A vulnerability in Check Point VPN-1/FireWall-1 running on Nokia IPXXX Appliances can allow an attacker to pass traffic allowed by the security policy through the firewall while retaining the external (untranslated) destination IP address.
Nokia IPXXX Appliances are security devices meant to perform a variety of functions such as Network Address Translation (NAT). NAT provides a way to hide the IP addresses of a private network from the Internet while still allowing computers on that network to access the Internet. NAT can be used in many different ways, but one method frequently used is called "masquerading". Using NAT masquerading, one or more devices on a LAN can be made to appear as a single IP address to the outside Internet. In Check Point VPN-1/FireWall-1, this is referred to as "NAT Hide." This allows for multiple computers in a network to connect to the Internet without requiring the ISP to provide more than one IP address to the organization.

Under certain conditions, Nokia Appliances will pass packets which are accepted by the security policy defined in the VPN-1/FireWall-1 rule base without rewriting the destination IP address on the packet. This occurs on a small percentage of packets (only the third packet of a TCP three-way handshake) and only if SYN Defender is configured in Active Gateway mode. Specifically, the appliance will pass a correctly translated packet to the locally attached subnet (locally meaning that the internal appliance interface and destination host are in the same collision domain), then retransmit the packet with the original, untranslated IP address. Inspection of the packet on the internal side of the appliance interface will reveal that the destination header of the packet contains the outside interface address and not the internal NAT'd address.
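As an added example (not from the advisory, Check Point or Nokia), the following Python check walks a capture taken on the internal appliance interface and flags inbound packets that still carry the outside interface address in the destination field, noting when such a packet duplicates a correctly translated handshake ACK for the same flow. The addresses, interface names and sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for this example (RFC 5737 ranges), not from the advisory.
EXTERNAL_IF = ip_address("203.0.113.1")      # outside interface; the NAT Hide address
INTERNAL_NET = ip_network("192.168.1.0/24")  # hosts behind NAT Hide
INTERNAL_IF = "eth1"                         # capture point: the internal appliance interface

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet was captured on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as tcpdump prints them: "S" SYN, "S." SYN-ACK, "." ACK

def find_untranslated_inbound(packets):
    """Flag inbound packets that reach the internal interface still addressed to
    the outside interface. NAT Hide must rewrite the destination of every inbound
    packet before it crosses that interface, so any such packet is the symptom the
    advisory describes. Each finding is (src, sport, dport, flags, translated_ack_seen);
    the last field is True when a correctly rewritten ACK for the same flow was
    already observed, i.e. the duplicated third-handshake-packet case."""
    translated_acks = set()   # flows whose handshake ACK arrived correctly NAT'd
    findings = []
    for p in packets:
        if p.iface != INTERNAL_IF or ip_address(p.src) in INTERNAL_NET:
            continue   # only inbound traffic on the internal side is of interest
        flow = (p.src, p.sport, p.dport)
        if ip_address(p.dst) == EXTERNAL_IF:
            findings.append((*flow, p.flags, flow in translated_acks))
        elif p.flags == ".":
            translated_acks.add(flow)
    return findings

# Constructed capture: one inbound connection whose handshake ACK is forwarded
# twice, once translated and once with the outside address left in place.
SAMPLE_CAPTURE = [
    Packet("eth1", "198.51.100.7", 40000, "192.168.1.10", 80, "S"),
    Packet("eth1", "192.168.1.10", 80, "198.51.100.7", 40000, "S."),
    Packet("eth1", "198.51.100.7", 40000, "192.168.1.10", 80, "."),   # translated ACK
    Packet("eth1", "198.51.100.7", 40000, "203.0.113.1", 80, "."),    # untranslated duplicate
    Packet("eth0", "198.51.100.7", 40001, "203.0.113.1", 80, "S"),    # outside interface: expected
    Packet("eth1", "192.168.1.20", 51000, "203.0.113.1", 443, "."),   # internal host, ignored
]

if __name__ == "__main__":
    for src, sport, dport, flags, dup in find_untranslated_inbound(SAMPLE_CAPTURE):
        print(f"{src}:{sport} -> {EXTERNAL_IF}:{dport} flags={flags} "
              f"{'duplicate of translated handshake ACK' if dup else 'no translated ACK seen'}")
```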
Nokia Firewall Appliances running the following software
The impact of this vulnerability is that an attacker can pass valid data which is allowed by the rule base through your firewall with the external IP address preserved in the destination field of the packet. Note that the standard IP spoofing protection afforded by the gateway still applies, so it is not possible to use this issue in conjunction with an attack based on a spoofed internal IP address. Note also that an attacker would not be able to directly address hosts behind the firewall.
Check Point and Nokia are working jointly to resolve this issue, and further information will be posted when available. The issue will be corrected
The CERT/CC thanks Steve Rogers
This document was written by Ian A. Finlay
Date First Published: 2001-10-08
Date Last Updated: 2001-10-08 13:25 UTC