‘Checkpoint VPN-1 SecuRemote Flaw (Username Verification)’

Summary

‘During an authentication attempt in the VPN-1 SecuRemote Authentication dialog box, a failed login due to an incorrect username or password will result in different responses, depending on the nature of the failure. If the username is valid and the password is incorrect, SecuRemote will return a dialog box with the message ‘Access denied by FireWall-1 authentication’. However, if the username is invalid, SecuRemote will return a dialog box with the message ‘User <unknown_user> not found’. While this is not an actual security hole, it does allow someone to determine valid firewall usernames using brute-force techniques.’

Credit:

‘The information has been provided by Kratter, Dave.’


Details

Vulnerable systems:
4.1 SP4 (4185) VPN+Strong for Windows 2000
4.1 SP4 (4185) VPN+Strong for Windows NT

Vendor status:
Checkpoint was notified on October 16, 2001

Workaround:
One workaround is to define a user in your firewall called ‘generic*’ which will match any username. You need to make sure that the user cannot authenticate or is not specified as the source on any authentication rules, but this will make the firewall report every username as valid.

A slightly more worrying problem with SecuRemote is that it will also identify which authentication method the user has. If you just specify a username without a password then SecuRemote will re-display the authentication window but with a different password prompt such as ‘FireWall-1 Password:’ or ‘PASSCODE:’ etc.
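The two leaks described above (distinct failure messages and a scheme-specific prompt), modelled next to a uniform-response handler. This is an added example, not Check Point code and not part of the original advisory. The account names, scheme labels, `GENERIC_FAILURE` text and the dummy-record step that equalises the work done for unknown names are assumptions, and the last of these goes beyond the workaround given in the advisory.

```python
import hashlib
import hmac
import os

def _kdf(secret: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)

def _record(scheme: str, secret: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "hash": _kdf(secret, salt)}

# Constructed sample accounts; names, secrets and scheme labels are made up.
USERS = {
    "alice": _record("password", "correct horse"),
    "bob": _record("token", "493817"),
}
# Prompts quoted in the advisory, keyed by the hypothetical scheme labels above.
PROMPTS = {"password": "FireWall-1 Password:", "token": "PASSCODE:"}
# Stand-in record so unknown names cost the same KDF work as real ones.
DUMMY = {"scheme": "password", "salt": os.urandom(16), "hash": os.urandom(32)}
GENERIC_FAILURE = "Authentication failed"

def leaky_login(username: str, secret: str) -> str:
    """Models the reported behaviour: the reply reveals why the attempt failed."""
    user = USERS.get(username)
    if user is None:
        return f"User {username} not found"          # name does not exist
    if not secret:
        return PROMPTS[user["scheme"]]               # reveals the auth method
    if not hmac.compare_digest(_kdf(secret, user["salt"]), user["hash"]):
        return "Access denied by FireWall-1 authentication"  # name exists
    return "OK"

def uniform_login(username: str, secret: str) -> str:
    """Same reply and same work for every failure, whatever its cause."""
    user = USERS.get(username, DUMMY)
    matches = hmac.compare_digest(_kdf(secret, user["salt"]), user["hash"])
    return "OK" if matches and username in USERS else GENERIC_FAILURE
```

A regression test for an authentication front end can assert exactly this property: every failed attempt, whatever its cause, produces a byte-identical response.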
