R7-0038: Check Point Endpoint Security Server Information Disclosure February 7, 2011 -- Vulnerability Details: The Check Point Endpoint Security Server and Integrity Server products inadvertently expose a number of private directories through the web interface. These directories include the SSL private keys, sensitive configuration files (often containing passwords), and application binaries. Examples of exposed files include: https://server/conf/ssl/apache/integrity-smartcenter.cert https://server/conf/ssl/apache/integrity-smartcenter.key https://server/conf/ssl/apache/integrity.cert https://server/conf/ssl/apache/integrity.key https://server/conf/ssl/apache/smartcenter.cert https://server/conf/ssl/integrity-keystore.jks https://server/conf/ssl/isskeys.jks https://server/conf/ssl/openssl.pem https://server/conf/integrity.xml https://server/conf/jaas/users.xml https://server/bin/DBSeed.xml These files are also exposed via the Tomcat server: http://server:8080/conf/ssl/apache/integrity-smartcenter.cert -- Vendor Response: Check Point has issued a hotfix for Endpoint Security Server versions R71, R72 and R73 and Integrity Server version 7. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk57881 This patch blocks remote access to the Tomcat instance (8080) and restricts access to private directories via POST and GET requests. This patch does not prevent a remote attacker from determining the size of a sensitive file by using HEAD requests. -- Disclosure Timeline: 2010-11-08 - Vulnerability reported to Check Point 2010-11-09 - Acknowledgement from Check Point 2010-11-29 - Advisory and hotfix released by Check Point 2011-01-19 - Remote check published for Rapid7 NeXpose 2011-02-07 - Detailed advisory released by Rapid7 -- Credit: This vulnerability was discovered by HD Moore -- About Rapid7 Security Rapid7 provides vulnerability management, compliance and penetration testing solutions for Web application, network and database security. In addition to developing the NeXpose Vulnerability Management system, Rapid7 manages the Metasploit Project and is the primary sponsor of the W3AF web assessment tool. Our vulnerability disclosure policy is available online at: http://www.rapid7.com/disclosure.jsp _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/