topic Re: Vulnerability on CheckPoint Banner disclosure in General Topics

Vulnerability on CheckPoint Banner disclosure

Prabulingam_N1 — Wed, 10 Jan 2018 14:15:57 GMT

Dear All,

I have a customer reporting on VA report with below:

Banner Disclosure: Fingerprinting

Per their VA scan - Outside Scan done on External IP of Firewall on Port:443

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

HTTP/1.0 404 Not found
Date: Thu, 21 Oct 2017 17:17:50 GMT
Server: Check Point SVN Foundation
Conten-Type: text/html
X-UA-Compatible: IE-EmulateIE7
Conenction: Close
X-Frame-Options: SAMEORIGIN
Last-Modified: Sat, 17 Jan 2015 19:00:00 GMT
Content-Length: 204

<HTML>
<HEAD>
<TITLE>404 File Not Found >/TITLE>
</HEAD>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Per above, it means that External person knows that the organisation is Protected by CheckPoint Firewall and can focus on some accurate methods inorder to enter internal networks.

So customer would like to make the Banner display: CheckPOint SVN Foundation to be masked.

Is there any possibility?

Note: Customer do not have IPS Blade

Scan has done using Burp Suite Tool v1.7.03 Free edition

Any response would be helpful.

Regards, Prabulingam.N

Re: Vulnerability on CheckPoint Banner disclosure

PhoneBoy — Wed, 10 Jan 2018 17:12:44 GMT

Are you using any features that require the gateway to be accessed on port 443 externally?

If not, you might want to prevent access to it entirely.

See: HTTP and HTTPS requests to external interfaces create implied rule 0 accepts in SmartView Tracker

As far as I know, there is no way to change the banner in this situation.

Re: Vulnerability on CheckPoint Banner disclosure

Michael_Lawrenc — Wed, 10 Jan 2018 23:53:24 GMT

I would also point out that I have yet to find a way to make a gateway invisible on port 43. Even with implied rules off, and an explicit rule blocking port 43, it still shows up in scans. Traffic to 43 does get BLOCKED, but the port is still VISIBLE. Why the daemon is responding in any way when I've written an explicit stealth rule is beyond me and something I wish Check Point would fix. (Why is it sending an ACK? The SYN should die in the kernel.) It's a security device - we need to have the ability to make any port completely dark. Yeah, I know, the Big Boys want "ease of use." But, seriously, we should be able to turn a firewall into a black hole to any scan on any interface. Customer do NOT like it when their firewall shows up on a scan and they can't make it go away. (I've run into this on both R77 and R80)

Re: Vulnerability on CheckPoint Banner disclosure

PhoneBoy — Thu, 11 Jan 2018 00:15:11 GMT

The SK I linked to earlier should resolve that issue.

Re: Vulnerability on CheckPoint Banner disclosure

Hugo_vd_Kooij — Thu, 11 Jan 2018 08:19:02 GMT

Your firewall is also a router. So if there is any server at all visible behind the firewall you will be able to detect the firewall.

Just like you can map the Chinese wall on internet for HTTP traffic.

Re: Vulnerability on CheckPoint Banner disclosure

Prabulingam_N1 — Thu, 11 Jan 2018 11:08:53 GMT

Yes, it is.

Since customer had an internal server we have steps inorder to remove those hearders of Server.

But CheckPoint SVN header cannot be removed?

Regards, Prabulingam.N

Re: Vulnerability on CheckPoint Banner disclosure

PhoneBoy — Thu, 11 Jan 2018 14:46:35 GMT

We provide no way to remove the banner and as noted in SK, it's expected behavior: Server disclosure on port 18264

Even if we removed the banner, there are less obvious ways to tell a gateway is Check Point, for example the various ports we use: Ports used by Check Point software

Re: Vulnerability on CheckPoint Banner disclosure

Prabulingam_N1 — Sat, 13 Jan 2018 16:53:05 GMT

Dear Dameon,

Thanks for your inputs.

Regards, Prabulingam.N