Re: Check Point FW-1 NG FP3 & FP3 HF1: DoS attack against syslog daemon possible

[Rizan Sheikh Mohd <sheikhrizan () rocketmail com>]

In-Reply-To: <1779CE9992706F45BDC9575124A5AAE50122188A () a0001-xpo0114-s hodc ad allstate com>

Not exactly cause I have CPK FW-1 NG FP2 Build 52163. The logging server & 
management are separated. It seems that syslog is running on port 514udp:

$ ps -aef | grep syslog
root      7239  7231  0 Mar23 ?        00:00:01 syslog 514 all

Maybe the wording Checkpoint used on their web site.
"Prior to the release of NG FP3 HF2......." really does include ALL 
releases before FP3 

Rizan


> Received: (qmail 16221 invoked from network); 21 Mar 2003 23:10:48 -0000
> Received: from outgoing2.securityfocus.com (HELO 
outgoing.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 21 Mar 2003 23:10:48 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com 
[205.206.231.19])
>       by outgoing.securityfocus.com (Postfix) with QMQP
>       id 337008F31B; Fri, 21 Mar 2003 16:10:34 -0700 (MST)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 1533 invoked from network); 21 Mar 2003 18:47:50 -0000
> Message-ID: <1779CE9992706F45BDC9575124A5AAE50122188A@a0001-xpo0114-
s.hodc.ad.allstate.com>
> From: "Hines, Eric" <ehin4 () allstate com>
> To: dchesterfield () bankofny com
> Subject: RE: Check Point FW-1 NG FP3 & FP3 HF1: DoS attack against syslog 
>               daemon possible
> Date: Fri, 21 Mar 2003 12:59:20 -0600
> MIME-Version: 1.0
> X-Mailer: Internet Mail Service (5.5.2653.19)
> content-class: urn:content-classes:message
> Content-Type: text/plain;
>       charset="iso-8859-1"
>
> Alright. I was just concerned because of the wording Checkpoint used on
> their web site.
> "Prior to the release of NG FP3 HF2......."
>
> I'm going to assume they were referring to the HF2 portion of that, and 
not
> < FP3
>
>
> Eric Hines
>
>
>
> -----Original Message-----
> From: dchesterfield () bankofny com [mailto:dchesterfield () bankofny com]
> Sent: Friday, March 21, 2003 12:53 PM
> To: Hines, Eric
> Cc: Maillist Bugtraq; Dr. Peter Bieringer
> Subject: Re: Check Point FW-1 NG FP3 & FP3 HF1: DoS attack against
> syslog daemon possible
>
>
>
> The daemon was apparently only introduced since FP3
>
>
>
>
>
>                      "Hines, Eric"
>
>                      <ehin4@allstate.c        To:       "Dr. Peter
> Bieringer" <pbieringer () aerasec de>, Maillist Bugtraq                 
>                      om>                       
<bugtraq () securityfocus com>
>                                               cc:
>
>                      21/03/2003 06:31         Subject:  Re: Check Point
> FW-1 NG FP3 & FP3 HF1: DoS attack against syslog        daemon  
>                      pm                        possible
>
>
>
>
>
>
>
> Has anyone tested these vulnerabilities on NG FP1 or are they strictly
> related to FP3?
>
> Eric Hines
>
>
>
>
> -----Original Message-----
> From: Dr. Peter Bieringer [mailto:pbieringer () aerasec de]
> Sent: Friday, March 21, 2003 6:47 AM
> To: Maillist Bugtraq; Maillist full-disclosure
> Subject: Check Point FW-1 NG FP3 & FP3 HF1: DoS attack against syslog
> daemon possible
>
>
> Hi all,
>
> interesting for all Check Point FW-1 NG users which have enabled the
> since
> FP3 included syslog daemon.