Remote users at risk from CheckPoint Firewall-1 hole
Businesses using CheckPoint's flagship Firewall-1 product are at risk from two potentially serious flaws, according to security...
The flaws in the widely-used package could leave businesses open to attackers who first enumerate valid remote-user names and then run a dictionary attack against those users' passwords.
CheckPoint told CW360.com it was investigating the NTA Monitor report.
Most authentication systems require both a username and a password before the server gives any answer to a login attempt. However, NTA Monitor said that some versions of Firewall-1 respond to a username alone, allowing a remote attacker to determine whether a remote user's username is valid without knowing the associated password.
This could then be exploited in a dictionary attack, according to Roy Hills, technical director of NTA Monitor. "The main problem is that you do not have to specify a username and password combination in order for Firewall-1 to send a response," said Hills.
A hacker could build a list of valid usernames through trial and error. "Once you have found a valid username, you can determine the password easily as people tend to choose simple, easy to remember passwords," Hills added.
With a valid username and password combination, a hacker could log in as a remote user directly through the firewall onto the corporate network. Hills said NTA Monitor was able to check 10,000 usernames at a rate of 67 guesses per second, which works out to about two and a half minutes for the whole list.
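The two steps described above, username enumeration followed by a dictionary attack on the enumerated accounts, can be shown with a small simulation. The code below is an added illustration written for this article; it is not Firewall-1 code, not NTA Monitor's tool, and does not model IKE itself. It models a generic login oracle: a leaky server that answers a username-only probe differently depending on whether the account exists, beside a hardened server that returns one uniform failure message and does the same amount of work for unknown and known users. The user directory, the candidate names and the wordlist are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional, Tuple

# Constructed directory of remote users (assumption: three made-up accounts).
# Passwords are stored as salted PBKDF2 hashes, never in the clear.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _make_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)

USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": _make_user("summer2002"),
    "bob": _make_user("letmein"),
    "carol": _make_user("kR7#v9!pQz2L"),
}

# Dummy record so the hardened server hashes a password for an unknown user
# exactly as it would for a real one (no "user exists" timing side channel).
_DUMMY = _make_user("dummy-password-never-valid")

def _password_ok(record: Tuple[bytes, bytes], password: str) -> bool:
    salt, expected = record
    return hmac.compare_digest(_hash(password, salt), expected)

Login = Callable[[str, Optional[str]], str]

# --- Leaky server: mirrors the behaviour the article describes --------------
def leaky_login(username: str, password: Optional[str]) -> str:
    """Answers a username-only probe, and the answer reveals whether the user exists."""
    if username not in USERS:
        return "no such user"
    if password is None:
        return "password required"   # account confirmed without any password
    return "ok" if _password_ok(USERS[username], password) else "bad password"

# --- Hardened server: one answer for every failure --------------------------
def hardened_login(username: str, password: Optional[str]) -> str:
    """Never distinguishes a missing user from a wrong password."""
    if password is None:
        return "authentication failed"
    record = USERS.get(username, _DUMMY)
    ok = _password_ok(record, password)     # always computed, even for unknown users
    return "ok" if (username in USERS and ok) else "authentication failed"

# --- Attacker side ----------------------------------------------------------
def enumerate_users(login: Login, candidates: List[str]) -> List[str]:
    """Username-only probes: a candidate whose response differs from the response
    for a name that certainly does not exist is treated as a valid account."""
    baseline = login("zz-not-a-user-" + os.urandom(4).hex(), None)
    return [u for u in candidates if login(u, None) != baseline]

def dictionary_attack(login: Login, usernames: List[str],
                      wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Online guessing; returns recovered credentials and the number of guesses used."""
    found: Dict[str, str] = {}
    attempts = 0
    for user in usernames:
        for word in wordlist:
            attempts += 1
            if login(user, word) == "ok":
                found[user] = word
                break
    return found, attempts

def seconds_at_rate(attempts: int, per_second: float = 67.0) -> float:
    """Wall-clock cost of an online attack at the guess rate the article reports."""
    return attempts / per_second

# Constructed inputs: names an attacker might try and a tiny wordlist.
CANDIDATES = ["admin", "alice", "bob", "carol", "dave", "root", "vpnuser"]
WORDLIST = ["password", "123456", "letmein", "summer2002", "welcome"]

def demo(login: Login) -> Tuple[List[str], Dict[str, str], int]:
    """Enumerate first; if the server leaks nothing, every candidate must be sprayed."""
    valid = enumerate_users(login, CANDIDATES)
    targets = valid or CANDIDATES
    creds, attempts = dictionary_attack(login, targets, WORDLIST)
    return valid, creds, attempts

if __name__ == "__main__":
    for name, srv in (("leaky", leaky_login), ("hardened", hardened_login)):
        valid, creds, attempts = demo(srv)
        print(f"{name}: enumerated={valid} recovered={creds} "
              f"guesses={attempts} (~{seconds_at_rate(attempts):.1f}s at 67/s)")
```

Against the leaky server the enumeration step narrows seven candidates to the three real accounts before any password is guessed, so the dictionary phase spends its guesses only on accounts that exist; against the hardened server the attacker learns nothing from the probes and has to spray the full candidate list, and the uniform failure message also gives no hint which of the two factors was wrong. The hardened variant is the response-level fix; the article's point is that for the shared-secret IKE configuration it describes there was no comparable configuration switch, only a move to certificates or an external identity server.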
Another related flaw in Firewall-1 would allow an attacker using network packet sniffing tools to steal usernames and passwords of remote users logging into the Firewall-1 virtual private network, according to NTA Monitor.
NTA Monitor said the problem was with the way Firewall-1 handled the password authentication. Hills warned that there was no easy workaround. "Your only option," he said, "is to use PKI (public key infrastructure) certificates or a secure identity server." Neither approach offers a short-term fix as both involve making changes to IT infrastructure, Hills said.
According to NTA Monitor, the flaws affect Firewall-1 versions 4.0, 4.1, NG, NG FP1 and NG FP2 that use the IKE (Internet Key Exchange) scheme configured with shared-secret authentication for remote VPN users.