ID

VAR-199910-0020


CVE

CVE-1999-0895


TITLE

Check Point Firewall - 1 LDAP Verification vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-199910-033

DESCRIPTION

Firewall-1 does not properly restrict access to LDAP attributes. With FireWall-1 Version 4.0 Checkpoint introduced support for the Lightweight Directory Access Protocol (LDAP) for user authentication. It looks like there's a bug in Checkpoint's ldap code which under certain circumstances can lead to unauthorized access to protected systems behind the firewall. A user can authenticate himself at the firewall providing a valid username and password. The firewall acts as a ldap client, validating the credentials by a directory server using the ldap protocol. After successful authentication access will be granted to systems protected by the firewall. In contrast to authentication using the Radius or SecurID protocol, after successful authentication the directory server can supply the firewall with additional ldap attributes for the user like the time and day of a week a user is allowed to login, the source addresses a user can run a client from, or the system behind the firewall a user is allowed to access. This can be done individual for each user. In general I think that's a great idea but it seems Checkpoint made something wrong interpreting the ldap attribute 'fw1allowed-dst' which is supposed to control in detail which protected network object a user can access. It seems this attribute is ignored by the firewall software, granting access to all protected network objects instead. Example: ------ Server 'Foo' | Internet --- FW-1 ---| | ------ Server 'Bar' Supposed there's a user 'Sid' with access only to Server 'Foo', and a second user 'Nancy' with access restricted to Server 'Bar', both controlled by the ldap protocol, using the ldap attribute 'fw1allowed-dst'. The bug will cause that both, Sid and Nancy, will have access to Foo and to Bar. [Quoted from the post by Olaf Selke with permission]

Trust: 1.26

sources: NVD: CVE-1999-0895 // BID: 725 // VULHUB: VHN-876

AFFECTED PRODUCTS

vendor:checkpointmodel:firewall-1scope:eqversion:4.0

Trust: 1.6

vendor:checkmodel:point software firewall-1scope:eqversion:4.0

Trust: 0.3

vendor:checkmodel:point software firewall-1scope:neversion:3.0

Trust: 0.3

sources: BID: 725 // CNNVD: CNNVD-199910-033 // NVD: CVE-1999-0895

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-1999-0895
value: HIGH

Trust: 1.0

CNNVD: CNNVD-199910-033
value: HIGH

Trust: 0.6

VULHUB: VHN-876
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-1999-0895
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-876
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-876 // CNNVD: CNNVD-199910-033 // NVD: CVE-1999-0895

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-1999-0895

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-199910-033

TYPE

access verification error

Trust: 0.6

sources: CNNVD: CNNVD-199910-033

EXTERNAL IDS

db:BIDid:725

Trust: 2.0

db:NVDid:CVE-1999-0895

Trust: 1.7

db:OSVDBid:1117

Trust: 1.7

db:CNNVDid:CNNVD-199910-033

Trust: 0.7

db:BUGTRAQid:19991020 CHECKPOINT FIREWALL-1 V4.0: POSSIBLE BUG IN LDAP AUTHENTICATION

Trust: 0.6

db:VULHUBid:VHN-876

Trust: 0.1

sources: VULHUB: VHN-876 // BID: 725 // CNNVD: CNNVD-199910-033 // NVD: CVE-1999-0895

REFERENCES

url:http://www.securityfocus.com/bid/725

Trust: 2.7

url:http://www.osvdb.org/1117

Trust: 2.7

url:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991020150002.21047.qmail%40tarjan.mediaways.net

Trust: 2.0

url:http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991020150002.21047.qmail@tarjan.mediaways.net

Trust: 0.7

url:http://www.checkpoint.com/techsupport/

Trust: 0.3

url:http://www.enteract.com/~lspitz/fwtable.html

Trust: 0.3

url: -

Trust: 0.1

sources: VULHUB: VHN-876 // BID: 725 // CNNVD: CNNVD-199910-033 // NVD: CVE-1999-0895

CREDITS

This vulnerability was posted to the Bugtraq mailing list by Olaf Selke <olaf.selke@mediaways.net> on Wed, 20 Oct 1999.

Trust: 0.9

sources: BID: 725 // CNNVD: CNNVD-199910-033

SOURCES

db:VULHUBid:VHN-876
db:BIDid:725
db:CNNVDid:CNNVD-199910-033
db:NVDid:CVE-1999-0895

LAST UPDATE DATE

2024-11-22T23:15:30.205000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-876date:2008-09-09T00:00:00
db:BIDid:725date:1999-10-20T00:00:00
db:CNNVDid:CNNVD-199910-033date:2006-01-04T00:00:00
db:NVDid:CVE-1999-0895date:2024-11-20T23:29:47.593

SOURCES RELEASE DATE

db:VULHUBid:VHN-876date:1999-10-20T00:00:00
db:BIDid:725date:1999-10-20T00:00:00
db:CNNVDid:CNNVD-199910-033date:1999-10-20T00:00:00
db:NVDid:CVE-1999-0895date:1999-10-20T04:00:00