ID

VAR-200803-0443


CVE

CVE-2008-1397


TITLE

Check Point VPN-1 information disclosure vulnerability

Trust: 0.8

sources: CERT/CC: VU#992585

DESCRIPTION

Check Point VPN-1 Power/UTM, with NGX R60 through R65 and NG AI R55 software, allows remote authenticated users to cause a denial of service (site-to-site VPN tunnel outage), and possibly intercept network traffic, by configuring the local RFC1918 IP address to be the same as one of this tunnel's endpoint RFC1918 IP addresses, and then using SecuRemote to connect to a network interface at the other endpoint.

The Check Point VPN-1 firewall contains an information disclosure vulnerability that may allow an authenticated attacker to access data that they are not authorized to access.

The issue occurs because the application fails to adequately handle IP address collisions. Attackers can exploit this issue to break site-to-site VPN connectivity between a VPN-1 gateway and a third party, denying access to legitimate users. If SecuRemote back-connections are enabled, the attacker can leverage this issue to re-route site-to-site VPN traffic from the VPN gateway to their SecuRemote client. Under certain conditions, this will cause data that was destined for the third party to be sent to the attacker's client instead. This could contain sensitive information that would aid in further attacks.

----------------------------------------------------------------------

TITLE: CheckPoint VPN-1 IP Address Collision Security Issue
SECUNIA ADVISORY ID: SA29394
VERIFY ADVISORY: http://secunia.com/advisories/29394/
CRITICAL: Less critical
IMPACT: Exposure of sensitive information, DoS
WHERE: From local network
SOFTWARE:
Check Point VPN-1/FireWall-1 NG with Application Intelligence (AI) http://secunia.com/product/2542/
Check Point VPN-1 UTM NGX http://secunia.com/product/13346/
Check Point VPN-1 Power NGX http://secunia.com/product/13348/
DESCRIPTION: Robert Mitchell has reported a security issue in CheckPoint VPN-1, which can lead to a DoS (Denial of Service) or disclosure of sensitive information.
SOLUTION: The vendor has issued hotfixes to resolve the issue (see vendor advisory for details).
PROVIDED AND/OR DISCOVERED BY: Robert Mitchell
ORIGINAL ADVISORY:
CheckPoint: https://secureknowledge.checkpoint.com/SecureKnowledge/login.do?OriginalAction=solution&id=sk34579
http://updates.checkpoint.com/fileserver/ID/8141/FILE/VPN-1_NGX_R65_HFA02_Supplement3.pdf
Robert Mitchell: http://puresecurity.com.au/index.php?action=fullnews&id=5

Trust: 2.79

sources: NVD: CVE-2008-1397 // CERT/CC: VU#992585 // JVNDB: JVNDB-2008-001182 // BID: 28299 // VULHUB: VHN-31522 // PACKETSTORM: 64674

AFFECTED PRODUCTS

vendor: checkpoint, model: vpn-1, scope: eq, version: ngx_r60

Trust: 1.6

vendor: checkpoint, model: vpn-1 power utm with ngx, scope: eq, version: r65

Trust: 1.6

vendor: checkpoint, model: check point vpn-1 pro, scope: eq, version: ngx_r62_ga

Trust: 1.6

vendor: checkpoint, model: vpn-1 firewall-1, scope: eq, version: ng_ai_r55

Trust: 1.6

vendor: checkpoint, model: vpn-1 power utm, scope: eq, version: ngx_r65_with_messaging_security

Trust: 1.6

vendor: checkpoint, model: check point vpn-1 pro, scope: eq, version: ngx_r61

Trust: 1.6

vendor: check point, model: -, scope: -, version: -

Trust: 0.8

vendor: check point, model: vpn-1 power/utm, scope: eq, version: ng ai r55

Trust: 0.8

vendor: check point, model: vpn-1 power/utm, scope: eq, version: ngx r60

Trust: 0.8

vendor: check point, model: vpn-1 power/utm, scope: eq, version: ngx r61

Trust: 0.8

vendor: check point, model: vpn-1 power/utm, scope: eq, version: ngx r62

Trust: 0.8

vendor: check, model: point software vpn-1 power/utm ngx r65, scope: -, version: -

Trust: 0.3

vendor: check, model: point software vpn-1 power/utm ngx r62, scope: -, version: -

Trust: 0.3

vendor: check, model: point software vpn-1 power/utm ngx r61, scope: -, version: -

Trust: 0.3

vendor: check, model: point software vpn-1 power/utm ngx r60, scope: -, version: -

Trust: 0.3

sources: CERT/CC: VU#992585 // BID: 28299 // JVNDB: JVNDB-2008-001182 // CNNVD: CNNVD-200803-328 // NVD: CVE-2008-1397

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-1397
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#992585
value: 2.36

Trust: 0.8

NVD: CVE-2008-1397
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200803-328
value: MEDIUM

Trust: 0.6

VULHUB: VHN-31522
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2008-1397
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-31522
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#992585 // VULHUB: VHN-31522 // JVNDB: JVNDB-2008-001182 // CNNVD: CNNVD-200803-328 // NVD: CVE-2008-1397

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-31522 // JVNDB: JVNDB-2008-001182 // NVD: CVE-2008-1397

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200803-328

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-200803-328

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-001182

PATCH

title: sk34579, url: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk34579

Trust: 0.8

sources: JVNDB: JVNDB-2008-001182

EXTERNAL IDS

db: CERT/CC, id: VU#992585

Trust: 3.6

db: NVD, id: CVE-2008-1397

Trust: 2.8

db: BID, id: 28299

Trust: 2.8

db: SECUNIA, id: 29394

Trust: 2.6

db: SECTRACK, id: 1019666

Trust: 2.5

db: VUPEN, id: ADV-2008-0953

Trust: 1.7

db: XF, id: 41260

Trust: 1.4

db: JVNDB, id: JVNDB-2008-001182

Trust: 0.8

db: CNNVD, id: CNNVD-200803-328

Trust: 0.7

db: XF, id: 1

Trust: 0.6

db: VULHUB, id: VHN-31522

Trust: 0.1

db: PACKETSTORM, id: 64674

Trust: 0.1

sources: CERT/CC: VU#992585 // VULHUB: VHN-31522 // BID: 28299 // JVNDB: JVNDB-2008-001182 // PACKETSTORM: 64674 // CNNVD: CNNVD-200803-328 // NVD: CVE-2008-1397

REFERENCES

url:http://www.puresecurity.com.au/files/puresecurity%20vpn-1%20dos_spoofing%20attack%20against%20vpn%20tunnels.pdf

Trust: 2.8

url:http://www.kb.cert.org/vuls/id/992585

Trust: 2.8

url:http://www.securityfocus.com/bid/28299

Trust: 2.5

url:http://www.securitytracker.com/id?1019666

Trust: 2.5

url:https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk34579

Trust: 1.7

url:http://secunia.com/advisories/29394

Trust: 1.7

url:http://puresecurity.com.au/index.php?action=fullnews&id=5

Trust: 1.7

url:http://xforce.iss.net/xforce/xfdb/41260

Trust: 1.4

url:http://www.vupen.com/english/advisories/2008/0953/references

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/41260

Trust: 1.1

url:http://secunia.com/advisories/29394/

Trust: 0.9

url:https://supportcenter.checkpoint.com/supportcenter/portal?eventsubmit_dogoviewsolutiondetails=&solutionid=sk34579&js_peid=p-114a7ba5fd7-10001&partition=null&product=vpn-1

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1397

Trust: 0.8

url:http://www.frsirt.com/english/advisories/2008/0953

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2008-1397

Trust: 0.8

url:http://www.frsirt.com/english/advisories/2008/0953/references

Trust: 0.6

url:http://www.checkpoint.com

Trust: 0.3

url:http://dl3.checkpoint.com/paid/de/vpn-1_ngx_r65_hfa02_supplement3.pdf?hashkey=1205867583_0be4e5232cabd4c602a2607e2ccc5079&xtn=.pdf

Trust: 0.3

url:http://puresecurity.com.au/index.php?action=fullnews&id=5

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

url:https://psi.secunia.com/?page=changelog

Trust: 0.1

url:https://psi.secunia.com/

Trust: 0.1

url:http://secunia.com/product/13346/

Trust: 0.1

url:http://secunia.com/product/2542/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:https://secureknowledge.checkpoint.com/secureknowledge/login.do?originalaction=solution&id=sk34579

Trust: 0.1

url:http://updates.checkpoint.com/fileserver/id/8141/file/vpn-1_ngx_r65_hfa02_supplement3.pdf

Trust: 0.1

url:http://secunia.com/product/13348/

Trust: 0.1

sources: CERT/CC: VU#992585 // VULHUB: VHN-31522 // BID: 28299 // JVNDB: JVNDB-2008-001182 // PACKETSTORM: 64674 // CNNVD: CNNVD-200803-328 // NVD: CVE-2008-1397

CREDITS

Robert Mitchell

Trust: 0.6

sources: CNNVD: CNNVD-200803-328

SOURCES

db: CERT/CC, id: VU#992585
db: VULHUB, id: VHN-31522
db: BID, id: 28299
db: JVNDB, id: JVNDB-2008-001182
db: PACKETSTORM, id: 64674
db: CNNVD, id: CNNVD-200803-328
db: NVD, id: CVE-2008-1397

LAST UPDATE DATE

2024-11-23T20:39:29.973000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#992585, date: 2008-03-18T00:00:00
db: VULHUB, id: VHN-31522, date: 2017-08-08T00:00:00
db: BID, id: 28299, date: 2015-05-07T17:32:00
db: JVNDB, id: JVNDB-2008-001182, date: 2008-04-03T00:00:00
db: CNNVD, id: CNNVD-200803-328, date: 2008-09-05T00:00:00
db: NVD, id: CVE-2008-1397, date: 2024-11-21T00:44:26.923

SOURCES RELEASE DATE

db: CERT/CC, id: VU#992585, date: 2008-03-18T00:00:00
db: VULHUB, id: VHN-31522, date: 2008-03-20T00:00:00
db: BID, id: 28299, date: 2008-03-18T00:00:00
db: JVNDB, id: JVNDB-2008-001182, date: 2008-04-03T00:00:00
db: PACKETSTORM, id: 64674, date: 2008-03-19T00:35:21
db: CNNVD, id: CNNVD-200803-328, date: 2008-03-19T00:00:00
db: NVD, id: CVE-2008-1397, date: 2008-03-20T00:44:00