Check Point Firewall-1 LDAP Authentication Vulnerability

Vulnerability Details

Vulnerability Summary

Firewall-1 does not correctly restrict access according to LDAP attributes.

Vulnerability Advisory

Check Point Support emailed the following information to vuldb@securityfocus.com:
Resolution: After investigation, Check Point Software confirms this as the appropriate behavior with “standard” checked in “Required Sign On” field under “Client Authentication”. In other words, when using “standard” sign-on, the “Destination” field under “Client Authentication” properties cannot be intersected with the user database property which defines user access to specific destinations. Accordingly, the “Destination” field is grayed out in the Client Authentication Action Properties. This information is documented on Page 534 of VPN-1/FW-1 Administration Guide where it is stated that under such circumstances, the “Destination” field is automatically set to “Ignore User Database” and that the user can access all destinations allowed by the rule. The VPN-1/FW-1 GUI can cause confusion because it simply grays out the value set in “Destination” field instead of setting it to “Ignore User Database”. But internally, the “Destination” value is set to “Ignore User Database”. The GUI will be amended in the subsequent release of VPN-1/FW-1 to make this more clear. It is important to note that the “Source” field can be intersected with user database even if standard sign-on is selected under Client Authentication.
Also, this behavior is independent of whether the user is defined in the VPN-1/FW-1 internal database or an external LDAP-compliant directory server.
If one would like to enforce the “allowed-destinations” attribute (defined for each user) under Client Authentication Rule, the “Required Sign On” field must be set to “Specific”, and an appropriate Sign-On Method should be selected.
This limitation does not exist under User Authentication Rules.

References

Source: BUGTRAQ
Name: 19991020 Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication
Link: http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991020150002.21047.qmail@tarjan.mediaways.net

Source: BID
Name: 725
Link: http://www.securityfocus.com/bid/725

Source: OSVDB
Name: 1117
Link: http://www.osvdb.org/1117

Affected Entities
