[Full-Disclosure] Re: Check Point FW-1: attack against syslog daemon possible

From: Dr. Peter Bieringer (pbieringer@aerasec.de)
Date: 03/27/03

    From: "Dr. Peter Bieringer" <pbieringer@aerasec.de>
    To: Maillist Bugtraq <bugtraq@securityfocus.com>, Maillist full-disclosure <full-disclosure@lists.netsys.com>
    Date: Thu, 27 Mar 2003 11:59:49 +0100
    

    Hi again,

    now we have finished the investigation of FW-1 4.1 (SP6) with the following
    result:

    In our lab the syslog daemon of Check Point FW-1 4.1 didn't crash in case
    of sending "/dev/urandom" via "nc", but this floods the log without any
    rate limiting.

    Also the syslog messages were not filtered.

    Note also that improving the ruleset didn't help in cases where
    trusted and untrusted nodes are sharing the same network, because in UDP
    packets the sender IP address can be spoofed (successfully tested with
    "sendip" against FW-1 4.1).

    To avoid spoofing, only MAC based ACLs on gateways (if available) will help
    or establishing a dedicated (V)LAN for trusted sources only.

    We've updated our advisory once again:

    http://www.aerasec.de/security/advisories/txt/checkpoint-fw1-ng-fp3-syslog-crash.txt
    http://www.aerasec.de/security/advisories/checkpoint-fw1-ng-fp3-syslog-crash.html

    Hope this helps,
            Peter

    -- 
    Dr. Peter Bieringer                             Phone: +49-8102-895190
    AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
    Wagenberger Straße 1                           Mobile: +49-174-9015046
    D-85662 Hohenbrunn                       E-Mail: pbieringer@aerasec.de
    Germany                                Internet: http://www.aerasec.de
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
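
The two gaps the message reports (no rate limiting, no filtering of received syslog data) can be closed on the receiving side. The sketch below is an added example, not part of the original post or of the AERAsec advisory; the names `TokenBucket`, `sanitize`, `SyslogGuard` and all limits are hypothetical. Because the UDP sender address can be spoofed, the per-source limit is backed by an overall limit.

```python
class TokenBucket:
    """Allow `rate` events per second with bursts of up to `burst`."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = float(burst), now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def sanitize(datagram, max_len=1024):
    """Truncate, then escape every byte that is not printable ASCII (and the
    backslash itself) so raw binary input cannot reach the log unescaped."""
    return "".join(chr(b) if 32 <= b < 127 and b != 0x5C else f"\\x{b:02x}"
                   for b in datagram[:max_len])

class SyslogGuard:
    # Hypothetical limits: (messages per second, burst) per source and overall.
    def __init__(self, per_source=(5.0, 10), overall=(50.0, 100),
                 max_sources=4096, now=0.0):
        self.per_source, self.max_sources = per_source, max_sources
        self.overall = TokenBucket(*overall, now)
        self.sources, self.dropped = {}, 0

    def accept(self, src_ip, datagram, now):
        """Return the sanitized text to log, or None when rate-limited."""
        bucket = self.sources.get(src_ip)
        # Bound the table so many distinct (spoofed) addresses cannot exhaust memory.
        if bucket is None and len(self.sources) < self.max_sources:
            bucket = self.sources[src_ip] = TokenBucket(*self.per_source, now)
        # The UDP source address can be spoofed, so the per-source bucket is
        # backed by an overall bucket that bounds total log growth.
        if (bucket and not bucket.allow(now)) or not self.overall.allow(now):
            self.dropped += 1
            return None
        return sanitize(datagram)

def demo():
    """Constructed input: 30 binary datagrams from one documentation address."""
    guard = SyslogGuard()
    noisy = b"\x00\xff\x1b[2J<13>x"
    lines = [guard.accept("192.0.2.10", noisy, now=0.0) for _ in range(30)]
    return lines, guard.dropped

if __name__ == "__main__":
    lines, dropped = demo()
    print(lines[0], "| accepted:", sum(l is not None for l in lines), "| dropped:", dropped)
```

The overall bucket only caps log growth; it does not tell trusted from untrusted senders, which still needs the MAC-based ACLs or dedicated (V)LAN named in the message.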
    
