Security Advisory: Symlink Following and Second-Order Symlink Vulnerabilities in Multiple Check Point Security Management Products

Product: Check Point Security Management:

• Multi-Domain Security Management / Provider-1
• SmartCenter

Vulnerable version: multiple products, see sections below
Fixed version: multiple products, see sections below
CVE number: CVE-2011-2664
Impact: high
Homepage: http://www.checkpoint.com
Found: 2010-08-13
By: Matthew Flanagan http://wadofstuff.blogspot.com

Vendor Product Description

Security Management

Security Management and Multi-Domain Security Management (Provider-1) delivers more security and control by segmenting your security management into multiple virtual domains. Businesses of all sizes can easily create virtual domains based on geography, business unit or security function to strengthen security and simplify management.

UTM-1 Edge

Check Point UTM-1 Edge appliances deliver proven, best-in-class security right out of the box! These simple, all-in-one appliances allow branch offices to deploy comprehensive security quickly and easily. These appliances offer robust performance, powerful central management and advanced wireless options.

Vulnerability Description

A post-installation shell script is executed both in the provisioning of a Security Management Domain and installation of a standalone SmartCenter. The script is used to generate a configuration file for use by the SofaWare Management Server (SMS). The SMS is used to send all configuration changes performed in the SmartCenter/Management Domain to UTM-1 Edge devices. UTM-1 Edge devices also communicate their status to the SmartCenter/Management Domain via SMS.

Due to the combination of inadequate file checks, predictable file names and writing of temporary configuration files to /tmp it is possible for a unprivileged local user to exploit the post-installation script to overwrite arbitrary files on the security management system through symlink following.

The script also contains a second-order symlink vulnerability which makes it possible for an attacker to gain control of the SMS configuration file: $FWDIR/conf/sofaware/SWManagementServer.ini. The SWManagementServer.ini file contains sensitive information and configuration parameters for the management of UTM-1 Edge firewall appliances such as firmware versions, mail proxies, logging levels, and many timeout and polling intervals for various software components running on the Edge devices.

The likelhood of exploiting this vulnerability on a server running SmartCenter is low due to it only being exploitable during the installation of the software. However, for Management Domains running on a Multi-Domain Management / Provider-1 server the likelihood is much higher as the vulnerability can be exploited every time a new Management Domain is created.

Exploit

An exploit will not be published.

Vulnerable Versions

R65.70
R70.40
R71.30
R75.10

On Linux, SecurePlatform and Solaris.

Solution

Fixed in R71.40 and R75.20. Other versions can get fix from Check Point
advisory page.

Advisories

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk63565

Vendor Contact Timeline

2010-08-16: Contacted Check Point security team security-alert () checkpoint.com.
2010-08-16: Vendor responded.
2010-08-16: Provided vulnerability details and exploit to vendor.
2010-08-18: Vendor confirmation of vulnerability.
2010-08-26: Requested a status update from the vendor.
2010-08-28: Vendor: working on a fix and release plan.
2011-05-31: Requested a status update from the vendor.
2011-06-01: Vendor: Fixed in R75. Advisory to be released on 2011-06-15.
2011-06-06: Advised vendor that R75 GA and R75.10 are still vulnerable.
2011-06-06: Applied for CVE number from MITRE.
2011-06-07 - 2011-06-14: Coordinated fix and advisory release with Check Point.
2011-06-14: Sent more details to MITRE.
2011-06-15: Vendor publishes advisory and fix.
2011-06-16: Contacted AusCERT.
2011-07-06: Asked MITRE for status of CVE number allocation.
2011-07-07: Assigned CVE number by MITRE.
2011-08-16: Released advisory.

SST/JASS 4.2.2 is out

Jason Callaway has posted a new version of SST (aka JASS). The new release of version 4.2.2 addresses a change in passwd behaviour in relation to locking NP accounts.

Download the new version.

Django gets support for IPv6 fields

My favorite web development framework recently committed some code to add support for IPv6 addresses in data models. The commit closes a ticket I opened 6 years ago. Congratulations to Erik Romijn for finally closing this off. Better late than never :)

The new code differs from my original code in a number of ways. First of all it has better testing and documentation. Second, it does IPv6 address validation programmatically rather than using a regular expression.

The code also borrows from ipaddr-py, which I also contribute to.

A variation on my original code is still running and has been used to manage IPv6 addresses so I can vouch for it. Most of my code doesn't actually use IPAddressFields in Django because of this even older issue which was fixed 3 years ago.

Now both of them are fixed I might look at using the new fields.

Service Tags Nmap Script Accepted

The Nmap NSE script to probe for Sun Service Tags that I wrote last December has been committed to the Nmap trunk. Many thanks to David Fifield for his advice, testing and elegant refactoring of my newbie LUA code to make it more robust.

I expect the code will live on in the Nmap subversion repository rather than my own from now on. If you'd like to use the script you can get it from here or wait until the next release of Nmap to come out.

Sun Service Tags Nmap Discovery Script

Oracle/Sun has had a software agent available for a few years now that runs on numerous operating systems (Solaris 8,9,10, RHEL, OEL, SuSE, and Windows) which enables automatic discovery of assets including software and hardware. The agent is called Sun Service Tags and it provides a way to query a system over a LAN and find out about the hardware, OS, and some of the software installed on it (I say some because the software developer has to register their application at install time with Service Tags and not many outside of Oracle/Sun seem to).

I was inspired last week by a colleague who was looking at installing a Cisco Discovery Protocol (CDP) agent on his Solaris systems so he could easily get an inventory of his network via his routers and switches with the show cdp neighbor command. I pointed out to him that his Solaris systems very likely had Service Tags already installed on them and he could just query that.

To prove the point a set out to write an Nmap script that could scan a host or network and display all the Service Tags information it could find for each host. The nmap script can be downloaded here and needs to be installed in /usr/local/share/nmap/scripts (or where ever your nmap stores them).

You can see some sample usage output below:

# nmap -sU --script=servicetags -p 6481 1.1.1.1

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-12-14 15:57 EST
Nmap scan report for host.example.com (1.1.1.1)
Host is up (0.00045s latency).
PORT     STATE SERVICE
6481/udp open  unknown
| servicetags:
|   URN: urn:st:3bf76681-5e68-415b-f980-db3d77fda252
|   System: SunOS
|   Release: 5.10
|   Hostname: host
|   Architecture: sparc
|   Platform: SUNW,SPARC-Enterprise-T5120::Generic_142900-13
|   Manufacturer: Sun Microsystems, Inc.
|   CPU Manufacturer: Sun Microsystems, Inc.
|   Serial Number: ABC123456
|   HostID: 12345678
|   RAM: 16256
|   CPUs: 1
|   Cores: 4
|   Virtual CPUs: 32
|   CPU Name: UltraSPARC-T2
|   CPU Clock Rate: 1165
|   Service Tags
|     Solaris 10 Operating System
|       Product Name: Solaris 10 Operating System
|       Instance URN: urn:st:90592a79-974d-ebcc-c17a-b87b8eee5f1f
|       Product Version: 10
|       Product URN: urn:uuid:5005588c-36f3-11d6-9cec-fc96f718e113
|       Product Parent URN: urn:uuid:596ffcfa-63d5-11d7-9886-ac816a682f92
|       Product Parent: Solaris Operating System
|       Product Defined Instance ID:
|       Timestamp: 2010-08-10 07:35:40 GMT
|       Container: global
|       Source: SUNWstosreg
|     SUNW,SPARC-Enterprise-T5120 SPARC System
|       Product Name: SUNW,SPARC-Enterprise-T5120 SPARC System
|       Instance URN: urn:st:51c61acd-9f37-65af-a667-c9925a5b0ee9
|       Product Version:
|       Product URN: urn:st:hwreg:SUNW,SPARC-Enterprise-T5120:Sun Microsystems:sparc
|       Product Parent URN: urn:st:hwreg:System:Sun Microsystems
|       Product Parent: System
|       Product Defined Instance ID:
|       Timestamp: 2010-08-10 07:35:41 GMT
|       Container: global
|       Source: SUNWsthwreg
|     Explorer
|       Product Name: Explorer
|       Instance URN: urn:st:2dc5ab61-9bb5-409b-e910-fa39840d0d85
|       Product Version: 6.4
|       Product URN: urn:uuid:9cb70a38-7d15-11de-9d26-080020a9ed93
|       Product Parent URN:
|       Product Parent:
|       Product Defined Instance ID:
|       Timestamp: 2010-08-10 07:35:42 GMT
|       Container: global
|_      Source: Explorer

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

As you can see it reveals quite a bit of information about the system including the hostname, OS version and kernel patch revision, serial number, host id, RAM, number of CPUs and core, etc etc. Very useful for system administrators and hackers alike!

This was my first foray into writing in the Lua scripting language so I have probably made some mistakes and would appreciate some feedback if you find any bugs or have any suggestions.