Security Flaws Found In Check Point Firewall And VPN

The disclosure by Internet Security Systems is yet another sign of efforts by hackers to hammer at security software, firewalls, and intrusion-detection systems.

information Staff, Contributor

February 5, 2004


Flaws found in Check Point Software's popular firewall and VPN software could let an attacker gain entrance to company networks, crash computers, and otherwise wreak havoc, Internet Security Systems says in a critical alert.

The disclosure of the vulnerabilities late Wednesday is yet another sign of a move by hackers to hammer at security software, firewalls, and intrusion-detection systems, the very devices and applications that companies rely on to defend themselves against intruders, says Dan Ingevaldson, the director of ISS's X-Force research team.

"Attackers now have only a few choices when they target hardened systems," says Ingevaldson. "Firewalls and other security software have done a pretty good job of blocking attacks, but the end result is that hackers are focusing their efforts on security systems themselves."

The first vulnerability found by ISS is within Check Point Firewall-1, and stems from the HTTP Application Intelligence that's designed to prevent potential attacks or detect protocol anomalies aimed at servers behind the firewall. The flaw also exists in the HTTP Security Server applications proxy that ships with all versions of Firewall-1, including the most recent.

Attackers could use this vulnerability to completely compromise even heavily hardened networks protected by Check Point's firewall, allowing them to tamper with the firewall settings to give them access to machines on the network.

"This is not a theoretical exploit," says Ingevaldson, who adds that his team has developed a working exploit. The only glimmer of hope, he says, is that the exploit isn't easy to create, even by experienced attackers. "But all it takes is one who can, and then it's out there on the Internet."

Check Point has posted a patch for this vulnerability that it recommended be installed immediately by all users of VPN-1/Firewall-1 NG and above. The patch is easy to deploy, says Ingevaldson.

The second ISS-discovered vulnerability lies within Check Point VPN-1 Server and its VPN clients, SecuRemote and SecureClient. The vulnerability exists in the ISAKMP processing in both the server and clients, and if exploited, could result in an attacker gaining access to any client-enabled remote computer, including those in employees' homes.

VPN servers and clients are used by businesses to offer secure remote access to off-site workers, telecommuters, customers, and partners.

An exploit for this security hole is "trivial to write," says Ingevaldson, "and we think that one is being worked on right now. I wouldn't be surprised if it releases fairly soon."

Check Point won't patch this vulnerability, since it no longer supports the software. Instead, the company, which has been migrating users of that software to its Firewall-1 NG line, recommends that customers upgrade. "But from our conversations with users," says Ingevaldson, "there are still quite a few who are using the older software."

Compounding the problem is Check Point's dominant share of the enterprise firewall and VPN markets. Research firm IDC pegs Check Point's worldwide share at 54% of the firewall and VPN market, while Ingevaldson estimates that number may actually be as high as 70%.

"These are critical vulnerabilities if they're exploited," Ingevaldson says. "Once the hacker controls the gatekeeper, the game's over."
