Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x

[markus () HOFMAR DE (Markus Hofmann)]

On Fri, 21 Jan 2000, root wrote:

> #1
> The basic authentication used in Checkpoint FW-1 used for
> inside/outbound and outside/inbound allows unlimited attempts to
> authenticate without a timeout or disconnect between unsuccessful
> attempts.  To make matters worse, the attempt at authentication will let
> you know if you have the wrong username before you are allowed to enter
> in the passsword.
>
> The exploit is trivial, grind away at user names until you hit one that
> works and then grind away at passwords with the username you just found
> until you find one that works.
>
> For an example of this, set authentication on the FW-1 software to
> authenticate telnet connections.  Telent to a destination past the
> firewall, when prompted for a username, pound away.  A script could
> crack the authentication in a very short time.
>
> The workaround is to use Checkpoint's encrypted authentication program
> "SecuRemote" and not allow clear text authentication (browser based,
> telnet, etc.) to destinations beyond the firewall.

In 4.0 this is the same (and 4.1?). another solution is to use
one-time-passwords or generally token based passwords like SecurID (but
the session should additional make use of securemote due to preventing
man-in-the-middle attacks). SecuRemote alone does not prevent from
guessing the username - it only encrypts and authenticate your session.
With VPN-1 4.0 and SecuRemote I get an different error-message if I either
use a wrong username or a wrong password. So you always could guess
usernames (this is maybe only restricted to FWZ and not to IKE - I don't
know)

> #2
> The default configuration in FW-1 allows for rlogin management of the
> server.  The rlogin prompt is avaialable on all NICs.  Unless a rule is
> placed in your ruleset to drop or reject all connections to the
> firewall, the authentication problem above can be used to remotely
> administer someone elses firewall without them knowing.
>
> The workaround is to include the rule.

Isn't this one of the implicit rules? For security I would prefer to
disable all implicit rules (another one is to allow all outgoing packets
originated to the firewall - or to allow all icmp-traffic)

yours sincerely

M. Hofmann

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Markus Hofmann          Phone:    +49 170 2848250
St. Urbanusstr. 15      Fax:      +49 9371 2032
                        E-Mail:   hofmann () hofmar de
63927 Buergstadt        SMS-Mail: sms () hofmar de (Only Subject)
Germany                 PGP-Keys: look at http://www.hofmar.de
---------------------------------------------------------------------
         Only written with 100% recycleable electrons!