The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of CheckPoint SecuRemote

computer vulnerability bulletin CVE-2012-2753

Check Point Endpoint Connect: command execution via DLL Preload

Synthesis of the vulnerability

An attacker can place a malicious DLL in a directory and invite the victim to open Check Point Endpoint Connect from that directory, in order to execute code.
Impacted products: CheckPoint Endpoint Security, CheckPoint SecureClient, CheckPoint SecuRemote.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 11/06/2012.
Identifiers: BID-53925, CERTA-2012-AVI-318, CVE-2012-2753, sk76480, VIGILANCE-VUL-11688.

Description of the vulnerability

The Check Point Endpoint Connect product (TrGUI.exe) loads a library insecurely, so a DLL of the same name in the current working directory is picked up (DLL preloading).

An attacker can thus use the DLL preloading technique of VIGILANCE-VUL-9879 to execute code.
Full Vigil@nce bulletin... (Free trial)

vulnerability note 11424

Check Point Firewall VPN-1: obtaining the hostname

Synthesis of the vulnerability

An unauthenticated attacker can send a query to the SecuRemote Topology service, in order to obtain the name of the firewall.
Impacted products: CheckPoint SecuRemote, VPN-1.
Severity: 1/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 12/03/2012.
Identifiers: sk69360, VIGILANCE-VUL-11424.

Description of the vulnerability

The VPN SecuRemote service of the Check Point firewall listens on port 264/tcp, in order to provide topology information to VPN clients.

An unauthenticated client can connect to this service and obtain a certificate. However, the Common Name field of this certificate contains the firewall name and the SmartCenter name.

An unauthenticated attacker can therefore send a query to the SecuRemote Topology service, in order to obtain the name of the firewall.

This information may be considered public, but it can be used to detect the presence of a firewall.

computer vulnerability announce CVE-2008-1397

VPN-1: denial of service and information disclosure

Synthesis of the vulnerability

In some configurations, an attacker with SecuRemote (SecureClient, SNX) access can intercept the traffic of a site-to-site VPN.
Impacted products: CheckPoint SecureClient, CheckPoint SecuRemote, VPN-1.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: user account.
Creation date: 18/03/2008.
Identifiers: BID-28299, CVE-2008-1397, sk34579, VIGILANCE-VUL-7677, VU#992585.

Description of the vulnerability

A vulnerability was announced in a specific configuration of VPN-1 (simplified):
 - The VPN gateway, named A, allows remote client access.
 - A site-to-site VPN is established between A and another gateway named B. The network of B is, for example, 192.168.1.0/24.
 - The attacker, named C, has a valid account to connect via SecuRemote (SecureClient, SNX) to A.

The attacker can then change his IP address to one belonging to the network of B (192.168.1.10). This IP address can also be obtained through address translation (a router performing NAT).

In this case, when a user on the internal network of A tries to reach 192.168.1.10, the connection goes to the attacker instead of to the network of B. Moreover, the related sessions no longer flow between A and B.

An attacker can thus spoof the identity of a computer of B, in order to obtain information and to create a denial of service.

computer vulnerability announce CVE-2008-0662

VPN-1 SecuRemote/SecureClient: cached authentication

Synthesis of the vulnerability

Authentication data stored by VPN-1 SecuRemote/SecureClient can be read from the registry.
Impacted products: CheckPoint SecureClient, CheckPoint SecuRemote, VPN-1.
Severity: 2/4.
Consequences: user access/rights.
Provenance: physical access.
Creation date: 07/02/2008.
Identifiers: BID-27675, CVE-2008-0662, sk34315, VIGILANCE-VUL-7557.

Description of the vulnerability

Users of VPN-1 SecuRemote/SecureClient can enable the Auto Local Logon option, which stores authentication credentials in the registry.

However, access permissions to the registry key are "Full control" for "Everyone". All local users can thus read the key.

An attacker with access to the victim's registry can therefore use the victim's authentication credentials to access the VPN.

vulnerability 5540

VPN-1: program execution by SecureClient

Synthesis of the vulnerability

An attacker can store a program on the system, so that SecureClient runs it.
Impacted products: CheckPoint SecureClient, CheckPoint SecuRemote, VPN-1, Kaspersky AV, Windows 2000, Windows NT.
Severity: 1/4.
Consequences: privileged access/rights.
Provenance: user account.
Creation date: 19/01/2006.
Identifiers: TZO-012006, VIGILANCE-VUL-5540.

Description of the vulnerability

The SR_Watchdog.exe program starts the SR_GUI.exe graphical interface with the CreateProcess() function, passing the following path:
  C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe

However, this path is not enclosed in quotes, so CreateProcess() first tries each prefix ending at a space as the executable name. When permissions allow it, an attacker can thus create a program with a shorter name:
  C:\Program.exe

This program is then run with the rights of SR_Watchdog.exe.

computer vulnerability bulletin CVE-2005-4505

McAfee VirusScan: program execution by naPrdMgr.exe

Synthesis of the vulnerability

An attacker can store a program on the system, so that naPrdMgr.exe runs it.
Impacted products: CheckPoint SecureClient, CheckPoint SecuRemote, VPN-1, Kaspersky AV, VirusScan, Windows 2000, Windows NT.
Severity: 1/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 23/12/2005.
Identifiers: BID-16040, CVE-2005-4505, VIGILANCE-VUL-5448.

Description of the vulnerability

The naPrdMgr.exe program periodically runs, with Local System rights, the following path:
  C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE

However, this path is not enclosed in quotes, so each prefix ending at a space is tried as the executable name. When permissions allow it, an attacker can thus create a program with a shorter name:
  C:\Program.exe
  C:\Program Files\Network.exe

This program is then run with system rights.

computer vulnerability bulletin CVE-2005-2313

VPN-1: obtaining SecuRemote and SecureClient logins

Synthesis of the vulnerability

The SecuRemote and SecureClient connection credentials can be read from the registry.
Impacted products: CheckPoint SecureClient, CheckPoint SecuRemote, VPN-1.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 21/07/2005.
Identifiers: BID-14221, CVE-2005-2313, V6-VPN1SECUREMOTECRED, VIGILANCE-VUL-5088.

Description of the vulnerability

A user of the SecuRemote and SecureClient clients can enable the "Auto Local Logon" feature.

In this case, the login and password are stored in the registry under:
  HKLM/SOFTWARE/Checkpoint/SecureRemote/Credentials/
The access rights on this key are not properly secured.

A local attacker can then read them.

computer vulnerability bulletin CVE-2004-0469

Buffer overflow via ISAKMP data

Synthesis of the vulnerability

During the negotiation of a VPN tunnel, an attacker can send malformed ISAKMP data in order to execute code on the machine.
Impacted products: CheckPoint SecureClient, CheckPoint SecuRemote, VPN-1.
Severity: 4/4.
Consequences: administrator access/rights.
Provenance: internet server.
Creation date: 05/05/2004.
Identifiers: BID-10273, CVE-2004-0469, V6-FW1VPN1ISAKMPBOF, VIGILANCE-VUL-4158.

Description of the vulnerability

The ISAKMP protocol manages the SAs (algorithm, key size, etc.) and the keys required for a VPN to operate.

The Check Point VPN-1 product uses this protocol to create IPsec tunnels.

However, during the negotiation phase, an attacker can send malformed ISAKMP data in order to trigger a buffer overflow. This buffer overflow can be used to execute code. The technical details of the malformed ISAKMP data are not currently known.

This vulnerability has been fixed in the latest updates. For example:
 - VPN-1/FireWall-1 R55 HFA-03
 - VPN-1/FireWall-1 R54 HFA-410
 - VPN-1/FireWall-1 NG FP3 HFA-325
 - VPN-1 SecuRemote/SecureClient R56

This vulnerability therefore allows a remote attacker to execute code on the machine.

computer vulnerability alert CVE-2003-0757

Obtaining internal IP addresses

Synthesis of the vulnerability

An attacker can obtain the list of the firewall's internal IP addresses using SecuRemote.
Impacted products: FW-1, CheckPoint SecureClient, CheckPoint SecuRemote.
Severity: 2/4.
Consequences: data reading.
Provenance: internet server.
Creation date: 03/09/2003.
Revision date: 04/09/2003.
Identifiers: BID-8524, CVE-2003-0757, V6-FW1SECUREMOTEIPINT, VIGILANCE-VUL-3746.

Description of the vulnerability

The SecuRemote product is used to connect to Firewall-1 in order to access the internal machines of the network.

When a client connects to the SecuRemote port of Firewall-1, the firewall returns the list of its IP addresses. However, this list includes the internal addresses, which are normally private.

This vulnerability therefore allows a remote attacker to obtain information about the network topology.

vulnerability alert 1991

Incomplete SecureClient challenge

Synthesis of the vulnerability

Long authentication sessions can be accepted without the complete exchange having taken place.
Impacted products: FW-1, CheckPoint SecureClient, CheckPoint SecuRemote.
Severity: 1/4.
Consequences: privileged access/rights.
Provenance: intranet client.
Creation date: 08/11/2001.
Identifiers: V6-FW1SECUREREMOTENOAUTH, VIGILANCE-VUL-1991.

Description of the vulnerability

The SecureRemote/SecureClient program is used by CheckPoint Firewall-1 to establish an encrypted session between users and the various remote modules.

The RSA SecurID product authenticates users with two factors:
 - something the user knows: a password, a PIN
 - something the user has: a hardware token, a card
A user can change his PIN, but this step requires some computation and is therefore not immediate. This product can be combined with SecureRemote or SecureClient.

CheckPoint announced that the second step of protocols using overly long challenge/response sessions, such as SecurID, might not be validated. Indeed, the second response field is automatically pre-filled with the previous message. A user can thus validate the session by clicking "OK" without answering the second message.

This gap in authentication can then make it easier for an attacker to access this user account.