________________________

DATE                  : 09/01/2009
HARDWARE PLATFORM(S)  : /
OPERATING SYSTEM(S)   : Systems running VPN-1 Power/UTM.

======================================================================

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk36321
______________________________________________________________________

Solution ID: sk36321

Check Point response to "VPN-1 PAT information disclosure" vulnerability

Product: VPN-1 Power/UTM
Version: NGX R65
Last Modified: 28-Dec-2008

Symptoms

* On November 14, 2008 Portcullis Computer Security published the "Checkpoint VPN-1 PAT information disclosure" advisory.
* Check Point confirms this behavior. It is relevant for all port forwarding configurations; refer to the detailed description of the configuration below.
* Severity of this vulnerability is Low.

Cause

The published issue occurs in the following configuration: a manual NAT rule is used to configure port forwarding to an internal server with a non-routable IP address.

Example of the manual rule:

                ORIGINAL PACKET               TRANSLATED PACKET
  SOURCE        External IP address           External IP address
  DESTINATION   Gateway external IP address   Internal server IP address
  SERVICE       HTTP                          HTTP

An attacker may send a TCP SYN packet to the gateway external IP on port 80 with a low TTL. The gateway will send an ICMP Time Exceeded message with the discarded packet in the payload. The payload contains the internal IP address because it was not translated by the NAT mechanism. This leads to disclosure of the internal server IP address.

Solution

Check Point Support offers a Hotfix to resolve this issue.
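Added here as a defender's illustration, not part of the original note or of any Check Point code: a small parser that inspects an IPv4/ICMP error packet leaving the gateway, reads the destination of the IPv4 header quoted in the ICMP payload, and flags it when it is an RFC 1918 address, which is exactly the untranslated inner header the Cause section describes. The sample packet and all addresses (203.0.113.1 gateway, 198.51.100.7 client, 10.1.2.3 internal server) are constructed for the example.

```python
import ipaddress
import struct

# RFC 1918 ranges: a destination in one of these inside an ICMP error leaving
# the gateway means the quoted inner header was not reverse-translated by NAT.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def embedded_destination(ip_packet: bytes):
    """For an IPv4 packet carrying ICMP Destination Unreachable (3) or
    Time Exceeded (11), return (icmp_type, destination of the quoted inner
    IPv4 header); return None for anything else or for truncated input."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4            # outer header length in bytes
    if ip_packet[9] != 1:                      # protocol field: 1 = ICMP
        return None
    icmp = ip_packet[ihl:]
    if len(icmp) < 8 or icmp[0] not in (3, 11):
        return None
    inner = icmp[8:]                           # ICMP error header is 8 bytes
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    return icmp[0], ipaddress.ip_address(inner[16:20])   # inner dst address

def leaks_internal_address(ip_packet: bytes) -> bool:
    """True when the ICMP error quotes a private destination address."""
    result = embedded_destination(ip_packet)
    return result is not None and any(result[1] in net for net in PRIVATE_NETS)

# --- constructed sample traffic (not a capture from a real gateway) ---------
def ipv4_header(src, dst, proto, ttl=64, total_len=20):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def build_time_exceeded(gw_ip, client_ip, inner_dst):
    """ICMP Time Exceeded from the gateway, quoting the expired SYN's IPv4
    header plus the first 8 bytes of TCP (client port 12345 -> port 80)."""
    inner = ipv4_header(client_ip, inner_dst, 6, ttl=0, total_len=40) \
        + struct.pack("!HHL", 12345, 80, 1)
    icmp = struct.pack("!BBHL", 11, 0, 0, 0) + inner   # checksum left as 0
    return ipv4_header(gw_ip, client_ip, 1, total_len=20 + len(icmp)) + icmp

if __name__ == "__main__":
    leaky = build_time_exceeded("203.0.113.1", "198.51.100.7", "10.1.2.3")
    fixed = build_time_exceeded("203.0.113.1", "198.51.100.7", "203.0.113.1")
    print(leaks_internal_address(leaky), leaks_internal_address(fixed))  # True False
```

The "fixed" packet models what a patched gateway should emit: the quoted inner destination is the gateway's own external address again, so nothing private crosses the perimeter.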
For VPN-1 Power/UTM NGX R65, upgrade to HFA_30 and install the following HotFix:

* VPN-1 Power/UTM NGX R65 HFA_30 Supplement 5 for Windows
  md5: 8f02db5276620cd2d612e5d5ba86f24b
* VPN-1 Power/UTM NGX R65 HFA_30 Supplement 5 for IPSO
  md5: 6bb796d6c5c7b0778291d1674d248c61
* VPN-1 Power/UTM NGX R65 HFA_30 Supplement 5 for SecurePlatform
  md5: d8845a28933e857933af0b82253a392d
* VPN-1 Power/UTM NGX R65 HFA_30 Supplement 5 for Solaris
  md5: f142d51381a7e1069331ba900ec8a542

For all other versions contact Check Point Support to request a Hotfix that resolves this issue. To contact Support, either call one of the Worldwide Technical Assistance Centers (Americas: 972-444-6600 or International: +972-3-6115100), or submit a service request through http://www.checkpoint.com/sr.

If you choose not to install the above HotFix, the following workaround is available:

1. In SmartDashboard go to Policy -> Global Properties -> Stateful Inspection.
2. Clear the "Errors" checkbox under the "Accept Stateful ICMP" section to block the ICMP errors.
3. Install the Security Policy.

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44    +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41    +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================