| VID | 12052 |
| Severity | 40 |
| Port | |
| Protocol | ICMP |
| Class | Protocol |
| Detailed Description |
The machine appears to have been crashed by a flood of incorrectly fragmented packets. This is known as the 'jolt2' denial-of-service attack. In particular, Check Point FireWall-1 versions 1.4.0 and 1.4.1 are vulnerable to a packet fragmentation denial of service. By sending illegally fragmented packets directly to, or routed through, Check Point FireWall-1, it is possible to force the firewall to use 100% of available processor time logging these packets. The FireWall-1 rulebase cannot prevent this attack, and it is not logged in the firewall logs.
* Note: This check can also affect routers on the network path to the target machine.
* References:
  http://www.checkpoint.com/techsupport/alerts/list_vun.html#IP_Fragmentation
  http://archives.neohapsis.com/archives/bugtraq/2000-05/0473.html
  http://www.kb.cert.org/vuls/id/35958
  http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html
* Platforms Affected: Check Point Firewalls, any version |
| Recommendation |
For Check Point Firewall and VPN: Apply the latest Service Pack or Hotfix for this vulnerability, as listed in the Check Point Technical Support Alert at http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html
As a workaround, disable console logging by typing the following command at the FireWall-1 module(s):
$FWDIR/bin/fw ctl debug -buf
This command can be added to the $FWDIR/bin/fw/fwstart command so that it takes effect whenever the firewall software is restarted. |
| Related URL | CVE-2000-0482 (CVE) |
| Related URL | 1312 (SecurityFocus) |
| Related URL | 4609 (ISS) |