[VIM] unverifiable: CVE-2008-5850 / Check Point "SPLAT" issue

Steven M. Christey coley at linus.mitre.org
Fri Jan 9 21:25:32 UTC 2009


All,

A clarification on a Check Point issue that's been going around.

We published CVE-2008-5850 for a Full-Disclosure post by an unknown party
who may be selling exploit details for auction.  We've had inconsistent
policy on how to handle claims that contain no actionable details.  We
used to do this for bug auctions, but it was too unwieldy and you never
actually knew what was being reported.  Lately, we have generally limited
this practice to reliable parties - which usually means pre-announcements.
This also has its downside (e.g. assigning one generic CVE when multiple
issues may be disclosed).  At any rate, the assignment of CVE-2008-5850
probably wasn't consistent with our normal practices.  But now the CVE is
out, and of course the original Full-Disclosure post is archived in many
places.  Unless there is some clear public claim from a reliable party, or
otherwise verifiable information is provided, we are marking the CVE as
"UNVERIFIABLE."

- Steve

======================================================
Name: CVE-2008-5850
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5850
Acknowledged: unknown
Announced: 20081211
Flaw: unk
Reference: FULLDISC:20081211 Checkpoint Sources plus SPLAT Remote Root Exploit
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0343.html
Reference: MLIST:[scadasec] 20081211 Checkpoint Sources plus SPLAT Remote Root Exploit.
Reference: URL:http://news.infracritical.com/pipermail/scadasec/2008-December/002627.html
Reference: MISC:http://packetstormsecurity.org/0812-advisories/checkpwnt-src.txt

** UNVERIFIABLE **

Unspecified vulnerability in the SmartCenter server for Check Point
VPN-1 R55 through R65, as used in SecurePlatform, allows remote
attackers to change the admin and expert passwords, and possibly have
other impact, via unknown vectors involving a TCP session on the Check
Point Management Interface (CPMI) port (18190/tcp), aka "SPLAT Remote
Root Exploit."  NOTE: this issue has no actionable details and was
disclosed by a person of unknown reliability who did not coordinate
with the vendor.  As of 20090109, there has not been an independent
public confirmation of this issue by a reliable party.  CVE has no
additional information regarding whether the original claim was valid
or not.


Analysis:
INCLUSION: This was posted anonymously to FULLDISC. There were no
disputes or other followup posts on FULLDISC. On a separate mailing
list, a third party (Francisco Guerreiro) states that "yes, it IS
real." The third party apparently has some subject matter expertise
(e.g., see www.linkedin.com/in/francisg). There was one followup
(002629.html) from a reliable researcher (Jeremy Brown) who stated
that it was an "Interesting post" and did not dispute the original
FULLDISC claims. Also, the original FULLDISC post was picked up by
packet storm.

WIKI: Note that SPLAT is another name for the Check Point
SecurePlatform product. SPLAT is not the name of the exploit code.



