Check Point Questions ISS Practices After Bug Errors.
Check Point Software Technologies Ltd yesterday expressed concern about Internet Security Systems Inc's vulnerability research, after two Check Point vulnerabilities ISS found turned out to be not as serious as publicized.
A critical vulnerability originally thought to affect almost a third of Check Point's VPN-1 customers is now believed to affect only a single-digit percentage. Check Point discovered it had already fixed the problem, in two service packs released in 2002.
Check Point said that, contrary to ISS's original alert, the VPN-1 vulnerability was fixed in Next Generation Feature Pack 2 and v4.1 Service Pack 6, which were released to customers in June and April of 2002 respectively.
"We made the assumption that ISS had done their due diligence," Check Point product marketing manager Mark Kraynak said. "The fact that they didn't test 4.1 Service Pack 6 is a problem. I wouldn't begin to speculate why they didn't do that."
Kraynak added that after Check Point discovered the problem was not as serious as it first thought, it alerted ISS, which requested a copy of the SP6 code to test. Check Point provided the code, and ISS confirmed SP6 was not vulnerable.
Chris Rouland, VP of ISS's X-Force vulnerability research team, said that SP6 was not available during ISS's initial vulnerability research. "SP6 was not available for download as it was listed as end-of-life," an ISS spokesperson said in a statement.
"Basically we were incorrect about one out of eight service packs," Rouland said, adding that it is the first time the company has made such an error. SP1 through 5 for version 4.1 and SP0 and 1 for NG tested as vulnerable.
SP6 is the most-installed version of the older software, however. Kraynak said over 90% of customers are using protected versions of the software and, of the others, "anecdotally, it seems almost all of those customers are not using VPN" and would not be affected.
ISS updated its advisories over the weekend to reflect the new information, but did not draw attention to the changes or change the dates on the advisories, which are prominently positioned on the company's web site.
The VPN-1 vulnerability is serious, however. It can be exploited to provide attackers with full root access to the firewall, letting them configure it to allow further network breaches, ISS discovered. Check Point advises affected customers to upgrade or call tech support for a fix.
Check Point also says ISS, in a second alert published Friday, mischaracterized the extent of another critical vulnerability it had found, this time in the HTTP inspection features in Check Point's latest NG with Application Intelligence firewalls.
Check Point said that ISS reported that the root-compromise vulnerability, for which a patch has been issued, affected all aspects of HTTP inspection, whereas it actually affects only a component of that feature known as HTTP Security Server.
Check Point's NG with Application Intelligence deep-inspects packets using routines in the kernel and in separate software proxies. Only the HTTP proxy component, which Kraynak said few customers have turned on, is vulnerable.
ISS said it had notified Check Point about the vulnerabilities on February 2 and both ISS and Check Point chose to issue security advisories two days later. This is an unusually fast turnaround for any vendor or researcher.
Kraynak said that Check Point publicized the issues quickly because it believed ISS had done a thorough test, and that it had started receiving inquiries from mutual customers, some of whom receive advance vulnerability warnings.
ISS's Rouland characterized the incident as a breakdown of communications between the two companies.
ISS has a responsible disclosure policy of not publicizing vulnerabilities until the affected vendor issues a fix or 30 days elapse without response. It does, however, send advisories to its X-Force Threat Analysis Service customers under non-disclosure agreement one business day after the vendor is notified.
ISS has its roots in the intrusion detection system space, but has made moves over the last twelve months to enter the perimeter security and firewall market, where Check Point is, by some estimates, the market leader.