Check Point response to SecuRemote Topology Service Hostname Disclosure

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk69360
Technical Level
Product	SecuRemote, IPSec VPN
Version	All
Platform / Model	All
Date Created	18-Mar-2012
Last Modified	10-Oct-2018

Symptoms

There is an alleged information disclosure in Security Gateway. Security Gateway and Security Management names can be extracted from the unauthenticated communication with port 264 on Security Gateway.

For original report refer to
- http://www.metasploit.com/modules/auxiliary/gather/checkpoint_hostname
- http://www.osisecurity.com.au/advisories/checkpoint-firewall-securemote-hostname-information-disclosure
This claim is false. The information that was obtained is public. Read further for explanation.

Solution

The claim is: "By sending a pre-authentication topology request to the VPN SecuRemote service, it is possible to obtain the firewall hostname and logging or management station (such as SmartCenter) name."

The SmartCenter and Security Gateway names are part of the gateway certificate that is presented for authentication in many scenarios. The gateway name is in the Subject field of the certificate and the SmartCenter name is in the Issuer field, since Internal CA runs on the SmartCenter. Certificate owner name and CA names are considered public information.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating