R7-0038: Check Point Endpoint Security Server Information Disclosure February 7, 2011 -- Vulnerability Details: The Check Point Endpoint Security Server and Integrity Server products inadvertently expose a number of private directories through the web interface. These directories include the SSL private keys, sensitive configuration files (often containing passwords), and application binaries. Examples of exposed files include: https://server/conf/ssl/apache/integrity-smartcenter.cert https://server/conf/ssl/apache/integrity-smartcenter.key https://server/conf/ssl/apache/integrity.cert https://server/conf/ssl/apache/integrity.key https://server/conf/ssl/apache/smartcenter.cert https://server/conf/ssl/integrity-keystore.jks https://server/conf/ssl/isskeys.jks https://server/conf/ssl/openssl.pem https://server/conf/integrity.xml https://server/conf/jaas/users.xml https://server/bin/DBSeed.xml These files are also exposed via the Tomcat server: http://server:8080/conf/ssl/apache/integrity-smartcenter.cert -- Vendor Response: Check Point has issued a hotfix for Endpoint Security Server versions R71, R72 and R73 and Integrity Server version 7. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk57881 This patch blocks remote access to the Tomcat instance (8080) and restricts access to private directories via POST and GET requests. This patch does not prevent a remote attacker from determining the size of a sensitive file by using HEAD requests. -- Disclosure Timeline: 2010-11-08 - Vulnerability reported to Check Point 2010-11-09 - Acknowledgement from Check Point 2010-11-29 - Advisory and hotfix released by Check Point 2011-01-19 - Remote check published for Rapid7 NeXpose 2011-02-07 - Detailed advisory released by Rapid7 -- Credit: This vulnerability was discovered by HD Moore
Advertisement
