Security Research

Security Vulnerabilities
Check Point VPN-1 PAT Information Disclosure Vulnerability

Published: 2009-01-06
Updated: 2009-01-07

Affected systems:
Check Point Software VPN-1 R65
Check Point Software VPN-1 R55
Description:
CVE(CAN) ID: CVE-2008-5849

The Check Point firewall/VPN solution provides organizations with network architecture and information security protection.

On a Check Point VPN-1 firewall with Port Address Translation (PAT) enabled, a remote attacker who sends packets with a very low TTL value to the firewall's 18264/tcp port triggers an ICMP_TIMXCEED_INTRANS response. The IP packet encapsulated in that response contains the internal IP address, as shown below:

14:56:25.169480 IP (tos 0xe0, ttl 255, id 21407, offset 0, flags [none], proto: ICMP (1), length: 68) 193.0.0.1 > 194.0.0.1: ICMP time exceeded in-transit, length 48

IP (tos 0x0, ttl 1, id 5120, offset 0, flags [none], proto: TCP (6), length: 40) 194.0.0.1.9003 > 10.0.0.99.18264: S, cksum 0x03e6 (correct), 2834356043:2834356043(0) win 512
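To show the disclosure from the defender's side, the following added Python example (not part of the original advisory, and not Check Point's or OpenVAS's code) parses a raw ICMP Time Exceeded datagram and reports any private address quoted as the destination in the embedded IP header; the sample packet is constructed to match the two tcpdump lines above.

```python
import ipaddress
import struct

ICMP_PROTO = 1
ICMP_TIME_EXCEEDED = 11
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, cksum, src, dst
ICMP_HDR = "!BBHI"          # type, code, checksum, unused


def ipv4_header(tos, total_len, ident, ttl, proto, src, dst):
    """Build a minimal 20-byte IPv4 header (checksum left 0; constructed sample data only)."""
    return struct.pack(IPV4_HDR, 0x45, tos, total_len, ident, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(data):
    """Return (header_len, proto, src, dst) for an IPv4 header, or None if truncated/not v4."""
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    f = struct.unpack(IPV4_HDR, data[:20])
    return (f[0] & 0x0F) * 4, f[6], ipaddress.IPv4Address(f[8]), ipaddress.IPv4Address(f[9])


def leaked_internal_address(packet):
    """Inspect one raw IPv4 datagram. If it is an ICMP Time Exceeded whose quoted
    (post-PAT) destination is a private address, return that address, otherwise None."""
    outer = parse_ipv4_header(packet)
    if outer is None or outer[1] != ICMP_PROTO:
        return None
    icmp = packet[outer[0]:]
    # RFC 792: 8-byte ICMP header, then the IP header (+64 bits) of the datagram that expired
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_TIME_EXCEEDED:
        return None
    inner = parse_ipv4_header(icmp[8:])
    if inner is None:
        return None
    return str(inner[3]) if inner[3].is_private else None


def time_exceeded_sample(inner_dst="10.0.0.99"):
    """Constructed datagram matching the advisory's tcpdump lines: 193.0.0.1 > 194.0.0.1
    ICMP time exceeded (68 bytes) quoting 194.0.0.1:9003 > inner_dst:18264 SYN with ttl 1."""
    tcp = struct.pack("!HHIIBBHHH", 9003, 18264, 2834356043, 0, 0x50, 0x02, 512, 0x03E6, 0)
    inner = ipv4_header(0x00, 40, 5120, 1, 6, "194.0.0.1", inner_dst) + tcp
    icmp = struct.pack(ICMP_HDR, ICMP_TIME_EXCEEDED, 0, 0, 0) + inner
    return ipv4_header(0xE0, 20 + len(icmp), 21407, 255, ICMP_PROTO, "193.0.0.1", "194.0.0.1") + icmp


if __name__ == "__main__":
    print(leaked_internal_address(time_exceeded_sample()))  # 10.0.0.99
```

Running the check over ICMP traffic leaving the firewall's external interface makes a leaked RFC 1918 destination visible before and after the vendor patch is applied.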

<*Source: Tim Brown (securityfocus@machine.org.uk)
  
  Links: http://www.portcullis-security.com/293.php
         https://supportcenter.checkpoint.com/supportcenter/portal/media-type/html/role/supportcenterUser/page/print.psml?action=portlets.SearchResultMainAction&eventSubmit_doPrintsolution=&solutionid=sk36321
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching purposes. Use at your own risk!

https://svn.wald.intevation.org/svn/openvas/trunk/openvas-plugins/scripts/checkpoint-vpn1-pat-inform

Recommendations:
Vendor patches:

Check Point Software
--------------------
The vendor has released upgrade patches to fix this security issue; please download them from the vendor's homepage:

http://downloads.checkpoint.com/dc/download.htm?ID=8606
http://downloads.checkpoint.com/dc/download.htm?ID=8607
http://downloads.checkpoint.com/dc/download.htm?ID=8608
http://downloads.checkpoint.com/dc/download.htm?ID=8609

This vulnerability entry was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.