Re: [Full-disclosure] DNS and Checkpoint


The article you're looking at is for their SmartDefense product, an add-in to Firewall-1. Supposedly it will protect a DNS server behind the firewall from this vulnerability.

Ray

Date: Wed, 9 Jul 2008 15:00:39 +0100
From: imipak@xxxxxxxxx
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] DNS and Checkpoint

Hello everyone,

I've had a report from someone with clue (and tcpdump) that a properly
functioning DNS resolver that correctly uses randomised source ports
magically becomes vulnerable once the traffic's passed through a
Checkpoint firewall, where Dan Kaminsky's tool shows:

x.y.z.155:56978 TXID=712
x.y.z.155:56979 TXID=45713
x.y.z.155:56980 TXID=63532
x.y.z.155:56981 TXID=7243
x.y.z.155:56982 TXID=17620

(note the incrementing port numbers.)

Can anyone else confirm this behaviour?

Checkpoint are one of the dozens of vendors listed on the CERT
advisory as "Status: Unknown"
http://www.kb.cert.org/vuls/id/MIMG-7ECL6B

They do have an advisory up:
http://www.checkpoint.com/defense/advisories/public/2008/cpai-01-Jul.html

I don't have the login needed to read the whole thing, but the front
page just says:

"Protection provided by:
VPN-1: * NGX R65
* NGX R62
* NGX R61
* NGX R60
[...etc, etc...] "


cheers

=i

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_________________________________________________________________
Need to know now? Get instant answers with Windows Live Messenger.
http://www.windowslive.com/messenger/connect_your_way.html?ocid=TXT_TAGLM_WL_messenger_072008_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Website setup questions.
    ... Create firewall rule to direct HTTP port 80 to the SBS External NIC ... Create firewall rule to point DNS port 53 to the SBS External NIC ... NICS to get this request to not timeout or be refused. ...
    (microsoft.public.windows.server.sbs)
  • Re: For Microsoft Partners and Customers Who Cant Download or Access
    ... Using ipconfig /all showed the DNS IP is in fact the same IP ... as the firewall as you mentioned. ... Microsoft for msdn2.microsoft.com. ... use a static IP and set the DNS server addresses to the DNS ...
    (microsoft.public.dotnet.general)
  • Re: Setting another machine as a firewall
    ... I don't think a firewall is really the right technology to ... The alternative to implementing a proxy mail server on your firewall ... internet, then that is just a matter of writing filter rules to allow ... As far as DNS goes, combining a NAT'ing firewall with a mailserver on ...
    (freebsd-questions)
  • Re: loss of SOME connectivity
    ... I "think" it is DNS. ... Yes, I can ping the router, AND the ISP DNS. ... I cannot connect the inet cable directly to the server because the inet is ... MS firewall not started. ...
    (microsoft.public.windows.server.sbs)
  • Re: E-Mail Address Cant Receive E-Mail from *Some* External Organizations
    ... The fact that _some_ messages are delivered is because they are sent from different IPs, so double-check your firewall settings. ... So, that looks right to me, anyway; both resolve to the proper IP address of the external interface for our firewall, and the only difference is that for "company.org" our ISP's mail server acts as a backup server in case our internal mail server is down. ... However, if I send a message to "me@xxxxxxxxxxxxxxxx" from my Yahoo e-mail account, I get an NDR returned to my Yahoo account. ... I have checked with our ISP who handles our DNS settings, and they indicate that all appears to be in order with our DNS and MX records. ...
    (microsoft.public.exchange.admin)