RE: Check Point VPN-1 SecuRemote Flaw

[Andy Fiddaman <af () objectronix co uk>]

One workaround is to define a user in your firewall called
'generic*' which will match any username. You need to make
sure that the user can't authenticate or isn't specified as
the source on any authentication rules but this will make
the firewall report every username as valid.

A slightly more worrying problem with SecuRemote is that it
will also identify which authentication method the user has.
If you just specify a username without a password then
SecuRemote will re-display the authentication window but
with a different password prompt such as 'FireWall-1
Password:' or 'PASSCODE:' etc.

; -----Original Message-----
; From: Kratter, Dave [mailto:dave () mimeo com]
; Sent: 23 October 2001 22:07
; To: 'bugtraq () securityfocus com'
; Subject: Check Point VPN-1 SecuRemote Flaw
; 
; 
; Summary:
;       SecuRemote will show whether a username is
recognized 
; during failed
; login attempts
; 
; Versions Tested:
;       4.1 SP4 (4185) VPN+Strong for Windows 2000
;       4.1 SP4 (4185) VPN+Strong for Windows NT
; 
; Description:
;       During an authentication attempt in the VPN-1
SecuRemote
; Authentication dialog box, a failed login due to an
incorrect 
; username or
; password will result in different responses, depending on
the 
; nature of the
; failure. If the username is valid and the password is 
; incorrect, SecuRemote
; will return a dialog box with the message "Access denied
by FireWall-1
; authentication". However, if the username is invalid, 
; SecuRemote will return
; a dialog box with the message "User <unknown_user> not 
; found". While this is
; not a security hole per se, it does allow someone to
determine valid
; firewall usernames (given enough patience).
; 
; Workaround:
;       Unknown
; 
; Vendor Status:
;       Check Point was notified on October 16, 2001
; 
; 
; 
; David B. Kratter
; Mimeo.com, Inc.
; Quality Assurance Technical Engineer
; 
; Mimeo.com. Click.Print.Bind.Deliver.sm
;