Bugtraq mailing list archives

Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x


From: vanja () RELAYGROUP COM (Vanja Hrustic)
Date: Sat, 22 Jan 2000 17:33:24 +0700


root wrote:
> The workaround is to use Checkpoint's encrypted authentication program
> "SecuRemote" and not allow clear text authentication (browser based,
> telnet, etc.) to destinations beyond the firewall.

But you can still authenticate to the firewall, using SecuRemote - and
have an unlimited number of tries. FW-1 will let you know if the username
exists or not. It was tested with V4.0.

> #2
> The default configuration in FW-1 allows for rlogin management of the
> server.  The rlogin prompt is available on all NICs.  Unless a rule is
> placed in your ruleset to drop or reject all connections to the
> firewall, the authentication problem above can be used to remotely
> administer someone else's firewall without them knowing.

To be honest, I don't think there is a 'default' configuration of
Firewall-1. I am not a FW-1 reseller, and I cannot say if there are any
'procedures' that resellers are supposed to follow, but so far I've seen
a few completely different setups of FW-1 (on Solaris). One machine was
completely 'stripped down', another one had a few rpc services running
while some other one had absolutely *everything* running. From the
outside, you can't do anything, so it's not such a big deal, but once you
manage to get into the internal network - it is a piece of cake to 'own' a
Firewall-1 box. Not because of Firewall-1 vulnerabilities, but because
of Solaris bugs and bad firewall rules (admin not barring access to the fw
from the internal network). I don't think it is a Firewall-1 problem (the
problem #2); it's more of a sysadmin problem.

A very good document about stripping Solaris can be found at:

http://www2.checkpoint.com/~joe/strip-sunserver.txt

You can find some other interesting documents there as well.

http://www2.checkpoint.com/~joe/

--

Vanja Hrustic
SAFER Editor

SAFER - free monthly security newsletter
Subscriptions at http://safer.siamrelay.com
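The first point in the thread (the authentication service discloses whether a user name exists and never limits the number of tries) is a classic enumerate-then-guess pattern, and it is detectable from the authentication log even when it cannot be fixed at the product. The following is an added example, not code from the original post or from Check Point: it runs simple detection logic over constructed log lines. The `src=... user=... result=...` line format, the field names, the source addresses and the thresholds are all invented for the example; they are not the FireWall-1 log format.

```python
"""Spot username enumeration and password guessing in authentication logs.

Added example (not from the original post or from Check Point). The log
format below is constructed for illustration and is NOT the real FW-1
format. The idea is the one the thread raises: an authenticator that
says "no such user" and never locks out lets an attacker first learn
which names exist, then guess passwords against those names without limit.
"""
import re
from collections import defaultdict

# Constructed format: "<timestamp> src=<ip> user=<name> result=<result>"
# result is one of: unknown_user (name disclosed as non-existent),
# bad_password (name exists, password wrong), ok (login succeeded).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)\s*$"
)
KNOWN_RESULTS = ("unknown_user", "bad_password", "ok")

# Constructed sample log: one outside host walks a name list, learns which
# names are real, then hammers one of them; a legitimate user mistypes once.
SAMPLE_LOG = [
    "2000-01-22T17:01:01 src=10.1.2.3 user=alice result=bad_password",
    "2000-01-22T17:01:02 src=10.1.2.3 user=bob result=unknown_user",
    "2000-01-22T17:01:03 src=10.1.2.3 user=carol result=bad_password",
    "2000-01-22T17:01:04 src=10.1.2.3 user=dave result=unknown_user",
    "2000-01-22T17:01:05 src=10.1.2.3 user=erin result=unknown_user",
    "2000-01-22T17:01:06 src=10.1.2.3 user=frank result=unknown_user",
] + [
    f"2000-01-22T17:02:{i:02d} src=10.1.2.3 user=alice result=bad_password"
    for i in range(10)
] + [
    "2000-01-22T17:05:00 src=192.168.5.7 user=gina result=bad_password",
    "2000-01-22T17:05:09 src=192.168.5.7 user=gina result=ok",
    "2000-01-22T17:06:00 src=192.168.5.7 garbage line that does not parse",
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate per source address: result counts, names tried, names confirmed
    to exist (server answered bad_password or ok), and failures per name."""
    per_src = defaultdict(lambda: {
        "unknown_user": 0, "bad_password": 0, "ok": 0,
        "names_tried": set(), "valid_names": set(),
        "bad_by_user": defaultdict(int),
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] not in KNOWN_RESULTS:
            continue  # unparseable or unknown result: skip, do not crash
        s = per_src[rec["src"]]
        s[rec["result"]] += 1
        s["names_tried"].add(rec["user"])
        if rec["result"] in ("bad_password", "ok"):
            s["valid_names"].add(rec["user"])  # the server confirmed the name
        if rec["result"] == "bad_password":
            s["bad_by_user"][rec["user"]] += 1
    return per_src


def findings(lines, enum_min_names=5, guess_min_attempts=8):
    """Flag sources that (a) tried many distinct names and got at least one
    'unknown user' disclosure, or (b) failed repeatedly against one name.
    Thresholds are arbitrary example values."""
    out = []
    for src, s in sorted(summarize(lines).items()):
        if len(s["names_tried"]) >= enum_min_names and s["unknown_user"] > 0:
            out.append({"src": src, "kind": "username_enumeration",
                        "names_tried": len(s["names_tried"]),
                        "valid_names_learned": sorted(s["valid_names"])})
        for user, n in sorted(s["bad_by_user"].items()):
            if n >= guess_min_attempts:
                out.append({"src": src, "kind": "password_guessing",
                            "user": user, "attempts": n})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f)
```

The enumeration finding records which names the attacker has now confirmed as real; those are the accounts whose subsequent failures matter most, which is why the second rule counts failures per name rather than per source. Fitting this to a real log means replacing `LINE_RE` and the three result labels with whatever the device actually emits.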


