Bugtraq mailing list archives

Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x

From: jkowall () CINTERACTIVE COM (Jonah Kowall)
Date: Fri, 21 Jan 2000 16:57:16 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

These are not vulnerabilities in my eyes, they are poor admin
problems:)

1)      This is standard on almost every OS, if you want to be secure run
against RADIUS and have that reject after x failures, or even against
NT.  This is available in checkpoint 3.x and 4.x.

2)      This is absolutely poor configuration.  You should always set to
deny traffic to your firewall, its in every checkpoint book, and
every piece of literature you read about network security.

thanks for hearing me out

- -----Original Message-----
From: root [mailto:saintjon () SYSCONN COM]
Sent: Friday, January 21, 2000 9:32 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x

There are two vulnerabilities in FW-1.  The first is an
authentication
issue, the other  is a configuration issue.  Since I don't have a
copy
of 4.x FW-1 handy maybe someone can check it for me.

#1
The basic authentication used in Checkpoint FW-1 used for
inside/outbound and outside/inbound allows unlimited attempts to
authenticate without a timeout or disconnect between unsuccessful
attempts.  To make matters worse, the attempt at authentication will
let
you know if you have the wrong username before you are allowed to
enter
in the passsword.

The exploit is trivial, grind away at user names until you hit one
that
works and then grind away at passwords with the username you just
found
until you find one that works.

For an example of this, set authentication on the FW-1 software to
authenticate telnet connections.  Telent to a destination past the
firewall, when prompted for a username, pound away.  A script could
crack the authentication in a very short time.

The workaround is to use Checkpoint's encrypted authentication
program
"SecuRemote" and not allow clear text authentication (browser based,
telnet, etc.) to destinations beyond the firewall.

#2
The default configuration in FW-1 allows for rlogin management of the
server.  The rlogin prompt is avaialable on all NICs.  Unless a rule
is
placed in your ruleset to drop or reject all connections to the
firewall, the authentication problem above can be used to remotely
administer someone elses firewall without them knowing.

The workaround is to include the rule.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1

iQA/AwUBOIjWPt1o2HZknv69EQLeZgCgkW62tNKvZHrm7VNAGCdkrlkX0ZAAoIs6
fhOD5pizYcI2gI8KXrV9ZSm4
=2xkT
-----END PGP SIGNATURE-----

Current thread:

Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x Scott, Richard (Jan 21)
- <Possible follow-ups>
- Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x Jonah Kowall (Jan 21)