beware. the batman face.
Here is the previous semi-charmed blog.
Bulletin Release 02.06.08
Checkpoint SecuRemote/Secure Client NGX Auto Local Logon Vulnerability
(Or, How to Be Bill Gates, if Bill Gates uses a CheckPoint VPN Client)
Discovery Date:
December 13, 2007
Vendor Release Date:
February 6, 2008
Severity:
Impersonation of users. What's your VPN protecting?
Checkpoint says.... MEDIUM
Vendor:
Checkpoint
Systems Affected:
VPN-1 SecuRemote/SecureClienetNGX R60 for Windows
VPN-1 SecuRemote/SecureClient NGAI R56 for Windows
Earlier versions may be affected as well
Overview:
Issues with credential storage in the registry allow anyone with read access to
the registry to utilize stored credentials to login and impersonate the user who
stored their credentials.
Technical Details:
Sorry, no sexxy buffer overflow! However, you too can be an authenticated VPN
user!
Checkpoint's VPN client has an option to store credentials. All users have read
access to the registry key where these are stored. A user can export this
registry key, install the software, and configure it to cache credentials. Then,
import the registry and connect. No prompting, and you are now the alternate
user. Bad hacker, bad!
Scenario: A user has enabled the Auto Local Logon option in the client, and
stored their credentials. These credentials are kept in the
registry, under HKLM\Software\Checkpoint\SecuRemote.
Credentials are specifically under the subkey named…. “Credentials”… sneaky!
Permissions for the Checkpoint key are set to Everyone – Full Control.
This means anyone with a local logon to the machine, or any administrator from a
remote machine, if remote registry access is enabled, can view and export this
key. Next step: Install the client on another machine, and
reboot as required. Configure Auto Local Logon, and create a
site, but provide no credentials. Import the key.
You are now the other person. Probably not Bill
Gates, but still, messy.
Fix:
Disable the caching of credentials. Who's a fan of that anyway.
Alternately, see the vendor fix below.
Vendor Status:
Checkpoint has released a bulletin for this issue, at:
http://tinyurl.com/27894d
Good job, Check Point! Thanks for all the follow through, I’d work with you guys
again. Vendor timeline below.
Credit:
MN Vasquez
Greetings:
<3 4 God, nothing else matters. Props to #13 Kurt Warner,
Ron Wolfley & Johnny Long, who "get it". Miss u dad.
BOC 4 lyfe!, ‘sup to Debuc, Mekt, and jhs87. Thanks to the fam, & mom for
everything.
Danielle - I love you!
Ang - I am so proud of you!
&
hey. Can we get “Heroes” back on the air already?
Kthx.
Vendor Timeline
12.13.2007: Vendor notified via support portal
12.13.2007: Vendor escalated to security team
12.14.2007: Vendor requested more detail, detail provided
12.19.2007: Vendor confirmed and scheduled initial fix by 1.23.2008
1.16.2008: Vendor requested delay til ~2.4.2008
2.4.2008: Vendor confirmed release date of 2.5.2008 @ 4:00pm PST
2.5.2008: Vendor released bulletin on website, no customer notification
2.6.2008: Vendor reports they notified customers at 4:00PM PST
Copyright (c) 2008 Mike Vasquez
You can redistribute electronically, but don't edit it in any way without the
express permission of Mike Vasquez. Any reprint of this alert, in whole or in
part in any non-electronic medium must have permission, email mnv at alumni dot
princeton dot edu.
Disclaimer
This alert may change without notice. Use of this info constitutes acceptance
for use AS IS. No warranties are implied or expressed. I'm not liable for direct
or indirect damages arising from the use or distribution of this information.
Use it at your own risk.
