The published issue occurs in the following configuration:
A manual NAT rule is used to configure port forwarding to an internal server with a non-routable IP address.
Example of the manual rule:
|             | ORIGINAL PACKET             | TRANSLATED PACKET          |
| SOURCE      | External IP address         | External IP address        |
| DESTINATION | Gateway external IP address | Internal server IP address |
| SERVICE     | HTTP                        | HTTP                       |
An attacker may send a TCP SYN packet to the gateway external IP on port 80 with a low TTL.
The gateway will send an ICMP Time Exceeded message with the discarded packet in the payload. The payload contains the internal IP address, because the embedded header was not translated back by the NAT mechanism.
This leads to disclosure of the internal server IP address.
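The leak can be confirmed from a packet capture without touching the gateway configuration: an ICMP error's payload carries the IP header of the discarded packet, and if the destination in that embedded header is an RFC 1918 address while the reporting gateway is public, the NAT translation was not reversed. The following is an added example written for this article, not Check Point code; the addresses, the minimal header builders and the two sample datagrams are constructed here so the script runs offline, and the checker works on any captured IPv4 datagram, not only on Time Exceeded errors.

```python
import ipaddress
import struct

# RFC 1918 ranges: an embedded destination in this space means the inner
# header was not reverse-translated before the ICMP error was generated.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def build_ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed sample data)."""
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def build_time_exceeded(outer_src, outer_dst, inner_src, inner_dst, inner_dport=80):
    """Constructed ICMP Time Exceeded (type 11, code 0) datagram.
    Per RFC 792 the ICMP payload is the discarded packet's IP header plus
    the first 8 bytes of its transport header."""
    tcp8 = struct.pack("!HHI", 40000, inner_dport, 1)   # sport, dport, seq (constructed)
    inner = build_ipv4_header(inner_src, inner_dst, proto=6, ttl=1, payload_len=len(tcp8)) + tcp8
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + inner     # type, code, checksum, unused
    outer = build_ipv4_header(outer_src, outer_dst, proto=1, ttl=64, payload_len=len(icmp))
    return outer + icmp

def parse_ipv4(buf):
    """Return (src, dst, proto, header_len) for the IPv4 header at the start of buf."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), proto, ihl

def check_icmp_error_leak(datagram):
    """Inspect one IPv4 datagram. For an ICMP Destination Unreachable (3) or
    Time Exceeded (11) error, return the embedded destination and whether it
    is an RFC 1918 address; return None for any other traffic."""
    src, dst, proto, ihl = parse_ipv4(datagram)
    if proto != 1:
        return None
    icmp_type, icmp_code = datagram[ihl], datagram[ihl + 1]
    if icmp_type not in (3, 11):
        return None
    inner = datagram[ihl + 8:]
    if len(inner) < 20:
        return None
    inner_src, inner_dst, inner_proto, inner_ihl = parse_ipv4(inner)
    inner_dport = None
    if inner_proto in (6, 17) and len(inner) >= inner_ihl + 4:   # TCP or UDP
        inner_dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    leaked = any(ipaddress.ip_address(inner_dst) in net for net in PRIVATE_NETS)
    return {
        "reporter": src,
        "icmp_type": icmp_type,
        "icmp_code": icmp_code,
        "inner_dst": inner_dst,
        "inner_dport": inner_dport,
        "leaks_private_address": leaked,
    }

# Constructed samples (documentation addresses): the gateway reports a TTL
# expiry with the embedded destination left as its own public address
# (correct) versus the untranslated internal server address (the leak).
GATEWAY_PUBLIC = "203.0.113.10"
INTERNAL_SERVER = "10.1.2.3"
CLIENT = "198.51.100.7"

SAMPLE_OK = build_time_exceeded(GATEWAY_PUBLIC, CLIENT, CLIENT, GATEWAY_PUBLIC)
SAMPLE_LEAK = build_time_exceeded(GATEWAY_PUBLIC, CLIENT, CLIENT, INTERNAL_SERVER)

if __name__ == "__main__":
    for name, pkt in (("ok", SAMPLE_OK), ("leak", SAMPLE_LEAK)):
        print(name, check_icmp_error_leak(pkt))
```

Run over the ICMP errors in a capture taken on the external interface after the fix or after the workaround is applied: an empty set of results with `leaks_private_address` true is what a correctly translating gateway produces, and with the "Errors" checkbox cleared (workaround below) no ICMP error datagrams should be seen at all.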
This problem was fixed. The fix is included in:
- R70
- VPN-1 Power/UTM NGX R65 HFA 40
Check Point recommends always upgrading to the most recent version.
If you choose not to upgrade, Check Point Support offers a Hotfix to resolve this issue.
For VPN-1 Power/UTM NGX R65, upgrade to HFA 30 and install the following Hotfix:
For all other versions, contact Check Point Support to get a Hotfix for this issue. A Support Engineer will verify that the Hotfix is compatible with your environment before providing it.
If you choose not to install the above Hotfix, the following workaround is available:
- In SmartDashboard, go to Policy -> Global Properties -> Stateful Inspection.
- Clear the "Errors" checkbox under the "Accept Stateful ICMP" section to block the ICMP errors.
- Install the Security Policy.
This solution is about products that are no longer supported and it will not be updated.
Applies To:
- 00432493, 00433339, 00432639, 00432642, 00433090, 00433095, 00433096, 00433098