[15782] in bugtraq
Re: CheckPoint FW1 BUG
daemon@ATHENA.MIT.EDU (NHC Research)
Fri Jul 14 14:30:16 2000
Message-ID: <Pine.BSO.4.21.0007131701130.25808-100000@pr0n.newhackcity.net>
Date: Thu, 13 Jul 2000 17:01:38 -0700
Reply-To: NHC Research <ipfreely@NEWHACKCITY.NET>
From: NHC Research <ipfreely@NEWHACKCITY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

While doing some testing on Firewall-1 4.0 NT SP4 a few months ago, we
came across a similar situation. We felt it was not worthy of an advisory
because it is effectively a misconfiguration issue, although it is the
default configuration upon initial install.

Scenario:
One firewall machine, 2 NICs (one for untrusted net, one for trusted net).

Configuration:
NT 4.0 SP6a
Firewall-1 NT 4.0 SP4

Steps 2 Repro:
1. Install FW-1, define one subnet for each physical NIC.
2. From either network, send a SYN packet to the IP of the firewall, port
1032. ('telnet firewallip 1032', or 'nmap -sS -p 1032 firewallip')

Result:
One of the running instances of the fw.exe service goes to 100%.

Why is this not a bug?
Because the first thing the "wizard" does for you is to block all
traffic directly to the firewall, this should not be an issue for most
people. This is a really good thing, because FW-1 listens on an obscene
number of ports in a default installation.

If anyone can retest against FW-1 4.1 SP1, I'd be interested to see if
this minor problem still exists. Does anyone have an official contact for
Checkpoint to report security related issues?
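
An added example, not part of the original post: a small audit that cross-checks the firewall host's listening TCP ports against a first-match rule base, to confirm that a rule blocking traffic addressed to the firewall itself comes before any accept rule. The netstat sample, the addresses and the rule tuple format are all constructed for illustration and are not FW-1's own policy format.

```python
import ipaddress
import re

# Constructed `netstat -an` output for the firewall host (not taken from the post).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:256            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.1:1045          10.0.0.20:256          ESTABLISHED
"""
FW_IPS = ["10.0.0.1", "192.0.2.1"]      # constructed: trusted and untrusted NIC
PROBES = ["10.0.0.50", "192.0.2.50"]    # constructed: one host on each network

# Hypothetical rule format: (source net, destination net, port or None=any, action).
ALLOW_OUT = ("10.0.0.0/24", "0.0.0.0/0", None, "accept")
NO_BLOCK = [ALLOW_OUT]
BLOCK_FIRST = [("0.0.0.0/0", ip + "/32", None, "drop") for ip in FW_IPS] + [ALLOW_OUT]

def listeners(netstat_text):
    """Return (local_ip, port) for every TCP socket in LISTENING state."""
    pat = re.compile(r"^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)
    return [(ip, int(port)) for ip, port in pat.findall(netstat_text)]

def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is dropped (assumed default)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, rule_port, action in rules:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "drop"

def exposed(netstat_text, rules, fw_ips=FW_IPS, probes=PROBES):
    """List (source, firewall_ip, port) tuples the rule base would accept."""
    hits = []
    for bind_ip, port in listeners(netstat_text):
        # A wildcard bind is reachable on every interface address of the host.
        targets = fw_ips if bind_ip == "0.0.0.0" else [bind_ip]
        for dst in targets:
            hits += [(src, dst, port) for src in probes
                     if decide(rules, src, dst, port) == "accept"]
    return hits

if __name__ == "__main__":
    for name, rules in (("no block rule", NO_BLOCK), ("block rule first", BLOCK_FIRST)):
        print(name, "->", exposed(NETSTAT, rules))
```

An empty result means no listener on the firewall host is reachable under the rule base as modelled; any tuple listed is a port worth either closing or covering with an explicit drop rule.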