--On Thursday, 29 July 2004 13:48 +0200 Jochen Vogel <jvogel AT IT-SEC DOT DE> wrote:
Is there any vulnerability if I don't use aggressive mode?
My interpretation is "YES" - but I'm also not sure about this.
the answer is: "yes"
The difference is that you need to have a "real communication". The
one-packet attack with aggressive mode is also possible with spoofed source
addresses because you don't need any reply from the FW to arrive at your
end.
this is correct.
the difference is:
if your VPN-partner attacks you, you have really more problems than only a
bug in your fw1 ...
so:
* if you have client-VPN -> install the patch quickly
* if you have only site-2-site VPN and no ike from "everywhere" -> install
the patch but it's not urgent
* if you don't use VPN -> it's not urgent
* if you have 4.1 -> no problem
hope this helps
reinhard
regards
Joachim Bassmann, DELOS AG, Stuttgart, Germany
------------------------------------------------------------
Only when the last Counterstrike has been put on the index, the last video film
banned, and the Internet shut down will you realize that you do have to raise
your children after all. - ChaosWarrior AT AreaDVD DOT de
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
--
Reinhard Stich ASSIST R.Stich AT internet-security DOT at
Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333