Check Point warns of firewall flaws

By Robert Lemos
Posted on ZDNet News: Feb 5, 2004 2:35:00 AM

Two flaws in Check Point Software's flagship firewall software could allow an attacker to crash or compromise its firewall products, the company said Wednesday.

The flaws--found by security firm Internet Security Systems (ISS)--may give intruders access to corporate networks through the devices designed to keep attackers out.

"Really controlling the firewall is controlling the gatekeeper for the network," said Dan Ingevaldson, director of vulnerability researcher and development for ISS. "If (an attacker) can control all the data going in and out--really, the game is over at that point."

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

Check Point released a patch for its latest line of firewalls, the NG, or Next Generation series. The patch corrects a flaw in the way the software inspects Web data passing through the device. The second flaw affects the company's earlier virtual private network product, VPN-1, and won't be fixed, as Check Point no longer supports the software.

"About 70 percent (of our customers) or better are on NG," said Mark Kraynak, product marketing manager for Check Point. "The (earlier version) is no longer supported, so customers still on (that version) are in the process of migrating."

Ingevaldson said the vulnerabilities are serious, but that writing the code to exploit the issues is not easy.

"If you look at the history of the vulnerabilities in Check Point, a lot of them have been theoretical," he said. "In this case, what we are looking at is a machine working in a default environment, in default conditions, and they are still vulnerable."

Both Check Point and ISS have released advisories on the issues.