A simple case of useful error messages in the Checkpoint VPN-1 client could betray information that can be used by a hacker, security experts have warned.
In a notice explaining the problem Securiteam, which discovered the glitch, said: "During an authentication attempt in the VPN-1 SecuRemote Authentication dialog box, a failed login due to an incorrect username or password will result in different responses, depending on the nature of the failure.
"If the username is valid and the password is incorrect, SecuRemote will return a dialog box with the message 'Access denied by FireWall-1 authentication'. However, if the username is invalid, SecuRemote will return a dialog box with the message 'User not found'."
Although this is not technically a security hole "it does allow someone to determine valid firewall usernames using brute force techniques", the experts warned.
What appears to be a more worrying problem is that the error messages will also identify which authentication method the user has.
Specifying a username without a password then will re-display the authentication window but with a different password prompt such as 'FireWall-1 Password:' or 'PASSCODE:' also giving a potential attacker useful information.
Securiteam said that one workaround would be to create a user called 'generic*' which matches any username and helps obscure the real users.
Security group @stake said that, although this is another good example of why generic error messages for authentication mechanisms can help, there are always two sides to any argument, even when user experience is the business driver.
The advisory is posted here.
Comcast's £29.7bn winning bid more than twice the £13.7bn Rupert Murdoch valued Sky at just eight years ago
A nuclear strike has been considered, but Bruce Willis is nowhere in sight
Spray-on antenna could enable seamless integration of antennas with everyday objects
Parker Solar Probe, TESS and GOLD missions will deliver exciting data, claims NASA