[13504] in bugtraq
Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x
daemon@ATHENA.MIT.EDU (Scott, Richard)
Sun Jan 23 18:10:51 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <F74E89C7EA1DD31186E900805FA7993002E134F8@cs02mail.bestbuy.com>
Date: Fri, 21 Jan 2000 15:43:48 -0600
Reply-To: "Scott, Richard" <Richard.Scott@BESTBUY.COM>
From: "Scott, Richard" <Richard.Scott@BESTBUY.COM>
X-To: root <saintjon@SYSCONN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Root>
There are two vulnerabilities in FW-1. The first is an
authentication
issue, the other is a configuration issue. Since I don't have a
copy
of 4.x FW-1 handy maybe someone can check it for me.
#1
The basic authentication used in Checkpoint FW-1 used for
inside/outbound and outside/inbound allows unlimited attempts to
authenticate without a timeout or disconnect between unsuccessful
attempts. To make matters worse, the attempt at authentication will
let
you know if you have the wrong username before you are allowed to
enter
in the passsword.
The exploit is trivial, grind away at user names until you hit one
that
works and then grind away at passwords with the username you just
found
until you find one that works.
For an example of this, set authentication on the FW-1 software to
authenticate telnet connections. Telent to a destination past the
firewall, when prompted for a username, pound away. A script could
crack the authentication in a very short time.
The workaround is to use Checkpoint's encrypted authentication
program
"SecuRemote" and not allow clear text authentication (browser based,
telnet, etc.) to destinations beyond the firewall.
Surely this work around doesn't work. Unless I am mistaken, it
matters not whether you use the encrypted method or not. The problem is the
authentication can be brute force until the cows come home. Using
encryption isn't the key, logging failed attempts and account closure would
be better, along with not hinting at usernames too!
Whether the authentication method does this anti brute force check I
as yet do not know.
Cheers
r.
Richard Scott
BestBuy.Com
* Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA
The views expressed in this email do not represent Best Buy
or any of its subsidiaries.
