Check Point FireWall-1/VPN-1 Component Can Be Crashed By Remote Users Sending Syslog Messages in Certain Cases
SecurityTracker Alert ID: 1006355
SecurityTracker URL: http://securitytracker.com/id/1006355
CVE Reference: GENERIC-MAP-NOMATCH
Updated: Mar 24 2003
Original Entry Date: Mar 21 2003
Impact:
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): NG FP3 and NG FP3 HF1
Description:
A denial of service vulnerability was reported in Check Point's FireWall-1/VPN-1 software. If the firewall is configured to collect syslog messages from other devices, a remote user can cause the SmartTracker logging mechanism to crash.
It is reported that a remote user could send "excessive" amounts of data via a syslog connection to cause the SmartTracker logging mechanism on the target firewall to experience high CPU utilization rates. According to a report by AERAsec, this can cause SmartTracker to crash without notice. The service must be manually restarted to return to normal operations.
The syslog daemon is not enabled by default.
Check Point also reported that escape characters are not filtered from the syslog log files when viewed with the command-line utility. According to the report, they are properly removed when viewed via the GUI.
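As an added example that is not part of the advisory or of Check Point's code, the following Python filter shows the two defensive measures a syslog collector can apply against the issues described above: strip terminal escape and control characters before a log line is displayed with a command-line viewer, and cap per-message size so oversized input is not carried into the log store. The 1024-character cap and the sample lines are assumptions constructed for the example.

```python
import re

# Length cap for a single received message. RFC 3164 limits a syslog packet
# to 1024 bytes; the exact cap is an assumption for this example, not a value
# taken from the Check Point advisory.
MAX_MSG_LEN = 1024

# ANSI CSI sequences (ESC [ parameters intermediates final) and the remaining
# C0 control characters plus DEL, except TAB. A terminal interprets these when
# a raw log file is displayed with a command-line viewer.
_CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
_CTRL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def sanitize_syslog_line(line: str, max_len: int = MAX_MSG_LEN) -> str:
    """Return a received syslog line that is safe to print on a terminal."""
    line = line.rstrip("\r\n")
    if len(line) > max_len:
        # Do not carry an oversized payload into the log store or the viewer;
        # the advisory attributes the CPU exhaustion to "excessive" data.
        line = line[:max_len] + " [truncated]"
    line = _CSI_RE.sub("", line)          # drop whole escape sequences first
    return _CTRL_RE.sub("", line)         # then any stray control bytes


def count_oversized(lines, max_len: int = MAX_MSG_LEN) -> int:
    """Count messages over the cap, a simple signal worth alerting on."""
    return sum(1 for line in lines if len(line.rstrip("\r\n")) > max_len)


def sanitize_all(lines):
    return [sanitize_syslog_line(line) for line in lines]


# Constructed sample input: a normal line, a line carrying a colour escape
# sequence, and an oversized line. These are not taken from the advisory.
SAMPLE_LINES = [
    "<34>Mar 21 09:58:31 fw1 kernel: link up on eth0",
    "<34>Mar 21 09:58:32 fw1 app: \x1b[31malert\x1b[0m user login failed\n",
    "<34>Mar 21 09:58:33 fw1 app: " + "A" * 2000,
]

if __name__ == "__main__":
    print("oversized messages:", count_oversized(SAMPLE_LINES))
    for cleaned in sanitize_all(SAMPLE_LINES):
        print(cleaned[:80])
```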
Check Point credits Dr. Peter Bieringer of AERAsec Network Services and Security GmbH for reporting this flaw.
Impact:
A remote user can cause the firewall's SmartTracker service to crash.
Solution:
Check Point has reportedly fixed the denial of service issue in NG FP3 HF2. For more information on the hot fix, see:
http://www.checkpoint.com/techsupport/ng/fp3_hotfix.html
Check Point also reports that a future release of VPN-1/FireWall-1 will remove the escape characters from syslog log files when viewed via the command-line utility.
Versions prior to NG FP3 are reportedly not vulnerable, as they do not include the affected syslog daemon.
Vendor URL: www.checkpoint.com/techsupport/alerts/syslog.html
Cause:
Resource error
Underlying OS:
Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
Message History:
None.
Source Message Contents
Date: Fri, 21 Mar 2003 09:58:31 -0500
Subject: Check Point syslog bug
http://www.checkpoint.com/techsupport/alerts/syslog.html
FireWall-1/VPN-1 security alert:
Check Point issued a security alert warning that a remote user could send "excessive" amounts of data via a syslog connection to cause the SmartTracker logging mechanism on the target firewall to experience high CPU utilization rates. According to a report by AERAsec, this can cause SmartTracker to crash without notice. The service must be manually restarted to return to normal operations.
The syslog daemon is not enabled by default.
Check Point also reported that escape characters are not filtered from the syslog log files when viewed with the command-line utility. According to the report, they are properly removed when viewed via the GUI.
Check Point has reportedly fixed the denial of service issue in NG FP3 HF2. For more information on the hot fix, see:
http://www.checkpoint.com/techsupport/ng/fp3_hotfix.html
Check Point also reports that a future release of VPN-1/FireWall-1 will remove the escape characters from syslog log files when viewed via the command-line utility.
Check Point credits Dr. Peter Bieringer of AERAsec Network Services and Security GmbH for reporting this flaw.