Bugtraq mailing list archives

Re: Check Point FW-1: attack against syslog daemon possible

From: "Dr. Peter Bieringer" <pbieringer () aerasec de>
Date: Thu, 27 Mar 2003 11:59:49 +0100

Hi again,

now we are finished the investigation of FW-1 4.1 (SP6) with followingresult:

In our lab the syslog daemon of Check Point FW-1 4.1 didn't crash in caseof sending "/dev/urandom" via "nc", but this floods the log without anyrate limiting.


Also the syslog messages were not filtered.

Note also that that improving the ruleset didn't help in cases wheretrusted and untrusted nodes are sharing the same network, because in UDPpackets the sender IP address can be spoofed (successfully tested with"sendip" against FW-1 4.1).

To avoid spoofing, only MAC based ACLs on gateways (if available) will helpor establishing a dedicated (V)LAN for trusted sources only.



We've updated our advisory once again:

http://www.aerasec.de/security/advisories/txt/
checkpoint-fw1-ng-fp3-syslog-crash.txt
http://www.aerasec.de/security/advisories/
checkpoint-fw1-ng-fp3-syslog-crash.html


Hope this helps,
        Peter
--
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Straße 1                           Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer () aerasec de
Germany                                Internet: http://www.aerasec.de

Current thread:

Check Point FW-1 NG FP3 & FP3 HF1: DoS attack against syslog daemon possible Dr. Peter Bieringer (Mar 21)
- Message not available
  - Re: Check Point FW-1: attack against syslog daemon possible Dr. Peter Bieringer (Mar 27)