You'd really need to put a packet filter behind your firewall;
I've done it all the time and I'm not particularly worried about
the RDP bug/feature/hole. The packet filter acts as a failsafe
for your firewall.
You can use a router or, in my case, a Linux IPChains box.
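As an added example (not code from the reply above or from Check Point), the failsafe packet filter idea reduced to a policy check: it parses raw IPv4/UDP datagrams and drops anything bound for 259/UDP unless it is between the management station and the firewall module, whose addresses here are constructed placeholders.

```python
"""Failsafe filter for Check Point RDP traffic (259/UDP), added example."""
import ipaddress
import struct

RDP_PORT = 259
UDP_PROTO = 17
# Constructed placeholder addresses for the management station and the
# firewall module; RDP between these two is the only 259/UDP we expect.
MGMT_STATION = ipaddress.ip_address("192.0.2.10")
FW_MODULE = ipaddress.ip_address("192.0.2.1")
ALLOWED_PAIRS = {(MGMT_STATION, FW_MODULE), (FW_MODULE, MGMT_STATION)}


def parse_ipv4_udp(pkt: bytes):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP datagram, else None."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != UDP_PROTO or len(pkt) < ihl + 8:
        return None
    sport, dport, _, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
            sport, dport, pkt[ihl + 8:])


def verdict(pkt: bytes) -> str:
    """DROP any 259/UDP datagram that is not between the management station
    and the firewall module; everything else is left to the main firewall."""
    hdr = parse_ipv4_udp(pkt)
    if hdr is None:
        return "ACCEPT"
    src, dst, _, dport, _ = hdr
    if dport != RDP_PORT:
        return "ACCEPT"
    return "ACCEPT" if (src, dst) in ALLOWED_PAIRS else "DROP"


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test datagram: IPv4 header without options + UDP header + payload
    (checksums left zero, which is enough for the filter logic above)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, UDP_PROTO, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + udp


if __name__ == "__main__":
    # Outside host to inside host on 259 with a faked RDP-looking payload:
    # the failsafe drops it regardless of what the FW-1 implied rule accepts.
    print(verdict(build_udp("203.0.113.7", "192.0.2.50", 40000, 259, b"fake-rdp")))
```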
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Joel
> Turoff
> Sent: Tuesday, July 10, 2001 8:46 PM
> To: '[EMAIL PROTECTED]'
> Subject: [FW1] CERT Advisory and SecuRemote
>
> Hey folks:
>
> According to the recent security advisory, if you have the default "Accept
> Firewall-1" implied rule checked, someone can bypass the firewall with
> faked RDP packets.
>
> My question is this. If you don't have the implied rule, and you're using
> SecuRemote with IKE encryption, you need a rule in your rulebase that
> accepts RDP/UDP packets destined for the firewall itself from *any* source.
> This is necessary for the IKE handshake that starts the encryption process
> in a SecuRemote session, and the source IP address has to be "any" because
> you never know where your VPN clients are coming from. So are we still
> susceptible to faked RDP packets as described in the security alert if we
> run a firewall with this rule?
>
> Joel
>
> At 07:34 PM 7/9/01 -0500, Oscar Aviles wrote:
> >
> > Look at that, friends....
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >CERT Advisory CA-2001-17 Check Point RDP Bypass Vulnerability
> >
> > Original release date: July 09, 2001
> > Last revised: --
> > Source: CERT/CC
> >
> > A complete revision history is at the end of this file.
> >
> >Systems Affected
> >
> > * Check Point VPN-1 and FireWall-1 Version 4.1
> >
> >Overview
> >
> > A vulnerability in Check Point FireWall-1 and VPN-1 may allow an
> > intruder to pass traffic through the firewall on port 259/UDP.
> >
> >I. Description
> >
> > Inside Security GmbH has discovered a vulnerability in Check Point
> > FireWall-1 and VPN-1 that allows an intruder to bypass the firewall.
> > The default FireWall-1 management rules allow arbitrary RDP (Reliable
> > Data Protocol) connections to traverse the firewall. RFC-908 and
> > RFC-1151 describe the Reliable Data Protocol (RDP). Quoting from
> > RFC-908:
> >
> > The Reliable Data Protocol (RDP) is designed to provide a reliable
> > data transport service for packet-based applications such as remote
> > loading and debugging.
> >
> > RDP was designed to have much of the same functionality as TCP, but it
> > has some advantages over TCP in certain situations. FireWall-1 and
> > VPN-1 include support for RDP, but they do not provide adequate
> > security controls. Quoting from the advisory provided by Inside
> > Security GmbH:
> >
> > By adding a faked RDP header to normal UDP traffic any content can
> > be passed to port 259 on any remote host on either side of the
> > firewall.
> >
> > For more information, see the Inside Security GmbH security advisory,
> > available at
> >
> > http://www.inside-security.de/advisories/fw1_rdp.html
> >
> > Although the CERT/CC has not seen any incident activity related to
> > this vulnerability, we do recommend that all affected sites upgrade
> > their Check Point software as soon as possible.
> >
> >II. Impact
> >
> > An intruder can pass UDP traffic with arbitrary content through the
> > firewall on port 259 in violation of implied security policies.
> >
> > If an intruder can gain control of a host inside the firewall, he may
> > be able to use this vulnerability to tunnel arbitrary traffic across
> > the firewall boundary.
> >
> > Additionally, even if an intruder does not have control of a host
> > inside the firewall, he may be able to use this vulnerability as a
> > means of exploiting another vulnerability in software listening
> > passively on the internal network.
> >
> > Finally, an intruder may be able to use this vulnerability to launch
> > certain kinds of denial-of-service attacks.
> >
> >III. Solutions
> >
> > Install a patch from Check Point Software Technologies. More
> > information is available in Appendix A.
> >
> > Until a patch can be applied, you may be able to reduce your exposure
> > to this vulnerability by configuring your router to block access to
> > 259/UDP at your network perimeter.
> >
> >Appendix A
> >
> >Check Point
> >
> > Check Point has issued an alert for this vulnerability at
> >
> > http://www.checkpoint.com/techsupport/alerts/
> >
> > Download the patch from Check Point's web site:
> >
> > http://www.checkpoint.com/techsupport/downloads.html
> >
> >Appendix B. - References
> >
> > 1. http://www.inside-security.de/advisories/fw1_rdp.html
> > 2. http://www.kb.cert.org/vuls/id/310295
> > 3. http://www.ietf.org/rfc/rfc908.txt
> > 4. http://www.ietf.org/rfc/rfc1151.txt
> > _________________________________________________________________
> >
> > Our thanks to Inside Security GmbH for the information contained in
> > their advisory.
> > _________________________________________________________________
> >
> > This document was written by Ian A. Finlay. If you have feedback
> > concerning this document, please send email to:
> >
> > mailto:[EMAIL PROTECTED]?Subject=Feedback CA-2001-17 [VU#310295]
> >
> > Copyright 2001 Carnegie Mellon University.
> >
> > Revision History
> >July 09, 2001: Initial Release
> >
> >=================================================================
> > To unsubscribe from this mailing list, please see the
> > instructions at
> > http://www.checkpoint.com/services/mailing.html
> >=================================================================