This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
diogoreis
Explorer
‎2022-03-22 11:07 AM

Connection Reset with specific HTML white-space: pre-line

There is a specific substring in HTML files that causes a connection reset when serving the request, and it seems to be caused by the Check Point VPN.

I've tested in three different clients' Check Point VPNs, in several browsers (Chrome, Firefox, Edge, Internet Explorer). The file is being hosted on a IIS server. Browsing on the server, the page shows correctly, only when outside the server, when the request must pass through the VPN, does the issue occur. I've tried on different VPNs without any issues.

 

The minimum HTML file content that causes the problem (the newline is necessary), and yes I know this is not a valid HTML file, this was the least amount of HTML that manages to cause the connection reset.:

<p>{white-space: pre-line;}</p>
X

 

Here is a valid HTML file that also causes the problem:

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <style type="text/css">
    body { white-space: pre-line; }
  </style>
</head>
<body>
  <h1>HTML test</h1>
</body>
</html>

 

Has anyone reported a similar issue, or can anyone reproduce the problem please?

Thank you very for your help

Labels
0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2022-03-22 02:20 PM

What precise version/JHF level are we talking about?
Also, what drops do you see on the gateway side in the logs?
I suspect an IPS or Core protection is being triggered.

diogoreis
Explorer
‎2022-03-25 03:44 AM
In response to PhoneBoy

First of all, thank you for your reply. We were able to use a workaround for the problem.

The person responsible for the changes in the Check Point configuration described to us the issue and workaround. Any errors or mistranslations are my fault, so I apologise in advance.

> What precise version/JHF level are we talking about?
Checkpoint 6000 em R80.40 JHF-Take156.

> Also, what drops do you see on the gateway side in the logs?
There were no drops on the gateway. When the IPS Software Blade was specified, they were able to confirm that Check Point was blocking the access to that specific URL.

> I suspect an IPS or Core protection is being triggered.
The IPS Software Blade was preventing access to the URL. Source Atack Name: Web Client Enforcement Violation / Atack Information: Microsoft Internet Explorer Memory Corruption (MS16-104: CVE-2016-3247)
The workaround used was: an exception to the action of that Violation (MS16-104: CVE-2016-3247) in the internal networks, because of VPN use, when accessing the URL by http/https.


I believe the issue is described here:
https://www.exploit-db.com/exploits/40797

The mitigation used seems more broad than necessary, given that the following HTML is blocked:

<p>{white-space: pre-line;}</p>
X

Thank you again for your help

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events