Message-ID: <36220782.1048708521@[10.3.62.6]>
From: pbieringer at aerasec.de (Dr. Peter Bieringer)
Subject: Check Point FW-1 NG FP3 & FP3 HF1: DoS attack against syslog daemon possible
Hi again,
regarding some statements and personal e-mails to me about
a) which versions are affected
and
b) we have no FP3, but a running "syslog" process
I've double-checked this here in our lab and can confirm Check Point's
advisory "Prior to the release of NG FP3 HF2" for some more cases:
Check Point FW-1 since NG FP3:
------------------------------
The syslog daemon is a dedicated binary "$FWDIR/bin/syslog"
Vulnerable to remote crash (FP3, FP3 HF1)
Vulnerable to unfiltered escape sequences (FP3, FP3 HF1, FP3 HF2)
Check Point FW-1 NG up to FP2:
------------------------------
The syslog daemon is included in the "$FWDIR/bin/fw" binary by using
"$FWDIR/lib/libfw1.so"
Vulnerable to remote crash (FP2)
Vulnerable to unfiltered escape sequences (FP2)
Other NG versions below FP2 are currently not tested by us, but according to
Check Point's advisory they are also vulnerable.
Note: in the process table you will also see "syslog 514 all", a "ghost"
program which didn't exist before FP3, but that's only the command line
arguments. A dig into /proc/$pid-of/syslog shows that "fw" is the real
executed binary.
Check Point FW-1 4.1:
---------------------
The syslog daemon is included in the "$FWDIR/bin/fw" binary without using
any other Check Point specific library.
We are currently also investigating the 2 issues here.
Hope this helps.
We've also already updated our advisory:
http://www.aerasec.de/security/advisories/txt/checkpoint-fw1-ng-fp3-syslog-crash.txt
http://www.aerasec.de/security/advisories/checkpoint-fw1-ng-fp3-syslog-crash.html
Sorry for causing some confusion.
Peter
--
Dr. Peter Bieringer Phone: +49-8102-895190
AERAsec Network Services and Security GmbH Fax: +49-8102-895199
Wagenberger Straße 1 Mobile: +49-174-9015046
D-85662 Hohenbrunn E-Mail: pbieringer@...asec.de
Germany Internet: http://www.aerasec.de
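
The /proc check mentioned in the note above (process table name versus the binary really executed), as an added example that is not part of the original message or of any Check Point tooling. The function names and the overridable PROC_ROOT variable are assumptions made for this sketch; it expects a Linux /proc layout.

```shell
#!/bin/sh
# Added example: compare the name shown in the process table (argv[0] from
# /proc/PID/cmdline) with the binary actually executed (/proc/PID/exe).
# PROC_ROOT is a hypothetical override so the check can run on a copied tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print argv[0] of a PID; cmdline entries are NUL-separated.
proc_argv0() {
    tr '\0' '\n' 2>/dev/null < "$PROC_ROOT/$1/cmdline" | head -n 1
}

# Print the target of the exe symlink, i.e. the real binary.
proc_exe() {
    readlink "$PROC_ROOT/$1/exe" 2>/dev/null
}

# check_pid PID
# Prints "PID STATUS argv0 exe". Returns 0 if the names agree,
# 1 if argv[0] names a different program than exe, 2 if unreadable.
check_pid() {
    argv0=$(proc_argv0 "$1") || argv0=""
    exe=$(proc_exe "$1") || exe=""
    if [ -z "$argv0" ] || [ -z "$exe" ]; then
        echo "$1 UNKNOWN"
        return 2
    fi
    # The kernel appends " (deleted)" when the binary was unlinked.
    exe=${exe% (deleted)}
    # Compare base names only: argv[0] is often given without a path.
    if [ "${argv0##*/}" = "${exe##*/}" ]; then
        echo "$1 MATCH $argv0 $exe"
        return 0
    fi
    echo "$1 MISMATCH $argv0 $exe"
    return 1
}

# Stand-alone use: pass one or more PIDs on the command line.
for pid in "$@"; do
    check_pid "$pid" || true
done
```

A MISMATCH line for a process listed as "syslog" corresponds to the up-to-FP2 case described in the message, where "fw" is the executed binary; reading another user's /proc entries normally requires root.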