[NEWS] Checkpoint VPN-1 SecuRemote Flaw (Username Verification)

From: support@securiteam.com
Date: 10/28/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Checkpoint VPN-1 SecuRemote Flaw (Username Verification)
Message-Id: <20011028072510.B45E5138BF@mail.der-keiler.de>
Date: Sun, 28 Oct 2001 08:25:10 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Checkpoint VPN-1 SecuRemote Flaw (Username Verification)
------------------------------------------------------------------------

SUMMARY

During an authentication attempt in the VPN-1 SecuRemote Authentication
dialog box, a failed login due to an incorrect username or password will
result in different responses, depending on the nature of the failure. If
the username is valid and the password is incorrect, SecuRemote will
return a dialog box with the message "Access denied by FireWall-1
authentication". However, if the username is invalid, SecuRemote will
return a dialog box with the message "User <unknown_user> not found".
While this is not an actual security hole, it does allow someone to
determine valid firewall usernames using brute-force techniques.

DETAILS

Vulnerable systems:
4.1 SP4 (4185) VPN+Strong for Windows 2000
4.1 SP4 (4185) VPN+Strong for Windows NT

Vendor status:
Checkpoint was notified on October 16, 2001.

Workaround:
One workaround is to define a user in your firewall called 'generic*',
which will match any username. Make sure that this user cannot
authenticate or is not specified as the source on any authentication
rules. With this entry in place, the firewall will report every username
as valid.

A slightly more worrying problem with SecuRemote is that it will also
identify which authentication method the user has. If you just specify a
username without a password then SecuRemote will re-display the
authentication window but with a different password prompt such as
'FireWall-1 Password:' or 'PASSCODE:' etc.
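
The two disclosures described above, modelled beside a hardened login path. This is an added example, not Check Point code and not part of the original advisory: the account names, the hashed-password model for both schemes, the generic reply strings and all function names are assumptions. It also goes one step beyond the advisory by running the same key-derivation work for unknown names, so response time does not separate them either.

```python
import hashlib
import hmac
import os

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _user(scheme, password):
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "hash": _kdf(password, salt)}

# Constructed sample accounts; both schemes are modelled as a password hash.
USERS = {
    "alice": _user("FireWall-1 Password", "correct horse"),
    "bob": _user("PASSCODE", "123456"),
}
# Record used for unknown names so they cost the same KDF work; its hash is
# random, so no password matches it.
_DUMMY = {"salt": os.urandom(16), "hash": os.urandom(32)}

def _check(rec, password):
    return hmac.compare_digest(_kdf(password, rec["salt"]), rec["hash"])

def leaky_login(user, password):
    """Behaviour described in the advisory: each failure has its own reply."""
    rec = USERS.get(user)
    if rec is None:
        return f"User {user} not found"            # name does not exist
    if not password:
        return rec["scheme"] + ":"                 # prompt reveals the scheme
    if not _check(rec, password):
        return "Access denied by FireWall-1 authentication"  # name exists
    return "OK"

def uniform_login(user, password):
    """Hardened form: one prompt and one denial for every failure."""
    if not password:
        return "Password:"
    rec = USERS.get(user, _DUMMY)
    matched = _check(rec, password)                # always run the KDF
    return "OK" if matched and user in USERS else "Authentication failed"

def leaks(login):
    """True if replies differ between two valid names and an unknown name."""
    names = ("alice", "bob", "nosuchuser")
    return any(len({login(n, pw) for n in names}) > 1 for pw in ("", "wrong"))

if __name__ == "__main__":
    print("leaky:", leaks(leaky_login), "uniform:", leaks(uniform_login))
```

The `leaks` helper can serve as a regression check: it fails as soon as any failure path starts returning a reply that depends on the username.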

ADDITIONAL INFORMATION

The information has been provided by Kratter, Dave <dave@mimeo.com>.
