|Published: 1999-10-20 00:00:00|
|Revised: 2008-09-09 08:36:08|
[Original] Firewall-1 does not properly restrict access to LDAP attributes.
[CNNVD] Check Point FireWall-1 LDAP Authentication Vulnerability (CNNVD-199910-033)
- CVSS (base score)
- CPE (affected platforms and products)
- OVAL (technical details for detection)
(UNKNOWN) BUGTRAQ 19991020 Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication
(UNKNOWN) BID 725
(UNKNOWN) OSVDB 1117
|Check Point FireWall-1 LDAP Authentication Vulnerability|
|1999-10-20 00:00:00||2006-01-04 00:00:00|
Check Point Support
Resolution: After investigation, Check Point Software confirms this as the appropriate behavior with "standard" checked in "Required Sign On" field under "Client Authentication". In other words, when using "standard" sign-on, the "Destination" field under "Client Authentication" properties cannot be intersected with the user database property which defines user access to specific destinations. Accordingly, the "Destination" field is grayed out in the Client Authentication Action Properties. This information is documented on Page 534 of VPN-1/FW-1 Administration Guide where it is stated that under such circumstances, the "Destination" field is automatically set to "Ignore User Database" and that the user can access all destinations allowed by the rule. The VPN-1/FW-1 GUI can cause confusion because it simply grays out the value set in "Destination" field instead of setting it to "Ignore User Database". But internally, the "Destination" value is set to "Ignore User Database". The GUI will be amended in the subsequent release of VPN-1/FW-1 to make this more clear. It is important to note that the "Source" field can be intersected with user database even if standard sign-on is selected under Client Authentication.
Also, this behavior is independent of whether the user is defined in the VPN-1/FW-1 internal database or in an external LDAP-compliant directory server.
If one would like to enforce the "allowed-destinations" attribute (defined for each user) under Client Authentication Rule, the "Required Sign On" field must be set to "Specific", and an appropriate Sign-On Method should be selected.
This limitation does not exist under User Authentication Rules.
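The decision logic in the vendor response above, as an added example that is not Check Point's code: a small Python model of how a rule's Destination field and a user's allowed-destinations attribute (the LDAP "fw1allowed-dst") combine under each sign-on mode, plus an audit helper that flags Client Authentication rules whose standard sign-on silently ignores a restricted user's attribute. The rule names, user and addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    allowed_dst: frozenset  # fw1allowed-dst attribute; empty set = unrestricted


@dataclass
class Rule:
    name: str
    kind: str                 # "client" (Client Authentication) or "user" (User Authentication)
    destinations: frozenset   # rule's Destination field; {"any"} means everything
    sign_on: str = "specific"  # "standard" or "specific"; meaningful for Client Authentication only


def effective_destinations(rule: Rule, user: User) -> frozenset:
    """Destinations reachable through `rule` for `user`.

    Models the vendor statement: under Client Authentication with standard
    sign-on the Destination field is internally "Ignore User Database", so the
    user's allowed-destinations attribute is never intersected with the rule.
    """
    if rule.kind == "client" and rule.sign_on == "standard":
        return rule.destinations
    if not user.allowed_dst:
        return rule.destinations
    if rule.destinations == frozenset({"any"}):
        return user.allowed_dst
    return rule.destinations & user.allowed_dst


def is_allowed(rule: Rule, user: User, dst: str) -> bool:
    eff = effective_destinations(rule, user)
    return "any" in eff or dst in eff


def audit(rules, users):
    """(rule, user) pairs where a restricted user's attribute is silently ignored."""
    return [(r.name, u.name) for r in rules for u in users
            if r.kind == "client" and r.sign_on == "standard" and u.allowed_dst]


# Constructed sample policy and user (hypothetical, not from a real deployment).
ALICE = User("alice", frozenset({"10.0.0.5"}))
RULES = [
    Rule("ca-standard", "client", frozenset({"any"}), sign_on="standard"),
    Rule("ca-specific", "client", frozenset({"any"}), sign_on="specific"),
    Rule("ua", "user", frozenset({"any"})),
]

if __name__ == "__main__":
    for r in RULES:
        print(r.name, is_allowed(r, ALICE, "10.0.0.9"))
    print(audit(RULES, [ALICE]))
```

Only the standard sign-on Client Authentication rule lets alice reach a host outside her attribute; the audit lists exactly that rule.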
|Check Point FireWall-1 LDAP fw1allowed-dst Access|
|Remote / Network Access||Misconfiguration|
|Loss of Confidentiality|
|Check Point FireWall-1 was reported to have a flaw that allowed LDAP authenticated users to access more resources than the firewall was intended to allow. The issue is due to the "fw1allowed-dst" rule apparently ignoring the LDAP attribute and granting access to "any" instead. Check Point has responded that this is the desired behavior and working as intended.|
|At this time there are no known upgrades, patches, or workarounds available to correct this issue.|