Major security flaw discovered in Check Point Firewall
February 6, 2004
The discovery of a major flaw in the popular Check Point firewall should serve as a reminder that firewalls often offer insufficient protection.
Flaws found in Check Point Software's popular firewall and VPN software could let an attacker gain entrance to company networks, crash computers, and otherwise wreak havoc, Internet Security Systems says in a critical alert.
Global security provider Internet Security Systems (ISS) said around half the United States government departments, financial institutions and other big organizations were shoring up their defenses against hackers after the discovery of two major areas of vulnerability in Check Point's software.
The disclosure of the vulnerabilities late Wednesday is yet another sign of a move by hackers to hammer at security software, firewalls, and intrusion-detection systems, all of which companies rely on to defend themselves against intruders, says Dan Ingevaldson, the director of ISS's X-Force research team.
"Attackers now have only a few choices when they target hardened systems," says Ingevaldson. "Firewalls and other security software have done a pretty good job of blocking attacks, but the end result is that hackers are focusing their efforts on security systems themselves."
The first vulnerability found by ISS is within Check Point Firewall-1, and stems from the HTTP Application Intelligence that's designed to prevent potential attacks or detect protocol anomalies aimed at servers behind the firewall. The flaw also exists in the HTTP Security Server applications proxy that ships with all versions of Firewall-1.
Attackers could exploit this vulnerability to completely compromise networks protected by Check Point's firewall, allowing them to tamper with the firewall settings and get access to the network and its resources.
"This is not a theoretical exploit," says Ingevaldson. "My team has developed a working exploit. The only glimmer of hope is that the exploit isn't easy to create, even by experienced attackers." He also notes that all it takes is one who can, and then it's out there on the Internet.
Check Point has posted a patch for this vulnerability and recommends that all users of VPN-1/Firewall-1 NG and above install it immediately. The patch is easy to deploy, says Ingevaldson.
The second ISS-discovered vulnerability lies within Check Point VPN-1 Server and its VPN clients, SecuRemote and SecureClient. The vulnerability exists in the ISAKMP processing in both the server and clients and, if exploited, could result in an attacker gaining access to any client-enabled remote computer.
An exploit for this security hole is "trivial to write," says Ingevaldson, "and we think that one is being worked on right now. I wouldn't be surprised if it releases fairly soon."
Check Point won't patch this second vulnerability, since it no longer supports the software. Instead, the company, which has been migrating users of that software to its Firewall-1 NG line, recommends that customers upgrade.
Compounding the problem is Check Point's dominant share of the enterprise firewall and VPN markets. Research firm IDC pegs Check Point's worldwide share at 54% of the firewall and VPN market, while Ingevaldson estimates that number may actually be as high as 70%.
Check Point recently acquired ZoneAlarm, a personal firewall software vendor.