ISS X-Force Database: fw1-ike-username-enumeration(10034): Check Point FireWall-1/VPN-1 SecuRemote/SecureClient IKE Aggressive Mode username enumeration

Check Point FireWall-1/VPN-1 SecuRemote/SecureClient IKE Aggressive Mode username enumeration

fw1-ike-username-enumeration (10034)

Low Risk

Description:

Check Point VPN-1/FireWall-1 could allow a remote attacker to determine valid usernames. If an attacker uses either SecuRemote or SecureClient's "IKE Aggressive Mode" authentication, the firewall sends a different response depending on whether an invalid or valid username is submitted. This could allow a remote attacker to determine valid usernames and possibly gain unauthorized access to the system.

Platforms Affected:

CheckPoint, VPN-1 FireWall-1 4.0
CheckPoint, VPN-1 FireWall-1 4.1

Remedy:

Disable QUOT;IKE Aggressive Mode" and use "Hybrid Mode" for authentication. See References.

Consequences:

Bypass Security

References:

BugTraq Mailing List, Tue Sep 03 2002 - 06:08:48 CDT , SecuRemote usernames can be guessed or sniffed using IKE exchange at http://archives.neohapsis.com/archives/bugtraq/2002-09/0017.html.
Check Point Services and Downloads, IKE Aggressive Mode at http://www.checkpoint.com/techsupport/alerts/ike.html.
Full-Disclosure Mailing List, Tue Sep 03 2002 - 16:14:40 CDT, Check Point statement on use of IKE Aggressive Mode at http://archives.neohapsis.com/archives/fulldisclosure/2002-q3/0725.html.
SecuriTeam Mailing List, SecurityNews 9 Sept 2002, Checkpoint FW-1 VPN Security Flaw (updated) at http://www.securiteam.com/securitynews/5TP040U8AW.html.
BID-5607: Check Point Firewall-1 SecuRemote IKE Username Guessing Vulnerability
CVE-2002-1623: The design of the Internet Key Exchange (IKE) protocol, when using Aggressive Mode for shared secret authentication, does not encrypt initiator or responder identities during negotiation, which may allow remote attackers to determine valid usernames by (1) monitoring responses before the password is supplied or (2) sniffing, as originally reported for FireWall-1 SecuRemote.
US-CERT VU#886601: Internet Key Exchange (IKE) protocol discloses identity when Aggressive Mode shared secret authentication is used

Reported:

Sep 03, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page