Skip navigation
Menu
Security

Firewall-1 Denial of Service

FireWall-1 Denial of Service
Reported June 6 by Lance Spritzer

VERSIONS EFFECTED
Firewall-1 v4.0 and v4.1

DESCRIPTION

A denial of service condition exists in versions 4.0 of FireWall-1 which is caused by fragmented IP packets. According to Checkpoint, if a person uses the "jolt2" program to send a stream of extremely large IP fragments to a FireWall-1 gateway, in some cases the action will cause the write mechanism to consume all CPU resources on the firewall system.

The discoverer"s full report is listed below. 

<DISCLAIMER>
It was never my intent to identify a DoS attack on FW-1. I was attempting to research and understand how FW-1 handles IP Fragmentation.  Everthing that follows is a result of that research. Full findings of my research can be found at
http://www.enteract.com/~lspitz/fwtable.html.
</DISCLAIMER>

On Saturday, May 27, I identified a major DoS attack for FW-1. CheckPoint was immediately notified.  Since then, they have
developed a short term solution and are currently working on a long term solution (see details below).

Symptopms
---------
CPU mysteriously hits 100% utilization, system locks up. Some systems may also crash, depending on OS type.

Installations Vulnerable
-------------------------
1.  I have reason to believe that every installation of FW-1 is vulnerable, regardless of Operating System type or version/patch
level of the FW-1 installation.  However, this has only been tested and confirmed with ver 4.1 SP1 on the Nokia, and ver 4.1 on NT and
Solarix x86 platform.

2.  There is NO way to protect against it \[ note:  see Checkpoint"s workaround below which stops this attack \] .  Your rulebase cannot stop this attack.  If your rulebase is denying everything, you are still vulnerable.

3.  FW-1 does NOT log these attacks in the firewall logs.  Not only will the firewall will be taken out, but it is difficult to determine why.  Illegally fragmented packets (such as those generated by jolt2) may be logged by Unix systems to /var/adm/messages.


Exploit
-------
Most frag based attacks that use incomplete or illegal fragments will work, including jolt2.  The firewall does not have to be attacked directly, if the frags are routed through the firewall for a system behind the firewall, FW-1 is still taken out.

Reason
------
FW-1 does not inspect, nor does it log, fragmented packets untill the packet has first been completely reassembled.  Since these exploit packets are never fully assembled, they are never inspected nor logged. Thus, the firewall"s own rulebase cannot be used to protect against the attack.
For more information on FW-1 IP Fragmentation reassembley, see http://www.enteract.com/~lspitz/fwtable.html

The actual CPU utilization is most likely the result of the application attempting to reassemble hundreds or thousands of incomplete and
illegally fragmented packets.  As stated above, the firewall rulebase cannot block these packets, as they are never inspected. Other firewalls may have the same problem and vulnerability.

Solutions
---------
1.  CheckPoint has developed a short term solution to the problem.  A
percentage of CPU utilization is due to console error messages on some Unix systems. By disabling FW-1 kernel logging, some CPU utilization will be saved.  However, all FW-1 kernel logging is disabled, you will have no capability for logging any firewall kernel events. At the command line on the Firewall, type as root:
                 fw ctl debug -buf

2.  Ensure the operating system has the latest patches.  Most operating system have recently released patches that help protect against fragment attacks.

3.  Run an IDS module (such as snort).  When you detect frag attacks block the Src at the router (remember, the firewall CANNOT stop the attack, its rulebase is powerless).  However, this method may not work with spoofed Src packets.

4. CheckPoint is developing a long term solution, which will be distributed as part of a later Service Pack.  However, this fix was not available for testing at the time of this post.

Thanks
------
I appreciate the help and involvement from the following people in helping with this issue.

Chris Brenton, Dartmouth"s Institute for Security Technology Studies
Dameon Welch-Abernathy, http://www.phoneboy.com/fw1

Joe DiPietro, CheckPoint
Robert Slayton, CheckPoint
Mark Elliott, CheckPoint

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html

VENDOR RESPONSE

Checkpoint"s Web page regarding this matter states that they are working on service packs for versions 4.0 and 4.1. It also states that "As an interim workaround, customers can disable the console logging, thereby mitigating this issue by using the following command line on their FireWall-1 module(s):

$FWDIR/bin/fw ctl debug -buf

This takes effect immediately. This command can be added to the $FWDIR/bin/fw/fwstart command in order to be enabled when the firewall software is restarted. It should be noted that although this command will disable fragmentation console output messages, standard log messages (e.g., Long, Short, control messages, etc.) will continue to operate in their traditional way."

CREDITS
Discovered and reported by Lance Spritzer
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
DevSecOps concept
90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
Apr 20, 2024
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024
employee working on a laptop with AI
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024