Check Point Information for VU#150227

HTTP proxy default configurations allow arbitrary TCP connections

Status

Not Affected

Vendor Statement

The most recent versions of VPN-1/FireWall-1, versions NG FP2 and 4.1 SP6, are in no way vulnerable to the HTTP Connect vulnerability described below. In addition, even in previous versions, Check Point's products did not allow "arbitrary connections"; in fact, no connections were possible unless an explicit rule existed in the rule base allowing a specific connection from the original source IP to the eventual destination IP. No escalation of privilege was granted. No bypass of HTTP content or anti-virus scanning was possible.

The only exposure, per se, was that the outbound connection from the firewall would have the firewall's source IP address when seen by the eventual target.

The simple workaround for this issue, in older product versions, was to simply have a rule on the firewall which blocks connections which come from an external IP address and are destined to an external IP address. Since connections established by the HTTP Connect method must still be validated by the rulebase, this solution (a good idea, in any case) would prevent an external hacker from "bouncing" connections through the firewall to another external system. New versions of VPN-1/FireWall-1 offer the administrator more granular control over the use of HTTP Connect.

Check Point's posted response to this issue as originally published is available at http://www.checkpoint.com/techsupport/alerts/http_connect.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

In a message posted to bugtraq (BID 4131), Volker Tanger reports that this vulnerability could allow an arbitrary TCP connection to be made through FireWall-1 4.1 SP5. Based on further public discussion and information from Check Point, it seems that while the FireWall-1 HTTP proxy service may allow arbitrary HTTP CONNECT method connections, such connections are denied unless explicitly permitted in the firewall rule base.
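To make the two points above concrete, namely that a CONNECT request through the firewall's HTTP proxy is still subject to the rule base (implicit drop when no rule matches) and that the workaround is an explicit external-to-external drop rule, here is an added example in Python. It is not Check Point's code or configuration; the internal address ranges, the rule model, the resolver table and the sample client addresses are all constructed for the example.

```python
"""Added example (not Check Point's code): a minimal model of how an HTTP
CONNECT request through a proxying firewall is checked against a rule base,
including the external-to-external drop rule given as the workaround."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumption: these are the networks behind the firewall (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Request line of the CONNECT method: "CONNECT host:port HTTP/1.x"
CONNECT_RE = re.compile(r"^CONNECT\s+([^\s:]+):(\d{1,5})\s+HTTP/1\.[01]\s*$")


def parse_connect(request_line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    host, port = m.group(1), int(m.group(2))
    if not 1 <= port <= 65535:
        return None
    return host, port


def zone(ip: str) -> str:
    """Classify an address as 'internal' or 'external' relative to the firewall."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


@dataclass(frozen=True)
class Rule:
    src: str            # "internal", "external" or "any"
    dst: str            # "internal", "external" or "any"
    port: Optional[int]  # None means any destination port
    action: str         # "accept" or "drop"


def decide(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule wins; nothing matching means an implicit drop,
    i.e. no connection unless an explicit rule permits it."""
    sz, dz = zone(src_ip), zone(dst_ip)
    for r in rules:
        if r.src in (sz, "any") and r.dst in (dz, "any") and r.port in (None, dst_port):
            return r.action
    return "drop"


def check_connect(rules: List[Rule], client_ip: str, request_line: str,
                  resolve: Callable[[str], Optional[str]]) -> str:
    """Evaluate a CONNECT request: parse it, resolve the target host (the
    resolver is passed in so the example runs offline), consult the rules."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return "reject: malformed CONNECT"
    host, port = parsed
    dst_ip = resolve(host)
    if dst_ip is None:
        return "reject: unresolvable host"
    return decide(rules, client_ip, dst_ip, port)


# Workaround from the vendor statement: an explicit rule dropping anything
# that arrives from an external address and is bound for an external address,
# placed before the ordinary outbound rule for internal clients.
WORKAROUND_RULES = [
    Rule("external", "external", None, "drop"),
    Rule("internal", "external", 443, "accept"),
]

# An over-broad rule base for contrast: "anyone may reach external :443".
# This is the shape of configuration under which a bounced connection would
# be accepted (and would carry the firewall's own source address onward).
PERMISSIVE_RULES = [
    Rule("any", "external", 443, "accept"),
]

# Constructed resolver table so the example needs no DNS.
FAKE_DNS = {"www.example.net": "203.0.113.25", "intranet.example": "10.1.2.3"}


if __name__ == "__main__":
    for client in ("10.0.0.5", "198.51.100.7"):
        line = "CONNECT www.example.net:443 HTTP/1.1"
        print(client, "->", check_connect(WORKAROUND_RULES, client, line, FAKE_DNS.get),
              "(workaround) /", check_connect(PERMISSIVE_RULES, client, line, FAKE_DNS.get),
              "(permissive)")
```

The rule model is deliberately reduced to zones, a port and an action; a real rule base matches on concrete source and destination objects, which is what the vendor statement means by "an explicit rule ... from the original source IP to the eventual destination IP". The ordering matters: the external-to-external drop sits first so that it is evaluated before any broader accept rule.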

If you have feedback, comments, or additional information about this vulnerability, please send us email.