Published: 1999-07-29 00:00:00
Revised: 2008-09-09 08:35:21

[Original text] Firewall-1 sets a long timeout for connections that begin with ACK or other packets except SYN, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems.



- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:checkpoint:firewall-1:4.0    Checkpoint Firewall-1 4.0
cpe:/a:checkpoint:firewall-1:3.0    Checkpoint Firewall-1 3.0

- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources

- Vulnerability information

Low    Unknown
1999-07-29 00:00:00    2005-05-02 00:00:00

- Advisories and patches


- Vulnerability information (19436)

Check Point Software Firewall-1 3.0/1 4.0 Table Saturation Denial of Service Vulnerability (EDBID:19436)
hardware dos
1999-07-29 Verified
0 Lance Spitzner

A denial of service condition exists in some implementations of Firewall-1 by Checkpoint Software. This denial of service attack is possible due to the way Firewall-1 handles TCP connections.

Typically, to initiate a TCP connection, a SYN packet is sent to the destination host. On systems where Firewall-1 is installed, this packet is first passed through an internal stack maintained by the Firewall before it is passed on to the operating system's native stack. When Firewall-1 filters this packet, it checks it against the rule base. If the session is allowed as far as its rulebase is concerned, it is added to the connections table with a timeout of 60 seconds. When the remote host responds with an ACK (Acknowledge) packet, the session is bumped up to a 3600 second timeout.

However, if you initiate a connection with an ACK packet, Firewall-1 compares it against the rule base and, if allowed, it is added to the connections table. However, the timeout is set to 3600 seconds and does not care whether a remote system responds. You now have a session with a 1 hour timeout, even though no system responded. If this is done with a large number of ACK packets, it will result in a full connections table. This results in your Firewall-1 refusing subsequent connections from any source, effectively rendering the Firewall-1 useless in a 'failed closed' state.

Most companies allow http outbound. Run this command as root from an internal system, I give your FW about 10 to 15 minutes. If your internal network is a 10.x.x.x, try 172.16.*.*

nmap -sP 10.*.*.*

nmap is a very powerful port scanner. With this command it does only a PING and TCP sweep (default port 80), but uses an ACK instead of a SYN.

To verify that your connections table is quickly growing, try "fw tab -t connections -s" at 10 second intervals.

Tested on ver 4.0 SP3 on Solaris x86 2.6.

- Vulnerability information

Check Point VPN-1/FireWall-1 Table Saturation DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

Check Point VPN-1/FireWall-1 contains a flaw that may allow a remote denial of service. The issue is triggered when a remote attacker sends an abundance of ACK packets to a non-existent machine, which fills the connection table and results in loss of availability for the firewall.

- Timeline

1999-07-29 Unknown
1999-07-29 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workarounds:
1. Create a rule that hinders the ability to insert ACK packets into the connection table
2. Increase the size of the connections table
3. Reduce the default TCP timeout
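As an added illustration (not part of this advisory and not Check Point's code), the following Python model reproduces the connection-table behaviour described in the exploit text above, where SYN-initiated entries get a 60 second timeout, ACK-initiated entries go straight to 3600 seconds regardless of any reply, and a full table refuses all further connections, and shows how workarounds 1 and 3 from the solution change the outcome. The table capacity, the `strict_ack` flag, the session keys and the packet rate are assumptions.

```python
from dataclasses import dataclass, field

SYN_TIMEOUT, ESTABLISHED_TIMEOUT = 60, 3600  # seconds, as stated in the advisory

@dataclass
class ConnTable:
    """Toy model of the FireWall-1 connections table (assumed structure, not Check Point code)."""
    capacity: int                                   # assumed table size
    strict_ack: bool = False                        # workaround 1: no entry from a bare ACK
    established_timeout: int = ESTABLISHED_TIMEOUT  # workaround 3: lower the default timeout
    entries: dict = field(default_factory=dict)     # session key -> expiry time (seconds)
    refused: int = 0                                # packets dropped because the table was full

    def expire(self, now):
        self.entries = {k: t for k, t in self.entries.items() if t > now}

    def packet(self, key, flags, now, allowed=True):
        """Apply the rule-base decision and update the table as the advisory describes."""
        self.expire(now)
        if not allowed:
            return False
        if key in self.entries:                     # reply on a known session: bump to 3600 s
            self.entries[key] = now + self.established_timeout
            return True
        if flags == "ACK" and self.strict_ack:      # no prior SYN entry for this session: drop
            return False
        if len(self.entries) >= self.capacity:      # table full: fail closed
            self.refused += 1
            return False
        ttl = SYN_TIMEOUT if flags == "SYN" else self.established_timeout
        self.entries[key] = now + ttl
        return True

def flood(table, n, flags, rate=100):
    """Feed n first packets (all unanswered) at `rate`/s from one constructed source to
    n different unresponsive hosts, then report entries still held 120 s after the last one."""
    for i in range(n):
        key = ("10.0.0.5", 40000 + i, f"10.{i // 256}.{i % 256}.1", 80)  # constructed sample
        table.packet(key, flags, now=i / rate)
    table.expire(n / rate + 120)
    return len(table.entries)

if __name__ == "__main__":
    print("SYN sweep leaves", flood(ConnTable(capacity=25000), 5000, "SYN"), "entries")
    print("ACK sweep leaves", flood(ConnTable(capacity=25000), 5000, "ACK"), "entries")
    print("ACK sweep, strict rule:", flood(ConnTable(25000, strict_ack=True), 5000, "ACK"))
```

With the default 3600 second timeout every unanswered ACK stays in the table for an hour, so a small table fills and then refuses even a legitimate SYN; the strict rule or a shorter timeout lets the same sweep drain away.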

- Related references

- Vulnerability author