Security Flaws Found In Check Point Firewall, VPN

Flaws found late Wednesday in Check Point Software's popular firewall and VPN software could allow an attacker to gain entrance to enterprise networks, crash computers, and otherwise wreck havoc, Internet Security Systems said in a critical alert.

The disclosure of the vulnerabilities is yet another sign of a move by hackers to hammer at security software, firewalls, and intrusion detection systems, the very devices and applications enterprises rely on to defend themselves against intruders, said Dan Ingevaldson, the director of ISS's X-Force research team.

"Attackers now have only a few choices when they target hardened systems," said Ingevaldson. "Firewalls and other security software have done a pretty good job of blocking attacks, but the end result is that hackers are focusing their efforts on security systems themselves."

The first vulnerability found by ISS is within Check Point Firewall-1, and stems from the HTTP Application Intelligence (AI) that's designed to prevent potential attacks or detect protocol anomalies aimed at servers behind the firewall. The flaw also exists in the HTTP Security Server applications proxy that ships with all version of Firewall-1, including the most recent.

Attackers could use this vulnerability to completely compromise even heavily hardened networks protected by Check Point's firewall, allowing them to tamper with the firewall settings to give them access to machines on the network."This is not a theoretical exploit," said Ingevaldson, who added that his team had developed a working exploit. The only glimmer of hope, he said, is that the exploit is not easy to create, even by experienced attackers. "But all it takes is one who can, and then it's out there on the Internet."

Wednesday, Check Point posted a patch for this vulnerability that it recommended be installed immediately by all users of VPN-1/Firewall-1 NG and above. The patch is easy to deploy, said Ingevaldson.

The second ISS-discovered vulnerability lies within Check Point VPN-1 Server and its virtual private networking (VPN) clients, Securemote and SecureClient. The vulnerability exists in the ISAKMP processing in both the server and clients, and if exploited, could result in an attacker gaining access to any client-enabled remote computer, including those in employees' homes.

VPN servers and clients are used by enterprises to offer secure remote access to off-site workers, telecommuters, customers, and partners.

An exploit for this security hole is "trivial to write," claimed Ingevaldson, "and we think that one is being worked on right now. I wouldn't be surprised if it releases fairly soon."Check Point will not patch this vulnerability, since the software is no longer supported. "It's been 24 months since we shipped 4.1 [the version with the vulnerability]," said Andy Singer, Check Point's manager of techical marketing. "Only a really small percentage of our users are still running it."

Rather than patching, Check Point recommends that customers upgrade to its VPN-1/Firewall-1 gateways.

Compounding the problem is Check Point's dominant share of the enterprise firewall and VPN markets. Research firm IDC, for instance, pegged Check Point's worldwide share at 54 percent of the firewall and VPN market, while Ingevaldson estimated that that number may actually be as high as 70 percent.

"These are critical vulnerabilities if they're exploited," Ingevaldson said. "Once the hacker controls the gatekeeper, the game's over."