CheckPoints warns of critical flaw in VPN products

CheckPoint Software Technologies has issued fixes for a critical flaw in its popular virtual private networking (VPN) products...

CheckPoint Software Technologies has issued fixes for a critical flaw in its popular virtual private networking (VPN) products that could allow a remote attacker to invade a network.

A bug in the way CheckPoint products handle the initial exchange between client and server could allow the execution of arbitrary code, according to Internet Security Systems (ISS), a CheckPoint competitor, which discovered the flaw.

CheckPoint's VPN-1 products are likely to be vulnerable in their default configurations, ISS said.

CheckPoint has published an advisory listing affected products and instructions on patching.

The company is not unfamiliar with these sorts of flaws, with similar bugs discovered in February and May.

This flaw is in the ASN.1 decoding library in CheckPoint's VPN-1 product, ISS said in its advisory.

When setting up a VPN connection through Internet Key Exchange (IKE) using the Internet Security Association and Key Management Protocol (ISAKMP), the VPN server must decode certain ASN.1-encoded packets. During this decoding, an attacker can completely compromise the server by triggering a heap overflow, ISS said.

If a feature called Aggressive Mode Internet Key Exchange (IKE) is switched on, the bug could be exploited via an instant, "single-packet" attack. Otherwise, the attacker must initiate a real IKE negotiation. CheckPoint noted that the communications to the VPN server must be encrypted, preventing detection of the attack via a signature in a security scanner.

The bug only affects customers using Remote Access VPNs or gateway-to-gateway VPNs, and does not affect the most recent versions of VPN-1 products.

In February, ISS warned of two vulnerabilities in VPN-1 and Firewall-1 products, one involving the HTTP Security Server application proxy in Firewall-1, and a second within the ISAKMP processing in VPN-1 Server, SecuRemote and SecureClient. In May CheckPoint discovered another ISAKMP bug in VPN-1.

Other companies have had a similarly hard time keeping the lid on security problems within products that are supposed to ensure security.

In January, Symantec patched a bug in the LiveUpdate component of its anti-virus software that could have allowed someone with network access to bypass security into privileged areas.

In February, Sophos admitted its anti-virus software could be bypassed or exploited in a denial-of-service attack. In April, Cisco Systems disclosed a number of bugs in its products, including its VPN hardware and software.

Matthew Broersma writes for

Read more on IT risk management