lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <36220782.1048708521@[10.3.62.6]>
From: pbieringer at aerasec.de (Dr. Peter Bieringer)
Subject: Check Point FW-1 NG FP3 & FP3 HF1: DoS attack
 against syslog daemon possible

Hi again,

regarding to some statements and personal e-mails to me of
 a) which versions are affected
and
 )b we have no FP3, but a running "syslog" process
I've doublechecked this here in our lab and can confirm Check Point's 
advisory "Prior to the release of NG FP3 HF2" for some more cases:

Check Point FW-1 since NG FP3:
------------------------------
The syslog daemon is a dedicated binary "$FWDIR/bin/syslog"
Vulnerable for remote crash (FP3, FP3 HF1)
Vulnerable unfiltered escape sequences (FP3, FP3 HF1, FP3 HF2)


Check Point FW-1 NG up to FP2:
------------------------------
The syslog daemon is included in the "$FWDIR/bin/fw" binary by using 
"$FWDIR/lib/libfw1.so"
Vulnerable for remote crash (FP2)
Vulnerable unfiltered escape sequences (FP2)

Other NG versions below FP2 currently not tested by us, but regarding to 
Check Point's advisory they are also vulnerable.

Note: in the process table you will see also "syslog 514 all", a "ghost" 
program which didn't exist before FP3, but that's only the command line 
arguments. A dig into /proc/$pid-of/syslog shows, that "fw" is the real 
executed binary.


Check Point FW-1 4.1:
---------------------
The syslog daemon is included in the "$FWDIR/bin/fw" binary without using 
any other Check Point specific library.

We currently investigate also here the 2 issues.


Hope this helps.

We've also already updated our advisory:

http://www.aerasec.de/security/advisories/txt/
 checkpoint-fw1-ng-fp3-syslog-crash.txt
http://www.aerasec.de/security/advisories/
 checkpoint-fw1-ng-fp3-syslog-crash.html


Sorry for causing some confusions.

	Peter
-- 
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Stra?e 1                           Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer@...asec.de
Germany                                Internet: http://www.aerasec.de


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ