Executive Summary

Summary
Title: Check Point VPN-1 information disclosure vulnerability
Information
Name: VU#992585
First vendor Publication: 2008-03-18
Vendor: VU-CERT
Last vendor Modification: 2008-03-18
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Cvss Base Score: 6.5
Cvss Impact Score: 6.4
Cvss Exploit Score: 8
Attack Range: Network
Attack Complexity: Low
Authentication: Requires single instance

Detail

Vulnerability Note VU#992585

Check Point VPN-1 information disclosure vulnerability

Overview

The Check Point VPN-1 firewall contains an information disclosure vulnerability that may allow an authenticated attacker to access data that they are not authorized to access.

I. Description

The Check Point VPN-1 is an application layer firewall that supports remote and site-to-site virtual private networks (VPN).

From Check Point Solution ID sk34579:

    This issue occurs in the following scenario:
    Remote Access Client (C) connects to a gateway (A). A site-to-site VPN tunnel exists between gateways (A) and (B). If the Remote Access Client (C) has an IP address which is also defined in the encryption domain of gateway (B), collisions occur: new connections meant for the afore-mentioned IP address in the encryption domain of gateway (B) would be incorrectly transferred to the Remote Access Client (C). Existing connections are not affected.

II. Impact

A remote, authenticated attacker may be able to intercept data that they are not authorized to access.

III. Solution

Upgrade

Check Point has released an update to address this vulnerability. Administrators should see Check Point Solution ID sk34579 for information about how to obtain fixed software.

Restrict access to internal network applications

Application-based access controls and encryption mitigate this vulnerability by preventing a remote attacker from decrypting or accessing any data received by exploiting it.
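The collision condition quoted from sk34579 in the Description can be checked for in a configuration review. The following is an added example, not code from CERT or Check Point: it reports every overlap between the addresses remote access clients may use and the encryption domains of site-to-site peers. The function names, gateway names and address values are constructed assumptions.

```python
import ipaddress

def to_networks(spec):
    """Accept a CIDR block, a single address, or a 'first-last' range."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec.strip(), strict=False)]

def find_collisions(client_addrs, encryption_domains):
    """Return (client_spec, gateway, colliding_network) tuples.

    client_addrs: address specs that remote access clients of gateway A may use.
    encryption_domains: {peer gateway name: [address specs]}.
    """
    hits = []
    for client_spec in client_addrs:
        for c_net in to_networks(client_spec):
            for gateway, specs in encryption_domains.items():
                for spec in specs:
                    for d_net in to_networks(spec):
                        if c_net.version != d_net.version or not c_net.overlaps(d_net):
                            continue
                        # CIDR blocks are either nested or disjoint, so the
                        # overlap is whichever block has the longer prefix.
                        overlap = max(c_net, d_net, key=lambda n: n.prefixlen)
                        hits.append((client_spec, gateway, str(overlap)))
    return hits

# Constructed sample data (hypothetical values, not taken from the advisory).
CLIENT_ADDRS = ["10.20.0.0/24", "192.168.50.7"]
ENCRYPTION_DOMAINS = {
    "gateway-B": ["10.20.0.128-10.20.0.191", "172.16.5.0/24"],
    "gateway-D": ["192.168.60.0/24"],
}

if __name__ == "__main__":
    for client, gw, net in find_collisions(CLIENT_ADDRS, ENCRYPTION_DOMAINS):
        print(f"client range {client} collides with {gw} encryption domain at {net}")
```

Any reported overlap is an address a remote access client could hold while it is also defined in a peer's encryption domain, which is the precondition the solution describes.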

Systems Affected

Vendor                                Status        Date Updated
Check Point Software Technologies     Vulnerable    18-Mar-2008

References


https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk34579&js_peid=P-114a7ba5fd7-10001&partition=null&product=VPN-1
http://www.puresecurity.com.au/files/PureSecurity%20VPN-1%20DoS_Spoofing%20Attack%20against%20VPN%20tunnels.pdf

Credit

Thanks to Robert Mitchell of PureSecurity and Check Point for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public: 03/18/2008
Date First Published: 03/18/2008 01:07:16 PM
Date Last Updated: 03/18/2008
CERT Advisory 
CVE Name 
US-CERT Technical Alerts 
Metric: 2.36
Document Revision: 30

Original Source

Url : http://www.kb.cert.org/vuls/id/992585

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-264 Permissions, Privileges, and Access Controls

CPE : Common Platform Enumeration

Type Description Count
Application 2
Application 1
Application 1
Application 1
Application 1

Open Source Vulnerability Database (OSVDB)

Id Description
43295 Check Point VPN-1 IP Address Collision Handling Information Disclosure