Published: 1999-10-20 00:00:00
Revised: 2008-09-09 08:36:08

[Original] Firewall-1 does not properly restrict access to LDAP attributes.

[CNNVD] Check Point FireWall-1 LDAP Authentication Vulnerability (CNNVD-199910-033)


- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to system files being modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  19991020 Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication

- Vulnerability information

Check Point FireWall-1 LDAP Authentication Vulnerability
High risk / Access validation error
1999-10-20 00:00:00 2006-01-04 00:00:00

- Advisories and patches

        Check Point Support emailed the following information to
        Resolution: After investigation, Check Point Software confirms this as the appropriate behavior with "standard" checked in "Required Sign On" field under "Client Authentication". In other words, when using "standard" sign-on, the "Destination" field under "Client Authentication" properties cannot be intersected with the user database property which defines user access to specific destinations. Accordingly, the "Destination" field is grayed out in the Client Authentication Action Properties. This information is documented on Page 534 of VPN-1/FW-1 Administration Guide where it is stated that under such circumstances, the "Destination" field is automatically set to "Ignore User Database" and that the user can access all destinations allowed by the rule. The VPN-1/FW-1 GUI can cause confusion because it simply grays out the value set in "Destination" field instead of setting it to "Ignore User Database". But internally, the "Destination" value is set to "Ignore User Database". The GUI will be amended in the subsequent release of VPN-1/FW-1 to make this more clear. It is important to note that the "Source" field can be intersected with user database even if standard sign-on is selected under Client Authentication.
        Also, this behavior is independent of whether the user is defined in VPN-1/FW-1 internal database or an external LDAP-compliant directory server.
        If one would like to enforce the "allowed-destinations" attribute (defined for each user) under Client Authentication Rule, the "Required Sign On" field must be set to "Specific", and an appropriate Sign-On Method should be selected.
        This limitation does not exist under User Authentication Rules.
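The vendor response above describes three policy cases: a Client Authentication rule with "standard" sign-on ignores the user's allowed-destinations attribute (only the rule's own Destination applies, while Source is still intersected with the user database), a Client Authentication rule with "Specific" sign-on enforces the attribute, and a User Authentication rule enforces it as well. The following is an added illustration, not Check Point code, that models exactly that decision logic so an administrator can see which destinations a restricted user gains under each configuration. The `Rule` and `User` structures, the network labels, the user records and the `audit` helper are all constructed for this example; a real firewall matches IP ranges, whereas here networks are opaque labels and "*" stands for "Any".

```python
from dataclasses import dataclass

# Constructed model of a VPN-1/FW-1 rulebase entry and an LDAP user record.
# Only the fields needed to show the sign-on behaviour are represented.


@dataclass(frozen=True)
class Rule:
    name: str
    source: frozenset          # networks the rule's Source column permits
    destination: frozenset     # networks the rule's Destination column permits
    auth: str                  # "client" (Client Authentication) or "user"
    required_sign_on: str = "standard"   # Client Auth only: "standard" or "specific"


@dataclass(frozen=True)
class User:
    name: str
    allowed_src: frozenset     # per-user allowed sources
    allowed_dst: frozenset     # per-user allowed destinations (LDAP fw1allowed-dst)


ANY = frozenset({"*"})        # "*" plays the role of the firewall's "Any"


def matches(permitted, network):
    """Label match only; a real gateway would compare address ranges."""
    return "*" in permitted or network in permitted


def destination_ignores_user_db(rule):
    """Standard sign-on under Client Auth sets Destination to "Ignore User Database"."""
    return rule.auth == "client" and rule.required_sign_on == "standard"


def is_allowed(rule, user, src, dst):
    """Would `user` connecting from `src` to `dst` be accepted by `rule`?"""
    # Source is intersected with the user database in every case described.
    if not (matches(rule.source, src) and matches(user.allowed_src, src)):
        return False
    if not matches(rule.destination, dst):
        return False
    if destination_ignores_user_db(rule):
        return True            # fw1allowed-dst is never consulted here
    return matches(user.allowed_dst, dst)


def overreach(rule, user):
    """Destinations `user` reaches through `rule` beyond their fw1allowed-dst."""
    if "*" in user.allowed_dst or not destination_ignores_user_db(rule):
        return frozenset()
    return rule.destination - user.allowed_dst


def audit(rulebase, users):
    """List (rule, user, extra destinations) where the attribute is bypassed."""
    findings = []
    for rule in rulebase:
        for user in users:
            extra = overreach(rule, user)
            if extra:
                findings.append((rule.name, user.name, extra))
    return findings


# Constructed sample data: one restricted LDAP user, three rule variants.
INTERNAL = frozenset({"10.1.0.0/16"})
DMZ, FINANCE, HR = "192.0.2.0/24", "10.2.0.0/24", "10.3.0.0/24"
SERVERS = frozenset({DMZ, FINANCE, HR})

alice = User("alice", allowed_src=ANY, allowed_dst=frozenset({DMZ}))
bob = User("bob", allowed_src=frozenset({"10.9.0.0/16"}), allowed_dst=ANY)

RULE_STANDARD = Rule("clientauth-standard", INTERNAL, SERVERS, "client", "standard")
RULE_SPECIFIC = Rule("clientauth-specific", INTERNAL, SERVERS, "client", "specific")
RULE_USERAUTH = Rule("userauth", INTERNAL, SERVERS, "user")
RULEBASE = [RULE_STANDARD, RULE_SPECIFIC, RULE_USERAUTH]

if __name__ == "__main__":
    for rule in RULEBASE:
        print(rule.name, "alice->finance:", is_allowed(rule, alice, "10.1.0.0/16", FINANCE))
    for name, user, extra in audit(RULEBASE, [alice, bob]):
        print(f"{name}: {user} gains {sorted(extra)} beyond fw1allowed-dst")
```

Running it shows alice reaching the finance network only through the "standard" Client Authentication rule, while bob, whose per-user source restriction does not cover the rule's source, is refused under every variant; the `audit` pass is the check to run over a rulebase before relying on fw1allowed-dst for destination control.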

- Vulnerability information

Check Point FireWall-1 LDAP fw1allowed-dst Access
Remote / Network Access Misconfiguration
Loss of Confidentiality
Exploit Public

- Vulnerability description

Check Point FireWall-1 was reported to have a flaw that allowed LDAP-authenticated users to access more resources than the firewall was intended to allow. A Client Authentication rule using "standard" sign-on apparently ignores the per-user "fw1allowed-dst" LDAP attribute and grants access to "any" destination permitted by the rule itself, rather than the intersection of the two. Check Point has responded that this is the desired behavior and working as intended.

- Timeline

1999-10-20 Unknown
Unknown Unknown

- Solution

At this time there are no known upgrades, patches, or workarounds available to correct this issue. No fix was issued because the vendor considers the behavior intended; per the Check Point response above, the per-user allowed-destinations attribute is enforced only when a Client Authentication rule uses "Specific" sign-on, or under User Authentication rules.

- References

- Credit