One workaround is to define a user in your firewall called 'generic*' which will match any username. You need to make sure that the user can't authenticate or isn't specified as the source on any authentication rules, but this will make the firewall report every username as valid.

A slightly more worrying problem with SecuRemote is that it will also identify which authentication method the user has. If you just specify a username without a password then SecuRemote will re-display the authentication window but with a different password prompt such as 'FireWall-1 Password:' or 'PASSCODE:' etc.

-----Original Message-----
From: Kratter, Dave [mailto:dave@mimeo.com]
Sent: 23 October 2001 22:07
To: 'bugtraq@securityfocus.com'
Subject: Check Point VPN-1 SecuRemote Flaw


Summary:
SecuRemote will show whether a username is recognized during failed login attempts

Versions Tested:
4.1 SP4 (4185) VPN+Strong for Windows 2000
4.1 SP4 (4185) VPN+Strong for Windows NT

Description:
During an authentication attempt in the VPN-1 SecuRemote Authentication dialog box, a failed login due to an incorrect username or password will result in different responses, depending on the nature of the failure. If the username is valid and the password is incorrect, SecuRemote will return a dialog box with the message "Access denied by FireWall-1 authentication". However, if the username is invalid, SecuRemote will return a dialog box with the message "User <unknown_user> not found". While this is not a security hole per se, it does allow someone to determine valid firewall usernames (given enough patience).

Workaround:
Unknown

Vendor Status:
Check Point was notified on October 16, 2001



David B. Kratter
Mimeo.com, Inc.
Quality Assurance Technical Engineer

Mimeo.com. Click.Print.Bind.Deliver.sm
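As an added illustration (not code from either post above), this Python model shows why the two distinct failure replies form a username oracle, why a single uniform failure message closes it, and why the 'generic*' workaround hides account existence but still exposes the authentication method through the re-prompt. The user records, names and passwords are constructed for the demonstration; only the message and prompt strings come from the posts.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class User:
    password: Optional[str]   # None models an account that can never authenticate
    auth_method: str          # prompt name shown when the client re-asks for a password

# Constructed user table for the demonstration, not real accounts.
USERS: Dict[str, User] = {
    "alice": User("s3cret", "FireWall-1 Password"),
    "bob": User("hunter2", "PASSCODE"),
}
# Models the 'generic*' workaround: a catch-all entry matching any unknown name,
# defined so that it can never authenticate.
GENERIC = User(None, "FireWall-1 Password")

def verbose_auth(username: str, password: str, users=USERS, generic=None) -> str:
    """Leaky behaviour: the reply depends on the reason the login failed."""
    user = users.get(username, generic)
    if user is None:
        return f"User {username} not found"
    if password == "":
        return f"{user.auth_method}:"      # re-prompt names the user's auth method
    if password != user.password:
        return "Access denied by FireWall-1 authentication"
    return "OK"

def uniform_auth(username: str, password: str, users=USERS, generic=None) -> str:
    """Hardened behaviour: every failure, whatever its cause, yields the same reply."""
    user = users.get(username)
    if user is not None and password == user.password:
        return "OK"
    return "Access denied by FireWall-1 authentication"

def distinguishes(auth, password: str, users=USERS, generic=None) -> bool:
    """True if a bogus name and a real name receive different replies for this password."""
    bogus = auth("nobody", password, users, generic)
    real = auth("alice", password, users, generic)
    return bogus != real
```

Comparing `distinguishes(verbose_auth, "wrong")` with and without `generic=GENERIC` reproduces the workaround's effect, while the empty-password re-prompt still differs between users with different methods.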