checkpoint-fw1.vuln.txt

22 Jan 2000. Reported by Packet Storm. Type: packetstorm. Source: packetstormsecurity.com

Two vulnerabilities in Checkpoint FW-1: an authentication issue and a configuration issue.

`There are two vulnerabilities in FW-1. The first is an authentication  
issue, the other is a configuration issue. Since I don't have a copy  
of 4.x FW-1 handy maybe someone can check it for me.  
  
#1  
The basic authentication that Checkpoint FW-1 uses for  
inside/outbound and outside/inbound allows unlimited attempts to  
authenticate without a timeout or disconnect between unsuccessful  
attempts. To make matters worse, the authentication prompt will let  
you know if you have the wrong username before you are allowed to enter  
the password.  
  
The exploit is trivial: grind away at user names until you hit one that  
works and then grind away at passwords with the username you just found  
until you find one that works.  
  
For an example of this, set authentication on the FW-1 software to  
authenticate telnet connections. Telnet to a destination past the  
firewall; when prompted for a username, pound away. A script could  
crack the authentication in a very short time.  
  
The workaround is to use Checkpoint's encrypted authentication program  
"SecuRemote" and not allow clear text authentication (browser based,  
telnet, etc.) to destinations beyond the firewall.  
  
#2  
The default configuration in FW-1 allows for rlogin management of the  
server. The rlogin prompt is available on all NICs. Unless a rule is  
placed in your ruleset to drop or reject all connections to the  
firewall, the authentication problem above can be used to remotely  
administer someone else's firewall without them knowing.  
  
The workaround is to include that rule, dropping or rejecting all  
connections to the firewall itself.  
  
`
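
The two controls that issue #1 says are missing (a limit with disconnect on failed attempts, and a prompt that does not reveal a wrong username before the password) can be sketched as a generic login check. This is an added example, not FW-1 code and not part of the advisory; the `AuthGate` class, the `session` helper, the thresholds and the reply strings are all assumptions made for illustration.

```python
import hashlib, hmac, os

MAX_TRIES = 3        # assumed: failed tries allowed per connection
LOCKOUT_FAILS = 5    # assumed: failures per source before lockout
LOCKOUT_SECS = 300   # assumed: lockout window in seconds

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthGate:
    """Hypothetical login check; not FW-1's implementation."""
    def __init__(self, users, clock):
        self.clock = clock
        self.salts = {u: os.urandom(16) for u in users}
        self.hashes = {u: _kdf(p, self.salts[u]) for u, p in users.items()}
        # Dummy record so unknown usernames cost the same work as real ones.
        self.dummy_salt, self.dummy_hash = os.urandom(16), os.urandom(32)
        self.fails = {}  # source address -> timestamps of recent failures

    def locked(self, src):
        now = self.clock()
        recent = [t for t in self.fails.get(src, []) if now - t < LOCKOUT_SECS]
        self.fails[src] = recent
        return len(recent) >= LOCKOUT_FAILS

    def check(self, src, user, password):
        """Return 'ok', 'denied' or 'locked'. The username is never judged alone."""
        if self.locked(src):
            return "locked"
        known = user in self.hashes
        got = _kdf(password, self.salts.get(user, self.dummy_salt))
        match = hmac.compare_digest(got, self.hashes.get(user, self.dummy_hash))
        if known and match:
            return "ok"
        self.fails[src].append(self.clock())
        return "denied"  # same answer for wrong username and wrong password

def session(gate, src, attempts):
    """Serve one connection: at most MAX_TRIES attempts, then disconnect."""
    replies = []
    for user, password in attempts[:MAX_TRIES]:
        reply = gate.check(src, user, password)
        replies.append(reply)
        if reply != "denied":
            return replies
    return replies + ["disconnect"]
```

Failures are counted per source and are not reset by a later success, so a holder of one valid account cannot use it to clear the counter between guesses.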
