Check Point Endpoint Security Server Information Disclosure Vulnerability

Summary

The Check Point Endpoint Security Server and Integrity Server products inadvertently expose a number of private directories through the web interface.

Credit:

The information has been provided by HD Moore.
The original article can be found at: http://seclists.org/fulldisclosure/2011/Feb/118


Details

Vulnerable Systems:
 * Check Point Server version R71
 * Check Point Server version R72
 * Check Point Server version R73
 * Check Point Integrity Server version 7.

Examples of exposed files include:
https://server/conf/ssl/apache/integrity-smartcenter.cert
https://server/conf/ssl/apache/integrity-smartcenter.key
https://server/conf/ssl/apache/integrity.cert
https://server/conf/ssl/apache/integrity.key
https://server/conf/ssl/apache/smartcenter.cert
https://server/conf/ssl/integrity-keystore.jks
https://server/conf/ssl/isskeys.jks
https://server/conf/ssl/openssl.pem
https://server/conf/integrity.xml
https://server/conf/jaas/users.xml
https://server/bin/DBSeed.xml

These files are also exposed via the Tomcat server:
http://server:8080/conf/ssl/apache/integrity-smartcenter.cert

The directories include the SSL private keys, sensitive configuration files (often containing passwords), and application binaries.

Patch Availability:
This patch blocks remote access to the Tomcat instance (8080) and restricts access to private directories via POST and GET requests. This patch does not prevent a remote attacker from determining the size of a sensitive file by using HEAD requests.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk57881
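
A detection sketch for the residual exposure described above, added here and not part of the original advisory or of Check Point's hotfix: it scans web access logs for requests to the private directories and separates refused requests, served files, and HEAD requests that still succeed. The common log format, the case-insensitive path match and the sample lines are assumptions.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Private directories named in the advisory, relative to the web root.
PRIVATE_PREFIXES = ("/conf/", "/bin/")

# Apache/Tomcat common-log-format prefix (assumed log format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return (client, method, path, verdict) for a private-directory request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Normalise the request target; the prefix match is case-insensitive (assumption).
    raw = unquote(m["target"].split("?", 1)[0])
    path = "/" + posixpath.normpath(raw).lstrip("/")
    if not (path.lower() + "/").startswith(PRIVATE_PREFIXES):
        return None
    if not m["status"].startswith("2"):
        verdict = "blocked"      # request refused: the expected state after the hotfix
    elif m["method"] == "HEAD":
        verdict = "size-leak"    # headers only, but Content-Length discloses the file size
    else:
        verdict = "exposed"      # body served: treat keys and passwords as compromised
    return m["client"], m["method"], path, verdict

def audit(log_text):
    """Classify every line; return (verdict counts, findings that need follow-up)."""
    hits = [h for h in map(classify, log_text.splitlines()) if h]
    return Counter(h[3] for h in hits), [h for h in hits if h[3] != "blocked"]

# Constructed sample log lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Feb/2011:10:00:01 +0000] "GET /conf/ssl/apache/integrity.key HTTP/1.1" 200 1675
192.0.2.10 - - [07/Feb/2011:10:00:02 +0000] "HEAD /conf/ssl/isskeys.jks HTTP/1.1" 200 -
198.51.100.7 - - [07/Feb/2011:10:00:03 +0000] "GET /conf/jaas/users.xml HTTP/1.1" 403 199
198.51.100.7 - - [07/Feb/2011:10:00:04 +0000] "POST /bin/DBSeed.xml HTTP/1.1" 200 5120
198.51.100.7 - - [07/Feb/2011:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 812
"""

if __name__ == "__main__":
    counts, findings = audit(SAMPLE_LOG)
    print(dict(counts), *findings, sep="\n")
```

Any "exposed" hit on a key or keystore file means the corresponding certificate and credentials should be rotated, not just the server patched.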

Disclosure Timeline:
2010-11-08 – Vulnerability reported to Check Point
2010-11-09 – Acknowledgement from Check Point
2010-11-29 – Advisory and hotfix released by Check Point
2011-02-07 – Detailed advisory released