[security-alerts] FW: [SA17621] Check Point Firewall/VPN ISAKMP IKE Message Processing Denial of Service

["Kazennov, Vladimir" <Vladimir.Kazennov@xxxxxxxxxx>]

> 
> 
> TITLE:
> Check Point Firewall/VPN ISAKMP IKE Message Processing Denial of
> Service
> 
> SECUNIA ADVISORY ID:
> SA17621
> 
> VERIFY ADVISORY:
> http://secunia.com/advisories/17621/
> 
> CRITICAL:
> Less critical
> 
> IMPACT:
> DoS
> 
> WHERE:
> From remote
> 
> OPERATING SYSTEM:
> Check Point NGX
> http://secunia.com/product/6010/
> 
> SOFTWARE:
> Check Point Express CI
> http://secunia.com/product/6149/
> Check Point VPN-1/FireWall-1 NG with Application Intelligence (AI)
> http://secunia.com/product/2542/
> Check Point VPN-1/Firewall-1 NG
> http://secunia.com/product/89/
> Check Point FireWall-1 GX 3.x
> http://secunia.com/product/6148/
> 
> DESCRIPTION:
> A vulnerability has been reported in Check Point VPN-1/Firewall-1,
> which can be exploited by malicious users to cause a DoS (Denial of
> Service).
> 
> For more information:
> SA17553
> 
> Successful exploitation reportedly requires that the attacker is able
> to perform a full IKE negotiation with the affected system and
> requires authentication.
> 
> The vulnerability has been reported in the following versions.
> * VPN-1/Firewall-1 NG with AI R54 prior to HFA_417.
> * VPN-1/Firewall-1 NG with AI R55 prior to HFA_16.
> * VPN-1/Firewall-1 NG with AI R55W prior to HFA_04.
> * VPN-1/Firewall-1 NG with AI R55P prior to HFA_06.
> * VPN-1 Pro NGX R60 prior to HFA_01.
> * Check Point Express CI R57.
> * Firewall-1 GX 3.0.
> 
> SOLUTION:
> Install the latest HFA (HotFix Accumulator).
> 
> Note: A fix will reportedly not be released for NG FP3. The vendor
> recommends upgrading to a recent version, and to the most recent HFA
> of this version.
> 
> The vendor reportedly will release hotfixes for Check Point Express
> CI and Firewall-1 GX 3.0 at a later date.
> 
> OTHER REFERENCES:
> SA17553:
> http://secunia.com/advisories/17553/
>