Authenticating to SMB appliances using only the first 8 characters of the Administrator password is allowed
Symptoms
  • Administrators who set their password while firmware R77.20.85, R77.20.86 or R77.20.87 (< Build 990172921) was installed may authenticate to the SMB appliance using only the first 8 characters of that password.

    For example, if the configured password is longer than 8 characters, the appliance accepts the full configured password as expected, but it also accepts only the first 8 characters of it.

Cause

Administrator passwords that were created or changed while running R77.20.85 or one of the later versions listed above are stored with a weaker password hash algorithm than in previous versions.

To move the passwords to the stronger hash algorithm, follow the Solution section of this sk.


Solution

This problem was fixed. The fix is included in:

Check Point recommends always upgrading to the most recent version (Check Point 700 appliance / Check Point 910 appliance / Check Point 1400 appliance).


After the upgrade, passwords that were configured before it remain stored with the weaker hash algorithm.

Therefore, it is required to change all Administrators' passwords or to re-create the Administrator users.

The following script can be executed in Expert mode in order to detect Administrator users with the weaker password hash:

#!/bin/bash
# Print every account whose hash field in /etc/shadow contains none of '*', '!' or '$'.
# '*' and '!' mark locked or disabled accounts, and '$' is the prefix of the
# stronger modular-crypt hash formats, so the remaining entries are the ones
# still stored with the weaker hash. Must run as root (Expert mode).
while IFS=: read -r user user_hash _; do
    if [[ $user_hash == *"*"* || $user_hash == *"!"* || $user_hash == *'$'* ]]; then
        continue
    fi
    echo "$user"
done < /etc/shadow


How to use the script:

  1. Copy the script to a notepad file and name it as you like; in this example it is "admin_check".
  2. Change the extension of the notepad file to .sh
  3. Copy the admin_check.sh file to /storage directory.
  4. Go to /storage directory, by executing the command "cd /storage" in Expert mode.
  5. Give the script execute privileges, by executing the command "chmod 700 admin_check.sh" in Expert mode.
  6. Convert the file to UNIX format, by executing the command "dos2unix admin_check.sh" in Expert mode.
  7. Run the script, by executing the command "./admin_check.sh"
  8. The affected users will be printed to the screen.
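The sk script above decides purely on which characters the hash field contains. The following added example (not Check Point's script, and not part of the original sk) shows the same decision with the hash formats spelled out: `*` and `!` entries are locked accounts, `$1$`, `$5$`, `$6$`, `$2x$` and `$y$` prefixes are modular-crypt hashes, and a bare 13-character field of `[./0-9A-Za-z]` is assumed here to be the legacy DES crypt(3) format, which keys only on the first 8 bytes of the password and so matches the symptom described. The shadow lines are constructed samples and contain no real hashes; run it on a copy of `/etc/shadow` by replacing `SAMPLE_SHADOW` with the file contents.

```shell
#!/bin/sh
# Added example: classify /etc/shadow hash fields by format and list the
# accounts whose hash the sk script would flag. All lines below are constructed.

SAMPLE_SHADOW='root:$6$Zt8s/Gx1$Q9v0UakP3dE2uT7xN5mB1yLcR8hW4kFzS6oJ0pVgI2rM3nA9bC7eD5fH1jK8lO6qT4uX2wY0zV3:18000:0:99999:7:::
admin:ab1Xy9ZkQ/mN2:18000:0:99999:7:::
auditor:$1$4kQ7zP2s$x3J9mT1vR8bN6cL0yW5fH.:18000:0:99999:7:::
svc:*:18000:0:99999:7:::
guest:!!:18000:0:99999:7:::
nopass::18000:0:99999:7:::'

# classify_hash HASHFIELD -> prints "<scheme> <weak|ok>"
# "weak" mirrors the sk script: the field contains none of '*', '!' or '$'.
classify_hash() {
    case "$1" in
        "")        echo "empty weak" ;;          # no password set at all
        \**|\!*)   echo "locked ok" ;;           # locked/disabled account
        \$6\$*)    echo "sha512-crypt ok" ;;
        \$5\$*)    echo "sha256-crypt ok" ;;
        \$1\$*)    echo "md5-crypt ok" ;;
        \$2[aby]\$*) echo "bcrypt ok" ;;
        \$y\$*)    echo "yescrypt ok" ;;
        \$*)       echo "unknown-modular ok" ;;  # some other $id$ scheme
        *)
            # Assumption: a bare 13-character field is legacy DES crypt(3),
            # which truncates the password to its first 8 bytes.
            if printf '%s' "$1" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo "des-crypt weak"
            else
                echo "unknown weak"
            fi
            ;;
    esac
}

# find_weak_users SHADOWTEXT -> prints "user:scheme" for every weak entry
find_weak_users() {
    printf '%s\n' "$1" | while IFS=: read -r user hash _; do
        set -- $(classify_hash "$hash")
        if [ "$2" = weak ]; then
            echo "$user:$1"
        fi
    done
}

find_weak_users "$SAMPLE_SHADOW"
```

On the constructed sample this lists `admin:des-crypt` and `nopass:empty`; note that an empty hash field is flagged as well, exactly as the sk script would flag it, since it contains none of the three marker characters.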
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
