Users of Check Point Software Technologies Ltd. firewalls need to upgrade them right away in order to shut down a vulnerability that can lead to the firewalls being taken over by attackers.
A second vulnerability, in Check Point’s VPN-1, can leave it similarly exposed, according to Internet Security Systems Inc., which discovered the vulnerabilities and says it has actually exploited them in the ISS X-Force labs.
Because Check Point firewalls by some counts represent more than half of the firewalls in corporate networks, ISS regards the threat as critical and says it calls for immediate fixes.
Updates necessary to correct the firewall vulnerability are available. As of this morning, the company had not posted a fix for the vulnerability ISS says it found in Check Point’s VPN-1 server as well as VPN-1 client software. But ISS says the problem can be corrected by upgrading to Check Point VPN-1 Next Generation software with Service Pack 1 or newer.
The firewall vulnerability is in its application proxy for HTTP, called HTTP Security Server. Check Point’s advisory says the vulnerability can cause the server to crash and allow further exploitation. The company says this can happen “in theory only,” but ISS says it has actually taken over such firewalls in its lab via the vulnerability. “It’s not theoretical,” says Dan Ingevaldson, director of X-Force research and development.
The first flaw, which was found in Firewall-1 Version 4.1 and newer, can give the attacker superuser or root access to the server, according to Ingevaldson.
Regarding the second vulnerability, found in Check Point VPN-1 Server and two versions of the associated client software called SecureRemote and Secure Client, Ingevaldson says, “It can cause a complete compromise of the network and all information going in and out.”
The flaw in the client means remote PCs connecting to corporate networks could be commandeered by attackers seeking connections to vulnerable machines by randomly pinging.
Check Point’s VPN-1/Firewall-1 products are often packaged and deployed together, and exploiting either of the vulnerabilities can compromise the server running them, according to Ingevaldson.