A simple case of useful error messages in the Check Point VPN-1 client could betray information that can be used by a hacker, security experts have warned.
In a notice explaining the problem, Securiteam, which discovered the glitch, said: "During an authentication attempt in the VPN-1 SecuRemote Authentication dialog box, a failed login due to an incorrect username or password will result in different responses, depending on the nature of the failure.
"If the username is valid and the password is incorrect, SecuRemote will return a dialog box with the message 'Access denied by FireWall-1 authentication'. However, if the username is invalid, SecuRemote will return a dialog box with the message 'User not found'."
Although this is not technically a security hole, "it does allow someone to determine valid firewall usernames using brute force techniques", the experts warned.
What appears to be a more worrying problem is that the error messages will also identify which authentication method the user has.
Specifying a username without a password will then re-display the authentication window, but with a different password prompt such as 'FireWall-1 Password:' or 'PASSCODE:', which also gives a potential attacker useful information.
Securiteam said that one workaround would be to create a user called 'generic*' which matches any username and helps obscure the real users.
Security group @stake said that, although this is another good example of why generic error messages for authentication mechanisms can help, there are always two sides to any argument, even when user experience is the business driver.
The advisory is posted here.
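The difference between the behaviour described above and a generic-response design can be shown in a few lines. This is an added example, not code from the advisory or from Check Point; the user store, the function names and the generic strings 'Password:' and 'Access denied' are assumptions, while the verbose messages are the ones quoted in the article.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample accounts: username -> (prompt for its scheme, salt, hash).
_SALT = os.urandom(16)
USERS = {
    "alice": ("FireWall-1 Password:", _SALT, _hash("correct horse", _SALT)),
    "bob": ("PASSCODE:", _SALT, _hash("482913", _SALT)),
}
# Placeholder record used for unknown names so every request does the same work.
_DUMMY = ("Password:", _SALT, _hash("unused", _SALT))

def login_verbose(username, password=None):
    """Mirrors the behaviour the advisory describes: replies depend on the failure."""
    if username not in USERS:
        return "User not found"
    scheme, salt, stored = USERS[username]
    if password is None:
        return scheme  # the prompt text reveals the authentication method
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Access denied by FireWall-1 authentication"

def login_uniform(username, password=None):
    """Hardened form: one prompt and one failure message for every case."""
    _, salt, stored = USERS.get(username, _DUMMY)
    if password is None:
        return "Password:"
    # Hash even for unknown users so the work done does not depend on the name.
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and username in USERS:
        return "OK"
    return "Access denied"

def distinguishes_accounts(login, known="alice", unknown="no-such-user"):
    """Regression check: True if any reply differs between a real and a fake name."""
    probes = [None, "definitely-wrong"]
    return any(login(known, p) != login(unknown, p) for p in probes)
```

A check like `distinguishes_accounts` belongs in the test suite of any login front end, so that a later change to the error text cannot quietly reintroduce the distinction.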