Dr. Peter Bieringer
28/03/03, 02:20
Hi again,
now we have finished the investigation of FW-1 4.1 (SP6) with the following
result:
In our lab the syslog daemon of Check Point FW-1 4.1 didn't crash in case
of sending "/dev/urandom" via "nc", but this floods the log without any
rate limiting.
Also the syslog messages were not filtered.
Note also that improving the ruleset didn't help in cases where
trusted and untrusted nodes are sharing the same network, because in UDP
packets the sender IP address can be spoofed (successfully tested with
"sendip" against FW-1 4.1).
To avoid spoofing, only MAC based ACLs on gateways (if available) will help
or establishing a dedicated (V)LAN for trusted sources only.
We've updated our advisory once again:
http://www.aerasec.de/security/advisories/txt/checkpoint-fw1-ng-fp3-syslog-crash.txt
http://www.aerasec.de/security/advisories/checkpoint-fw1-ng-fp3-syslog-crash.html
Hope this helps,
Peter
--
Dr. Peter Bieringer Phone: +49-8102-895190
AERAsec Network Services and Security GmbH Fax: +49-8102-895199
Wagenberger Straße 1 Mobile: +49-174-9015046
D-85662 Hohenbrunn E-Mail: pbieringer@aerasec.de
Germany Internet: http://www.aerasec.de
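
Added example, not part of the original message or the AERAsec advisory: a receiver-side guard sketching the two controls the message reports as missing, rate limiting and message filtering. All class names and limits are assumptions; the global bucket is there because, as the message notes, spoofed UDP sender addresses defeat purely per-source limits.

```python
import time

class TokenBucket:
    """Allow `rate` events per second, with bursts of up to `burst`."""
    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def sanitize(payload, max_len=1024):
    """Truncate and replace non-printable bytes so random data cannot garble the log."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload[:max_len])

class SyslogGuard:
    """Per-source and global limits; the global one still holds if sources are spoofed."""
    OVERFLOW = "*overflow*"  # shared bucket once the source table is full

    def __init__(self, per_src_rate=5, per_src_burst=10,
                 global_rate=50, global_burst=100, max_sources=1024):
        self.per_src = {}
        self.per_src_rate, self.per_src_burst = per_src_rate, per_src_burst
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.max_sources = max_sources
        self.dropped = 0

    def accept(self, src_ip, payload, now=None):
        """Return the sanitized message, or None if it was rate limited."""
        now = time.monotonic() if now is None else now
        # Bound the table: many spoofed addresses must not exhaust memory.
        known = src_ip in self.per_src or len(self.per_src) < self.max_sources
        key = src_ip if known else self.OVERFLOW
        bucket = self.per_src.get(key)
        if bucket is None:
            bucket = self.per_src[key] = TokenBucket(
                self.per_src_rate, self.per_src_burst, now)
        if not (bucket.allow(now) and self.global_bucket.allow(now)):
            self.dropped += 1
            return None
        return sanitize(payload)
```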