News

01.10.07

The most secure version of the Check Point Firewall-1 has been hacked. The target of evaluation was the Secure Platform R60, which is certified at assurance level EAL4+ under the Common Criteria. The certification process was carried out by NIST and NSA.

Penetration tester Hugo Vázquez Caramés achieved a local privilege escalation exploit on the target system, which allows a restricted user to bypass several security mechanisms and finally get root access to the Firewall-1. Even if this hack does not pose a high security risk in itself, it shows weaknesses in the certification process carried out by NIST and NSA. It also proves that there are no additional security mechanisms that completely prevent the exploitation of buffer overflows - they only make hacking more time-consuming. In addition, Hugo found several other binaries on the system that use function calls potentially vulnerable to buffer overflow attacks. So a remotely exploitable hack of Firewall-1 could theoretically be possible, and the result would be complete access to the firewall and, indirectly, to the backend system.

The problem is the underlying concept of common firewall systems. They claim to be secure, but if they are hacked, all data and the backend system are exposed to the attacker. In his paper, Hugo advises using firewall systems based on trusted operating systems with domain-based access control - here the QTrust Server fits perfectly. The QTrust Server is of course a hardened system, but instead of claiming to be unbreakable it additionally minimizes the impact of a successful attack by restricting process privileges with the PitBull trusted OS. For more information about the QTrust Server and its benefits, please contact us and ask for an appointment for a web-based presentation (using WebEx).

The paper describing the hacking procedure, including pages 215 f. for the user who is not versed in security, can be found at http://www.pentest.es/checkpoint_hack.pdf.

category: security












