ASN.1 Alert
 

28 Jul 2004

An ASN.1 issue has been discovered affecting Check Point VPN-1 products during negotiations of a VPN tunnel which may cause a buffer overrun, potentially compromising the gateway. In certain circumstances, this compromise could allow further network compromise.

Check Point Software customers who do not use Remote Access VPNs or gateway-to-gateway VPNs, or who have upgraded to current product versions (VPN-1/FireWall-1 R55 HFA-08, R54 HFA-412, and VPN-1 SecuRemote/SecureClient R56 HF1) are NOT affected by this issue.

A single packet attack is only possible if Aggressive Mode IKE is implemented. Check Point strongly discourages the use of Aggressive Mode IKE because it has inherent security limitations.

When IKE is used without Aggressive Mode enabled, the single packet attack is not possible, because the attacker must initiate a real IKE negotiation in order to perform the attack. In this attack vector the malformed IKE packet must be encrypted, which prevents signature-based detection.
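An added example, not part of Check Point's advisory or code: a Python check a defender can run over captured UDP/500 payloads to see which peers negotiate Aggressive Mode and how many IKE messages are encrypted and therefore opaque to signatures. The header layout is the standard IKEv1 ISAKMP header (RFC 2408); the helper names, sample packets and addresses are constructed for illustration.

```python
import struct

# ISAKMP (IKEv1) fixed header, RFC 2408 section 3.1, 28 bytes:
# initiator cookie(8) responder cookie(8) next payload(1) version(1)
# exchange type(1) flags(1) message id(4) total length(4)
HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}
FLAG_ENCRYPTED = 0x01  # payloads after the header are encrypted

def classify(datagram: bytes) -> dict:
    """Return exchange type and encryption state of one UDP/500 payload."""
    if len(datagram) < HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    _, _, _, version, xchg, flags, _, length = HDR.unpack_from(datagram)
    if version >> 4 != 1:
        raise ValueError("not IKEv1")
    if length < HDR.size or length > len(datagram):
        raise ValueError("length field inconsistent with datagram")
    encrypted = bool(flags & FLAG_ENCRYPTED)
    return {"exchange": EXCHANGE.get(xchg, f"type-{xchg}"),
            "encrypted": encrypted,
            # bytes a content signature could actually inspect
            "inspectable": 0 if encrypted else length - HDR.size}

def audit(packets):
    """packets: iterable of (source address, UDP payload).
    Returns (peers seen using Aggressive Mode, count of encrypted messages)."""
    aggressive_peers, opaque = set(), 0
    for src, data in packets:
        try:
            info = classify(data)
        except ValueError:
            continue  # not a well-formed IKEv1 message, skip it
        if info["exchange"] == "aggressive":
            aggressive_peers.add(src)
        opaque += info["encrypted"]
    return sorted(aggressive_peers), opaque

def _sample(xchg, flags, body=b"\x00" * 8):
    """Constructed test packet: valid header, dummy body."""
    return HDR.pack(b"I" * 8, b"\x00" * 8, 1, 0x10, xchg, flags, 0,
                    HDR.size + len(body)) + body

SAMPLES = [("192.0.2.10", _sample(2, 0)),    # Main Mode, cleartext
           ("192.0.2.10", _sample(2, 1)),    # Main Mode, encrypted
           ("198.51.100.7", _sample(4, 0)),  # Aggressive Mode
           ("203.0.113.5", b"\x00" * 4)]     # truncated, ignored

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Any peer reported in the first element is a reason to review whether Aggressive Mode is still enabled on the gateway.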

At the time of this alert, Check Point is not aware of any organizations that have been affected by this issue. However, in order to protect VPN-1 Gateways, Check Point recommends that customers install an update on all enforcement modules.

The most recent Hotfix Accumulators (HFAs) and ASN.1 Hotfixes address this issue. Software Subscription customers can download updates for affected products using the links listed below.

VPN-1/FireWall-1 NG with Application Intelligence R55W ASN.1 Hotfix
IPSO | Linux | SecurePlatform | Solaris | Windows

VPN-1/FireWall-1 NG with Application Intelligence R55 ASN.1 HF
IPSO 3.8 | Linux 3.0 (RHEL 3.0)

VPN-1/FireWall-1 NG with Application Intelligence R55 HFA-08
IPSO | Linux | SecurePlatform | Solaris | Windows

VPN-1/FireWall-1 NG with Application Intelligence R54 HFA-412
IPSO | Linux | SecurePlatform | Solaris | Windows

VPN-1/FireWall-1 Next Generation FP3 ASN.1 Hotfix
IPSO | Linux | SecurePlatform | Solaris | Windows

VPN-1 SecuRemote/SecureClient NG with Application Intelligence
R56 HF-01 | R55 HFA-03

Provider-1 NG with Application Intelligence R55 HFA-08
Linux | SecurePlatform | Solaris

Provider-1 NG with Application Intelligence R54 HFA-412
Solaris

FireWall-1 GX 2.5 ASN.1 Hotfix
IPSO | Linux | SecurePlatform | Solaris | Windows

FireWall-1 GX 2.0 ASN.1 Hotfix
IPSO | Linux | SecurePlatform | Solaris | Windows

SSL Network Extender
Linux | SecurePlatform | Solaris | Windows

VPN-1/FireWall-1 VSX NG with Application Intelligence Release 2 ASN.1 Hotfix
IPSO

VPN-1/FireWall-1 VSX NG with Application Intelligence ASN.1 Hotfix
SecurePlatform

VPN-1/FireWall-1 VSX 2.0.1 ASN.1 Hotfix
Linux | SecurePlatform

Customers without a valid Software Subscription contract should contact Check Point Technical Support for assistance.