CheckPoint driven through by gung-ho security flaw

Bug in VPN products could allow remote attacker to invade network

CheckPoint Software Technologies Ltd. has issued fixes for a critical flaw in its popular virtual private networking (VPN) products that could allow a remote attacker to invade a network.

A bug in the way CheckPoint products handle the initial exchange between client and server could allow the execution of arbitrary code, according to Internet Security Systems (ISS), a CheckPoint competitor, which discovered the flaw. CheckPoint's VPN-1 products are likely to be vulnerable in their default configurations, ISS said.

CheckPoint has published an advisory listing affected products and instructions on patching.

The company is not unfamiliar with these sorts of flaws, with similar bugs discovered in February and May.

This flaw is in the ASN.1 decoding library in CheckPoint's VPN-1 product, ISS said in its advisory. When setting up a VPN connection through Internet Key Exchange (IKE) using the Internet Security Association and Key Management Protocol (ISAKMP), the VPN server must decode certain ASN.1-encoded packets. During this decoding, an attacker can completely compromise the server by triggering a heap overflow, ISS said.

If a feature called Aggressive Mode Internet Key Exchange (IKE) is switched on, the bug could be exploited via an instant, "single-packet" attack. Otherwise, the attacker must initiate a real IKE negotiation, CheckPoint said. The company noted that the communications to the VPN server must be encrypted, preventing detection of the attack via a signature in a security scanner.

The bug only affects customers using Remote Access VPNs or gateway-to-gateway VPNs, and doesn't affect the most recent versions of VPN-1 products. ISS' Mark Dowd and Neel Mehta discovered the bug, ISS said.

In February, ISS warned of two vulnerabilities in VPN-1 and Firewall-1 products, one involving the HTTP Security Server application proxy in Firewall-1, and a second within the ISAKMP processing in VPN-1 Server, SecuRemote and SecureClient. In May CheckPoint discovered another ISAKMP bug in VPN-1.

Other companies have had a similarly hard time keeping the lid on security problems within products that are supposed to ensure security. In January, Symantec Corp. patched a bug in the LiveUpdate component of its anti-virus software that could have allowed someone with network access to bypass security into privileged areas. In February, Sophos PLC admitted its anti-virus software could be bypassed or exploited in a denial-of-service attack. In April, Cisco Systems Inc. disclosed a number of bugs in its products, including its VPN hardware and software.

This story, "CheckPoint driven through by gung-ho security flaw" was originally published by