CheckPoint Firewall SecuRemote Hostname Information Disclosure

Release Date: 12-Mar-2012

Software: CheckPoint Firewall / VPN-1 / http://www.checkpoint.com/

Versions tested: NGX R65, R71. Other versions untested but likely affected.

Vulnerability discovered: By sending a pre-authentication topology request to the VPN SecuRemote service, it is possible to obtain the firewall hostname and the logging or management station (such as SmartCenter) hostname.

Vulnerability impact: Low – Information disclosure potentially reveals the client naming scheme and the firewall management station hostname, allowing attacks to be aimed specifically at the enterprise firewall management server.

Vulnerability information: By sending a certain query to port 264/TCP on CheckPoint Firewall-1, the hostname is revealed. A Metasploit module is available to test for this vulnerability.

Example:

msf auxiliary(checkpoint_hostname) > set RHOST A.B.C.D
msf auxiliary(checkpoint_hostname) > run

[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service…
[+] Appears to be a CheckPoint Firewall…
[+] Firewall Host: CPSYDFW1
[+] SmartCenter Host: CPSYDMGMTSVR
[*] Auxiliary module execution completed
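Since the vendor offered no fix, the practical defender's control is to notice (and restrict) pre-authentication connections to the SecuRemote topology port from sources that are not known VPN clients. The following Python script is an added example, not part of the advisory or of the Metasploit module: it scans connection-log lines for 264/TCP sessions and flags any whose source falls outside an allow-list of expected client networks. The log format, the sample lines, the field names and the allow-list networks are all constructed assumptions for the example; adapt the regular expression to your firewall's real log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample connection log (not from the advisory). Each line is a
# generic "key=value" connection record; real firewall logs differ in layout.
SAMPLE_LOG = """\
2012-03-12T10:01:02Z fw1 conn src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=264 action=accept
2012-03-12T10:01:05Z fw1 conn src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=264 action=accept
2012-03-12T10:02:11Z fw1 conn src=10.20.30.40 dst=198.51.100.10 proto=tcp dport=264 action=accept
2012-03-12T10:03:44Z fw1 conn src=203.0.113.9 dst=198.51.100.10 proto=tcp dport=443 action=accept
2012-03-12T10:04:00Z fw1 conn src=192.0.2.55 dst=198.51.100.10 proto=tcp dport=264 action=drop
"""

# Assumed log layout; the capture groups are what the rest of the script uses.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+conn\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\S+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\S+)"
)

# Port of the SecuRemote topology service named in the advisory.
SECUREMOTE_PORT = 264


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_expected_source(src, allowed_nets):
    """True if src lies inside one of the networks VPN clients are expected to use."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in allowed_nets)


def find_topology_probes(log_text, allowed_cidrs):
    """Flag 264/TCP connections whose source is outside the allow-list.

    Accepted connections are the ones that would actually have leaked the
    hostnames; dropped ones still show someone probing the service.
    """
    allowed_nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"].lower() != "tcp" or rec["dport"] != SECUREMOTE_PORT:
            continue
        if is_expected_source(rec["src"], allowed_nets):
            continue
        flagged.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "accepted": rec["action"].lower() == "accept",
        })
    return flagged


def summarize_by_source(flagged):
    """Count flagged topology-port connections per source address."""
    return Counter(rec["src"] for rec in flagged)


if __name__ == "__main__":
    # Assumed allow-list: only the corporate 10.0.0.0/8 range may reach 264/TCP.
    hits = find_topology_probes(SAMPLE_LOG, ["10.0.0.0/8"])
    for h in hits:
        state = "ACCEPTED (hostnames exposed)" if h["accepted"] else "dropped"
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{SECUREMOTE_PORT} {state}")
    print("per-source counts:", dict(summarize_by_source(hits)))
```

Run on the constructed sample, the script reports the two accepted connections from 203.0.113.7 and the dropped attempt from 192.0.2.55, while the internal 10.20.30.40 client and the unrelated 443/TCP session are ignored. The same allow-list is the natural basis for a rule restricting 264/TCP to known client ranges where the deployment permits it.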

Recommendation: None at this time. Consider a different VPN headend.

Credit: This vulnerability was disclosed by Patrick Webster.

Exploit: A Metasploit module is available here:

http://www.metasploit.com/modules/auxiliary/gather/checkpoint_hostname

Disclosure timeline:
14-Dec-2011 – Discovered during audit.
21-Dec-2011 – Added auxiliary module to the Metasploit Framework.
23-Dec-2011 – Notified vendor. No response.
12-Mar-2012 – Disclosure.