Check Point response to security advisory about password hashes in UTM-1 Edge/Edge N appliance
When an administrator exports the internal users from a UTM-1 Edge appliance, the exported data includes those users' obscured passwords.
The only users who are allowed to export the UTM-1 Edge configuration are administrators with Read/Write permissions. These administrators have the ability to obtain the obscured passwords of other administrators.
Administrators should keep the exported information protected.
This issue is mitigated by the following factors:
- In most cases, there is only one Read/Write administrator defined on the UTM-1 Edge appliance. Therefore, no information that is not known to that administrator can be disclosed.
- In a managed UTM-1 Edge appliance, the local administrator is usually not used. Instead, the features are remotely managed from the SmartCenter.
- If several Read/Write administrators are needed, one can choose not to define them on the UTM-1 Edge itself, but to use RADIUS authentication instead.
- One can also choose to add the gateway to a community with user authentication; in this case as well, the users are not defined on the UTM-1 Edge, but rather on the SmartCenter.
Credits: Check Point thanks Bill Mathews of Hurricane Labs for responsible disclosure of this issue.