Remote users at risk from CheckPoint Firewall-1 hole

Businesses using CheckPoint's flagship Firewall-1 product are at risk from two potentially serious flaws, according to security consultants NTA Monitor.

The flaws in the widely used package could leave businesses open to attackers who first enumerate valid remote-user names and then run a dictionary attack against those users' passwords.

CheckPoint said it was investigating the NTA Monitor report.

Most authentication systems require both a username and a password before the server indicates whether the login attempt succeeded, so a wrong username and a wrong password produce the same failure. However, NTA Monitor said that some versions of Firewall-1 allow a remote attacker to determine whether a remote user's username is valid without knowing the associated password.

This could then be exploited in a dictionary attack, according to Roy Hills, technical director of NTA Monitor. "The main problem is that you do not have to specify a username and password combination in order for Firewall-1 to send a response," said Hills.

A hacker could build a list of valid usernames through trial and error. "Once you have found a valid username, you can determine the password easily as people tend to choose simple, easy to remember passwords," Hills added.

With a valid username and password combination, a hacker could log in as a remote user directly through the firewall on to the corporate network. Hills said NTA Monitor was able to check 10,000 usernames at a rate of 67 guesses per second.
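The enumeration-then-guessing sequence described above, as an added example that is not code from the article, from NTA Monitor or from CheckPoint. It models a generic password login rather than Firewall-1 itself: `leaky_login` answers differently for an unknown name than for a known name with no password, which is the oracle the advisory describes; `uniform_login` is the hardened form with one reply for every failure; `LockoutLogin` adds the per-user attempt limit that actually bounds online guessing. The user database, wordlist and all function names are constructed for the example; the 67 guesses per second figure is the article's.

```python
import hmac

# Constructed remote-user database for the example (not real Firewall-1 data).
USERS = {"alice": "Summer2002", "bob": "letmein", "carol": "Tr0ub4dor&3"}
# Constructed wordlist of the "simple, easy to remember" kind the article mentions.
WORDLIST = ["password", "123456", "letmein", "welcome", "Summer2002"]


def leaky_login(username, password):
    """Behaviour the advisory describes: the reply depends on whether the
    username exists, so an attacker can probe usernames without any password."""
    if username not in USERS:
        return "unknown user"
    if password is None:
        return "password required"          # username confirmed valid, no password needed
    ok = hmac.compare_digest(USERS[username].encode(), password.encode())
    return "ok" if ok else "bad password"


def uniform_login(username, password):
    """Hardened variant: every failure gets the same reply, and a missing
    password is never acknowledged separately from a wrong one."""
    expected = USERS.get(username)
    supplied = password if password is not None else ""
    # Compare against a dummy for unknown users so the code path, and the
    # reply, do not depend on whether the name exists.
    reference = expected if expected is not None else "\x00dummy"
    if expected is None or not hmac.compare_digest(reference.encode(), supplied.encode()):
        return "authentication failed"
    return "ok"


def enumerate_users(login, candidates):
    """Trial-and-error enumeration: a candidate counts as valid when the reply
    to a password-less attempt differs from the reply for a name that cannot exist."""
    baseline = login("\x00no-such-user\x00", None)
    return [u for u in candidates if login(u, None) != baseline]


def dictionary_attack(login, username, wordlist):
    """Online guessing against one confirmed username; returns the password or None."""
    for guess in wordlist:
        if login(username, guess) == "ok":
            return guess
    return None


class LockoutLogin:
    """Per-user failure counter around any login function. Generic replies stop
    enumeration; this is what limits guessing once a username is known."""

    def __init__(self, login, max_failures=5):
        self.login, self.max_failures, self.failures = login, max_failures, {}

    def __call__(self, username, password):
        if self.failures.get(username, 0) >= self.max_failures:
            return "locked"
        result = self.login(username, password)
        if result != "ok":
            self.failures[username] = self.failures.get(username, 0) + 1
        return result


def seconds_to_enumerate(candidates, guesses_per_second=67):
    """Time to try a candidate list at the rate NTA Monitor reported (67 guesses/s)."""
    return candidates / guesses_per_second
```

Against `leaky_login`, the enumerator recovers every real account from a list of guesses, and a 10,000-name list takes about two and a half minutes at 67 guesses per second. Against `uniform_login` the enumerator finds nothing, but `dictionary_attack` still succeeds once the attacker has a username from elsewhere: uniform replies close the enumeration oracle, not the guessing. The lockout wrapper closes the guessing, at the cost that anyone who knows a username can lock that user out, which is why a rate limit or back-off is usually preferred to a hard lock.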

Another related flaw in Firewall-1 would allow an attacker using network packet sniffing tools to steal usernames and passwords of remote users logging into the Firewall-1 virtual private network, according to NTA Monitor.

NTA Monitor said the problem was with the way Firewall-1 handled the password authentication. Hills warned that there was no easy workaround. "Your only option," he said, "is to use PKI (public key infrastructure) certificates or a secure identity server." Neither approach offers a short-term fix as both involve making changes to IT infrastructure, Hills said.
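Why a sniffed login can be turned into a password, and why Hills says certificates are the fix, as an added example that is not code from the article or from NTA Monitor. The article does not describe the mechanism beyond "the way Firewall-1 handled the password authentication"; the model below is the general shape of shared-secret authentication in IKEv1 (RFC 2409): the gateway proves knowledge of the secret with a keyed hash whose every other input, nonces, public Diffie-Hellman values and identities, crosses the wire unencrypted. It is a simplified model, not the real IKE packet format (the cookies and SA payload that IKE also hashes are left out), and every name, identity and captured value is constructed for the example.

```python
import hmac
import hashlib
import secrets


def prf(key, data):
    """Keyed pseudo-random function; HMAC-SHA1 as one of the IKEv1 options."""
    return hmac.new(key, data, hashlib.sha1).digest()


def responder_hash(psk, ni, nr, gxi, gxr, id_r):
    """The keyed hash the gateway sends to prove it knows the shared secret.
    Its key is derived from the secret and two nonces that were sent in clear,
    so the secret is the only input a sniffer does not already have."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxr + gxi + id_r)


def sniff_exchange(psk, id_i, id_r):
    """Everything a passive sniffer on the path sees in the first exchange
    (constructed values; the public Diffie-Hellman values are random stand-ins)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    gxi, gxr = secrets.token_bytes(96), secrets.token_bytes(96)
    return {
        "id_i": id_i,          # the remote user's identity, visible in clear
        "ni": ni, "nr": nr, "gxi": gxi, "gxr": gxr, "id_r": id_r,
        "hash_r": responder_hash(psk, ni, nr, gxi, gxr, id_r),
    }


def crack_psk(capture, wordlist):
    """Offline dictionary attack on the captured hash. No packet goes back to the
    gateway, so lockouts, rate limits and logs never see the guessing."""
    for word in wordlist:
        guess = word.encode()
        h = responder_hash(guess, capture["ni"], capture["nr"],
                           capture["gxi"], capture["gxr"], capture["id_r"])
        if hmac.compare_digest(h, capture["hash_r"]):
            return guess
    return None
```

The attacker recomputes the hash for each candidate secret and compares it with the captured one; every guess is checked locally, so the only limits are the attacker's hardware and the user's choice of password, which is the point Hills makes about simple passwords. Certificate (signature) authentication removes the shared secret from the exchange altogether: the proof becomes a signature by a private key that never leaves the endpoint and is not in any wordlist, so the same capture yields nothing to crack. That is also why it is not a quick fix: it means issuing and distributing certificates to every remote user.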

According to NTA Monitor, the flaws affect Firewall-1 versions 4.0, 4.1, NG, NG FP1 and NG FP2 that use the IKE (Internet Key Exchange) protocol configured with shared-secret authentication for remote VPN users.
