ID

VAR-200310-0057


CVE

CVE-2003-0757


TITLE

Check Point Firewall-1 SecuRemote Internal Interface Address Information Disclosure Vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200310-068

DESCRIPTION

Check Point FireWall-1 4.0 and 4.1 before SP5 allows remote attackers to obtain the IP addresses of internal interfaces via certain SecuRemote requests to TCP ports 256 or 264, which leaks the IP addresses in a reply packet.

An information leakage issue has been discovered in Check Point Firewall-1. Because of this, an attacker may gain sensitive information about network resources.

Check Point FireWall-1 4.0 and 4.1 (prior to SP5) include SecuRemote which allows mobile users to connect to the internal network using encrypted and authenticated sessions.

Connect to TCP port 256 of Firewall-1 version 4.0 and 4.1 via telnet, and enter the following characters:

aa<CR>
aa<CR>

The IP address of the firewall will be returned in binary form.

In addition, when using SecuRemote to connect to the TCP port 264 of the firewall, if you use a packet sniffer to intercept the data transmission, you can see the IP address information similar to the following:

15:45:44.029883 192.168.1.1.264 > 10.0.0.1.1038: P 5: 21(16) ack 17 win 8744 (DF)
0x0000 4500 0038 a250 4000 6e06 5b5a ca4d b102 E..8.P@.n.[ZM.
0x0010 5102 42c3 0108 040e 1769 fb25 cdc0....8a .i.\%...6
0x0020 5018 2228 fa32 0000 0000 000c c0a8 0101 P."(.2.......M..
0x0030 c0a8 0a01 c0a8 0e01 ........

c0a8 0101 = 192.168.1.1
c0a8 0a01 = 192.168.10.1
c0a8 0e01 = 192.168.14.1

Trust: 1.26

sources: NVD: CVE-2003-0757 // BID: 8524 // VULHUB: VHN-7582

AFFECTED PRODUCTS

vendor: checkpoint | model: firewall-1 | scope: eq | version: 4.0

Trust: 1.6

vendor: checkpoint | model: firewall-1 | scope: eq | version: 4.1

Trust: 1.6

vendor: check | model: point software firewall-1 sp4 | scope: eq | version: 4.1

Trust: 0.3

vendor: check | model: point software firewall-1 sp3 | scope: eq | version: 4.1

Trust: 0.3

vendor: check | model: point software firewall-1 sp2 | scope: eq | version: 4.1

Trust: 0.3

vendor: check | model: point software firewall-1 sp1 | scope: eq | version: 4.1

Trust: 0.3

vendor: check | model: point software firewall-1 | scope: eq | version: 4.1

Trust: 0.3

vendor: check | model: point software firewall-1 sp8 | scope: eq | version: 4.0

Trust: 0.3

vendor: check | model: point software firewall-1 sp7 | scope: eq | version: 4.0

Trust: 0.3

vendor: check | model: point software firewall-1 sp6 | scope: eq | version: 4.0

Trust: 0.3

vendor: check | model: point software firewall-1 sp5 | scope: eq | version: 4.0

Trust: 0.3

vendor: check | model: point software firewall-1 sp4 | scope: eq | version: 4.0

Trust: 0.3

vendor: check | model: point software firewall-1 sp3 | scope: eq | version: 4.0

Trust: 0.3

vendor: check | model: point software firewall-1 sp2 | scope: eq | version: 4.0

Trust: 0.3

vendor: check | model: point software firewall-1 sp1 | scope: eq | version: 4.0

Trust: 0.3

vendor: check | model: point software firewall-1 | scope: eq | version: 4.0

Trust: 0.3

sources: BID: 8524 // CNNVD: CNNVD-200310-068 // NVD: CVE-2003-0757

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2003-0757
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-200310-068
value: MEDIUM

Trust: 0.6

VULHUB: VHN-7582
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2003-0757
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-7582
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-7582 // CNNVD: CNNVD-200310-068 // NVD: CVE-2003-0757

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2003-0757

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200310-068

TYPE

Design Error

Trust: 0.9

sources: BID: 8524 // CNNVD: CNNVD-200310-068

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-7582

EXTERNAL IDS

db: NVD | id: CVE-2003-0757

Trust: 2.0

db: CNNVD | id: CNNVD-200310-068

Trust: 0.7

db: BUGTRAQ | id: 20030902 IRM 007: THE IP ADDRESSES OF CHECK POINT FIREWALL-1 INTERNAL INTERFACES MAY BE ENUMERATED USING SECUREMOTE

Trust: 0.6

db: BID | id: 8524

Trust: 0.4

db: EXPLOIT-DB | id: 23087

Trust: 0.1

db: SEEBUG | id: SSVID-76867

Trust: 0.1

db: VULHUB | id: VHN-7582

Trust: 0.1

Trust: 0.1

sources: VULHUB: VHN-7582 // BID: 8524 // CNNVD: CNNVD-200310-068 // NVD: CVE-2003-0757

REFERENCES

url:http://archives.neohapsis.com/archives/bugtraq/2003-09/0018.html

Trust: 1.7

url:http://www.checkpoint.com/techsupport/

Trust: 0.3

url:/archive/1/335808

Trust: 0.3

sources: VULHUB: VHN-7582 // BID: 8524 // CNNVD: CNNVD-200310-068 // NVD: CVE-2003-0757

CREDITS

Jim Becher (advisories.irmplc@com)

Trust: 0.6

sources: CNNVD: CNNVD-200310-068

SOURCES

db: VULHUB | id: VHN-7582
db: BID | id: 8524
db: CNNVD | id: CNNVD-200310-068
db: NVD | id: CVE-2003-0757

LAST UPDATE DATE

2024-08-14T14:42:22.487000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-7582 | date: 2008-09-05T00:00:00
db: BID | id: 8524 | date: 2009-07-11T23:56:00
db: CNNVD | id: CNNVD-200310-068 | date: 2005-10-20T00:00:00
db: NVD | id: CVE-2003-0757 | date: 2008-09-05T20:35:10.467

SOURCES RELEASE DATE

db: VULHUB | id: VHN-7582 | date: 2003-10-20T00:00:00
db: BID | id: 8524 | date: 2001-07-17T00:00:00
db: CNNVD | id: CNNVD-200310-068 | date: 2003-09-02T00:00:00
db: NVD | id: CVE-2003-0757 | date: 2003-10-20T04:00:00