Several buffer overflows in Checkpoint’s Firewall-1 [update]
Spanish security specialists Pentest have published a vulnerability analysis of Checkpoint’s flagship Firewall-1 product, in which they cast doubt on the Common Criteria EAL4+ certification of the vendor’s Secure Platform R60. Their analysis uncovered several buffer overflows in command-line utilities which, in their opinion, should not have survived a sound development process. Although the researchers were only able to exploit the vulnerabilities locally, they do not rule out remote exploitation leading to a compromise of the system.
According to Pentest, no fuzzing tools were even needed for the tests: passing crafted, over-long arguments on the command line was enough to overflow buffers in the programs. The researchers argue that this is hard to reconcile with the vendor’s description of the target of evaluation (TOE), i.e. the platform that was evaluated. According to the report, the evaluation requires the developer to have searched systematically for vulnerabilities in the TOE and to provide reasoning as to why they cannot be exploited in the TOE’s intended environment.
Although the TOE is equipped with protective measures such as non-executable stacks and heaps, address space layout randomisation, ASCII armour and a restricted shell, the sheer number of bugs makes it plausible that these protections could be bypassed. The researchers informed Checkpoint of the holes some months ago, but say the vendor has not contacted them to exchange information.
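To make the bug class concrete, here is an added illustration that is not code from Pentest’s report or from Checkpoint: a hypothetical command-line utility that copies an argument into a fixed-size stack buffer without checking its length, beside the bounded version a reviewer would expect to find in a certified platform. The buffer size, the function names and the test input are all constructed for this example. The point of the pairing is that non-executable stacks and ASLR only make the overwrite harder to turn into code execution; they do not prevent the overwrite itself, so the check has to happen at the source.

```c
/*
 * Added illustration (not code from Pentest's report or from Checkpoint):
 * the pattern described above, an over-long command-line argument copied
 * into a fixed-size stack buffer, next to a bounded version. All names
 * and sizes here are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 64   /* hypothetical fixed buffer size */

/* Vulnerable pattern: strcpy() trusts the length of argv data. An
 * argument of NAME_LEN bytes or more writes past `name` and corrupts the
 * saved frame pointer / return address. NX and ASLR make exploiting that
 * harder, but they do not stop the overwrite. Never call this with an
 * attacker-controlled string; it is here only to show the pattern. */
int parse_name_unsafe(const char *arg)
{
    char name[NAME_LEN];
    strcpy(name, arg);                 /* no bound check */
    return (int)strlen(name);
}

/* Hardened form: reject, rather than silently truncate, arguments that
 * do not fit. Returns 0 on success and -1 if the argument is missing or
 * too long, so the caller can fail closed before touching the buffer. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n;
    if (src == NULL || dstsz == 0)
        return -1;
    for (n = 0; n < dstsz; n++)        /* never read past dstsz bytes */
        if (src[n] == '\0')
            break;
    if (n == dstsz)                    /* no room for the terminator */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Safe counterpart of parse_name_unsafe(): -1 on rejection, else the
 * accepted length. */
int parse_name_safe(const char *arg)
{
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, arg) != 0)
        return -1;
    return (int)strlen(name);
}

/* Builds the kind of "manipulated argument" the report describes: a run
 * of `len` filler bytes. Constructed test input, not anything taken from
 * the advisory. Caller frees the result. */
char *make_long_argument(size_t len)
{
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', len);
    p[len] = '\0';
    return p;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "eth0";
    int rc = parse_name_safe(arg);
    if (rc < 0) {
        fprintf(stderr, "argument too long (limit %d bytes)\n", NAME_LEN - 1);
        return 1;
    }
    printf("accepted %d-byte name\n", rc);
    /* Only with an explicit flag, so the reader can observe the crash
     * (or stack-protector abort) that the bounded version avoids. */
    if (argc > 2 && strcmp(argv[2], "--unsafe") == 0)
        printf("unsafe copy returned %d\n", parse_name_unsafe(arg));
    return 0;
}
```

Run it as `./demo "$(python3 -c 'print("A"*200)')"` to see the bounded path reject the argument, and add `--unsafe` to watch the unchecked copy fail. Rejecting rather than truncating is deliberate: a truncated value can still be parsed as something valid, which is its own source of bugs.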
Checkpoint has confirmed the problem (in its knowledge base for registered customers) for all versions of its products based on Secure Platform, but emphasises that the vulnerabilities can only be exploited under very specific conditions. For instance, privileges can only be escalated if the attacker is already an administrator with access to the expert shell. In its security advisory for the flaws, the vendor says that an updated version of the SDSUtil tool will be made available to customers via Checkpoint support. The firm adds that it is working on a more comprehensive remedy and hopes to have a fix for VPN-1 NGX by the end of the month.
- CheckPoint Secure Platform Multiple Buffer Overflows, posting by Hugo Vázquez Caramés
- Checkpoint Secure Platform Hack (PDF), analysis by Pentest