VID 29011
Severity 20
Port 264
Protocol TCP
Class Firewall
Detailed Description The host appears to be a Check Point FW-1 running SecureRemote.
Check Point Firewall-1 uses a piece of software called SecuRemote (a.k.a. SecureRemote) to create encrypted sessions between users and FW-1 modules. SecureRemote is the proprietary VPN infrastructure designed by Check Point Software and is included with some versions of Firewall-1.
A problem with the package allows remote users to gain information about internal networks. Older versions of the package send network topology information to SecureRemote connections prior to authentication, allowing an information gathering attack. This gives a potential attacker a wealth of information including IP addresses, network masks, and even friendly descriptions.

* References:
http://www.securiteam.com/securitynews/5HP0D2A4UC.html
http://www.securityfocus.com/bid/3058
Recommendation Either block the SecuRemote ports (TCP 256 and 264) from untrusted networks, or upgrade to the latest version of Check Point's Firewall-1.
As a workaround, you can restrict the topology download so that only authenticated users can download it. Go to Policy Properties Desktop Security in your Policy Editor and uncheck "respond to unauthenticated topology requests". After the policy is installed, only authenticated users can download the topology. The only reason to keep this option checked is if your clients want to use FWZ encryption.