ID
VAR-199907-0025
CVE
CVE-1999-0770
TITLE
Firewall-1 Denial of service vulnerability
Trust: 0.6
DESCRIPTION
Firewall-1 sets a long timeout for connections that begin with ACK or other packets except SYN, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems. A denial of service condition exists in some implementations of Firewall-1 by Checkpoint Software. This denial of service attack is possible due to the way Firewall-1 handles TCP connections. Typically to initiate a TCP connection, a SYN packet is sent to the destination host. On systems where Firewall-1 is installed, this packet is first passed through an internal stack maintained by the Firewall before it is passed onto the operating system's native stack. When Firewall-1 filters this packet, it checks it against the rule base. If the session is allowed where it's rulebase is concerned, it is added to the connections table with a timeout of 60 seconds. When the remote host responds with an ACK (Acknowledge) packet, the session is bumped up to a 3600 second timeout. However, if you initiate a connection with an ACK packet, Firewall-1 compares it against the rule base, if allowed it is added to the connections table. However, the timeout is set to 3600 seconds and does not care if a remote system responds. You now have a session with a 1 hour timeout, even though no system responded. If this is done with a large amount of ACK packets, it will result in a full connections table. This results in your Firewall-1 refusing subsequent connections from any source effectively rendering the Firewall-1 useless in a 'failed closed' state
Trust: 1.26
AFFECTED PRODUCTS
| vendor: | checkpoint | model: | firewall-1 | scope: | eq | version: | 4.0 | Trust: 1.6 |
| vendor: | checkpoint | model: | firewall-1 | scope: | eq | version: | 3.0 | Trust: 1.6 |
| vendor: | check | model: | point software firewall-1 | scope: | eq | version: | 4.0 | Trust: 0.3 |
| vendor: | check | model: | point software firewall-1 | scope: | eq | version: | 3.0 | Trust: 0.3 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | NVD-CWE-Other | Trust: 1.0 |
THREAT TYPE
local
Trust: 0.6
TYPE
unknown
Trust: 0.6
EXPLOIT AVAILABILITY
EXTERNAL IDS
| db: | BID | id: | 549 | Trust: 2.0 |
| db: | NVD | id: | CVE-1999-0770 | Trust: 1.7 |
| db: | OSVDB | id: | 1027 | Trust: 1.7 |
| db: | CNNVD | id: | CNNVD-199907-034 | Trust: 0.7 |
| db: | EXPLOIT-DB | id: | 19436 | Trust: 0.1 |
| db: | VULHUB | id: | VHN-751 | Trust: 0.1 |
REFERENCES
| url: | http://www.securityfocus.com/bid/549 | Trust: 1.7 |
| url: | http://www.osvdb.org/1027 | Trust: 1.7 |
| url: | http://www.enteract.com/~lspitz/fwtable.html | Trust: 0.3 |
| url: | http://www.phoneboy.com/fw1/faq/0289.html | Trust: 0.3 |
| url: | - | Trust: 0.1 |
CREDITS
This problem was discovered and documented by Lance Spitzner <lance@spitzner.net>. This discovery was posted by Lance to the Bugtraq mailing list on Thu, 29 Jul 1999. Both the discussion and exploit section of this Vulnerability were almost wholly derived
Trust: 0.3
SOURCES
| db: | VULHUB | id: | VHN-751 |
| db: | BID | id: | 549 |
| db: | CNNVD | id: | CNNVD-199907-034 |
| db: | NVD | id: | CVE-1999-0770 |
LAST UPDATE DATE
2024-08-14T14:29:41.221000+00:00
SOURCES UPDATE DATE
| db: | VULHUB | id: | VHN-751 | date: | 2008-09-09T00:00:00 |
| db: | BID | id: | 549 | date: | 1999-07-29T00:00:00 |
| db: | CNNVD | id: | CNNVD-199907-034 | date: | 2005-05-02T00:00:00 |
| db: | NVD | id: | CVE-1999-0770 | date: | 2008-09-09T12:35:21.680 |
SOURCES RELEASE DATE
| db: | VULHUB | id: | VHN-751 | date: | 1999-07-29T00:00:00 |
| db: | BID | id: | 549 | date: | 1999-07-29T00:00:00 |
| db: | CNNVD | id: | CNNVD-199907-034 | date: | 1999-07-29T00:00:00 |
| db: | NVD | id: | CVE-1999-0770 | date: | 1999-07-29T04:00:00 |