Security Best Practice: Adobe Flash Proxy Auto-Discovery DHCP Traffic Inspection

Check Point Reference: SBP-2008-11
Date Published:
Severity:
Source: SmartDefense Research Center
Protection Provided by:
VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
VSX
  • NGX R65
InterSpect
  • NGX
Who is Vulnerable?
Microsoft Windows Systems
Vulnerability Description
The Dynamic Host Configuration Protocol (DHCP) is a protocol used by networked devices to obtain the parameters necessary for operation in an Internet Protocol network. This protocol reduces system administration workload, allowing devices to be added to the network with little or no manual configuration.
Adobe Flash is multimedia software that is commonly used to create animation, advertisements, and various web page components.
Flash Player 8 includes a feature that allows auto-discovery of an Edge server on a local network. When the connection is created, a broadcast is sent on the DHCP port; the Edge server answers the request, and the Flash Player reconnects through the Edge server.

By default, the SmartDefense DHCP Protocol Enforcement protection blocks this kind of pseudo-DHCP traffic.
The update enables users to allow such traffic without inspection.
Vulnerability Details
The update allows users to configure the DHCP protection: when the "Do not inspect Adobe Flash 8 Proxy Auto-Discovery pseudo DHCP" inner checkbox is selected, packets of this type are not inspected (as they are not real DHCP packets). When such traffic is discovered, an appropriate log is issued according to the track option, even when the traffic is allowed.

Protection Overview
The SmartDefense DHCP protection enforces the DHCP protocol, blocking the pseudo-DHCP packets of Adobe Flash 8.0.
It is recommended that users leave the "Do not inspect Adobe Flash 8 Proxy Auto-Discovery pseudo DHCP" checkbox unselected and select it only if the DHCP protection issues many Adobe Flash logs.
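
To illustrate why a non-DHCP payload sent on the DHCP port fails protocol enforcement, the following added example (not Check Point's implementation and not part of the original advisory) checks a UDP payload against the DHCP message layout from RFC 2131/2132. Both sample payloads are constructed; the non-DHCP one is arbitrary bytes and does not reproduce the Flash Player format, which this page does not describe.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie, right after the 236-byte BOOTP header

def check_dhcp(payload):
    """Return structural violations for a UDP/67-68 payload; [] means it parses as DHCP."""
    if len(payload) < 240:
        return ["shorter than BOOTP header plus magic cookie"]
    errs = []
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    if op not in (1, 2):
        errs.append(f"op={op} is neither BOOTREQUEST (1) nor BOOTREPLY (2)")
    if hlen > 16:
        errs.append(f"hlen={hlen} exceeds the 16-byte chaddr field")
    if payload[236:240] != DHCP_MAGIC:
        return errs + ["magic cookie missing"]
    i, msg_type, seen_end = 240, None, False
    while i < len(payload):  # walk the code/length/value options (RFC 2132)
        code = payload[i]
        if code == 0:  # pad option: single byte, no length
            i += 1
            continue
        if code == 255:  # end option
            seen_end = True
            break
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            errs.append(f"option {code} truncated")
            break
        if code == 53 and payload[i + 1] == 1:
            msg_type = payload[i + 2]
        i += 2 + payload[i + 1]
    if msg_type is None or not 1 <= msg_type <= 8:  # 1..8 = DISCOVER..INFORM
        errs.append("no valid DHCP message type (option 53)")
    if not seen_end:
        errs.append("options not terminated by end option")
    return errs

def build_discover():
    """Constructed sample: a minimal, well-formed DHCPDISCOVER."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    hdr += bytes(16)                                   # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex("020000000001") + bytes(10)   # chaddr padded to 16 bytes
    hdr += bytes(64 + 128)                             # sname, file
    return hdr + DHCP_MAGIC + bytes([53, 1, 1, 255])

# Constructed sample: arbitrary non-DHCP bytes on the DHCP port (NOT the real Flash format).
NON_DHCP = b"constructed non-DHCP discovery payload".ljust(300, b"\x00")

if __name__ == "__main__":
    for name, pkt in (("discover", build_discover()), ("non-dhcp", NON_DHCP)):
        print(name, check_dhcp(pkt) or "valid DHCP")
```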

To activate the protection, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, open the Protection tab, and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > DHCP.
2. In the configuration pane, under Settings > Mode, check Active.
3. In order to allow the Adobe Flash traffic, select the following checkbox: 

Do not inspect Adobe Flash 8 Proxy Auto-Discovery pseudo DHCP

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: DHCP Protocol Enforcement Violation
Attack Information: Adobe Flash Proxy Auto-Discovery traffic detected

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > DHCP.
2. In order to allow the Adobe Flash traffic, in the configuration pane select the following checkbox: 

Do not inspect Adobe Flash 8 Proxy Auto-Discovery pseudo DHCP

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: DHCP Protocol Enforcement Violation
Attack Information: Adobe Flash Proxy Auto-Discovery traffic detected

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > DHCP.
2. In the configuration pane, under Settings > Mode, check Active.
3. In order to allow the Adobe Flash traffic, select the following checkbox: 

Do not inspect Adobe Flash 8 Proxy Auto-Discovery pseudo DHCP

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: DHCP Protocol Enforcement Violation
Attack Information: Adobe Flash Proxy Auto-Discovery traffic detected

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > DHCP.
3. In order to allow the Adobe Flash traffic, in the configuration pane select the following checkbox: 

Do not inspect Adobe Flash 8 Proxy Auto-Discovery pseudo DHCP

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: DHCP Protocol Enforcement Violation
Attack Information: Adobe Flash Proxy Auto-Discovery traffic detected