N/A

Check Point VPN-1 R55, R65, and other versions, when Port Address Translation (PAT) is used, allows remote attackers to discover intranet IP addresses via a packet with a small TTL, which triggers an ICMP_TIMXCEED_INTRANS (aka ICMP time exceeded in-transit) response containing an encapsulated IP packet with an intranet address, as demonstrated by a TCP packet to the firewall management server on port 18264.

N/A

N/A

Check Point VPN-1防火墙产品端口地址翻译信息泄露漏洞

Check Point VPN-1 Power和UTM都是Check Point开发的防火墙类产品。 如果远程攻击者向VPN-1 Power和UTM所发送的特制报文被端口地址翻译(PAT)映射到内部设备上的端口的话，生成的ICMP错误报文中可能会包含有关内部网络的信息。此时如果存活时间(TTL)设置的过低的话，上述防火墙产品就无法正确的过滤ICMP报文中的封装IP头，导致泄露内部IP地址。

N/A

N/A