Vulnerability Note VU#310295

Check Point RDP Bypass Vulnerability

Original Release date: 09 Jul 2001 | Last revised: 09 Apr 2003

Overview

Check Point VPN-1/FireWall-1 versions 4.0 and 4.1 may allow an intruder to pass traffic through the firewall on port 259.

Description

FireWall-1 and VPN-1 include support for RDP but do not provide adequate security controls for RDP data. By adding a faked RDP header to typical UDP traffic, any content can be passed to port 259 on any host on either side of the device.

Impact

An attacker who exploits this vulnerability can build a tunnel to bypass the firewall and pass traffic to and from arbitrary hosts on either side of the firewall on port 259.
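
A defender-side check for the tunnel described above, as an added example that is not part of the original note: it scans flow records for UDP traffic on port 259 where an endpoint is not a known firewall module, and reports whether each host pair was seen in one or both directions. The log format, the sample records, the function names and the `firewall_modules` allow-list (the idea that only listed modules should exchange port 259 traffic) are assumptions made for illustration.

```python
from collections import defaultdict

RDP_PORT = 259  # port named in this note

# Constructed sample flow records (assumed format): "time proto src:sport dst:dport"
SAMPLE_FLOWS = """\
2001-07-09T10:00:01 udp 192.0.2.10:259 198.51.100.1:259
2001-07-09T10:00:05 udp 203.0.113.7:40112 10.1.1.25:259
2001-07-09T10:00:06 udp 10.1.1.25:259 203.0.113.7:40112
2001-07-09T10:00:09 tcp 203.0.113.7:40113 10.1.1.25:259
2001-07-09T10:00:12 udp 203.0.113.9:5353 10.1.1.30:53
2001-07-09T10:00:15 udp 203.0.113.8:31000 10.1.1.40:259
malformed line
"""

def parse_flow(line):
    """Parse one record into (proto, src_ip, src_port, dst_ip, dst_port), or None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, proto, src, dst = parts
    try:
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        return proto.lower(), sip, int(sport), dip, int(dport)
    except ValueError:
        return None

def suspicious_port259(flows_text, firewall_modules):
    """Map each host pair with unexpected UDP/259 traffic to 'one-way' or 'two-way'."""
    directions = defaultdict(set)
    for line in flows_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip records that do not parse
        proto, sip, sport, dip, dport = rec
        if proto != "udp" or RDP_PORT not in (sport, dport):
            continue
        # Assumption: port 259 traffic is expected only between listed modules.
        if sip in firewall_modules and dip in firewall_modules:
            continue
        directions[tuple(sorted((sip, dip)))].add((sip, dip))
    return {p: "two-way" if len(d) == 2 else "one-way" for p, d in directions.items()}

if __name__ == "__main__":
    for pair, kind in suspicious_port259(SAMPLE_FLOWS, {"192.0.2.10", "198.51.100.1"}).items():
        print(pair, kind)
```

A two-way result means port 259 traffic was seen in both directions between the same pair of hosts, which matches the "to and from" tunnel behaviour described under Impact.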

Solution

Apply the patch from the vendor.

Systems Affected

Vendor       Status    Date Notified  Date Updated
Check Point  Affected  11 Jun 2001    09 Jul 2001

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

The vulnerability was discovered by Jochen Bauer <jtb@inside-security.de> and Boris Wesslowski <bw@inside-security.de> of Inside Security GmbH, Stuttgart, Germany.

This document was written by Ian A. Finlay.

Other Information

  • CVE IDs: CVE-2001-1158
  • CERT Advisory: CA-2001-17
  • Date Public: 09 Jul 2001
  • Date First Published: 09 Jul 2001
  • Date Last Updated: 09 Apr 2003
  • Severity Metric: 51.30
  • Document Revision: 57
