Check Point response to "VPN-1 PAT information disclosure" vulnerability (CVE-2008-5849)
Symptoms
  • On November 14, 2008 Portcullis Computer Security published the "Checkpoint VPN-1 PAT information disclosure" advisory.
  • Check Point confirms this behavior. It is relevant for all port forwarding configurations.
    Refer to the detailed description of the configuration below.
  • Severity of this vulnerability is Low.
Cause
The published issue occurs in the following configuration:

A manual NAT rule is used to configure port forwarding to an internal server with a non-routable IP address.
Example of the manual rule:

               ORIGINAL PACKET              TRANSLATED PACKET
  SOURCE       External IP address          External IP address
  DESTINATION  Gateway external IP address  Internal server IP address
  SERVICE      HTTP                         HTTP

An attacker may send a TCP SYN packet to the gateway external IP on port 80 with a low TTL.
The gateway will send an ICMP Time Exceeded message with the discarded packet in the payload. The payload contains the internal IP address because the embedded packet was not translated back by the NAT mechanism.

This leads to disclosure of the internal server IP address.
Solution

This problem was fixed. The fix is included in:

  • R70
  • VPN-1 Power/UTM NGX R65 HFA 40

Check Point recommends always upgrading to the most recent version.

If you choose not to upgrade, Check Point Support offers a Hotfix to resolve this issue.
For VPN-1 Power/UTM NGX R65, upgrade to HFA 30 and install the following HotFix:


For all other versions, contact Check Point Support to get a Hotfix for this issue. A Support Engineer will make sure the Hotfix is compatible with your environment before providing it.

If you choose not to install the above HotFix, the following workaround is available:

  1. In the SmartDashboard go to Policy -> Global Properties -> Stateful Inspection.
  2. Clear the "Errors" checkbox under the "Accept Stateful ICMP" section to block the ICMP errors.
  3. Install the Security Policy.
This solution is about products that are no longer supported and will not be updated.
Applies To:
  • 00432493, 00433339, 00432639, 00432642, 00433090, 00433095, 00433096, 00433098
