
Checkpoint Endpoint Security Media Encryption EPM Explorer Bypass
Posted Nov 14, 2013
Authored by Pedro Andujar

Checkpoint Endpoint Security Media Encryption Explorer version 4.97.2 (Endpoint Security R73) contains two issues which can help to bypass the failed password attempts limit established in the password policy.

tags | advisory, bypass
advisories | CVE-2013-5635, CVE-2013-5636
MD5 | da697a63cf1a11164411d7832782e2b0


===============================
- Advisory -
===============================

Title: Checkpoint Endpoint Security Media Encryption EPM Explorer. Failed password limit bypass.
Risk: Low to Medium
Date: 13.Nov.2013
Author: Pedro Andujar


.: [ INTRO ] :.

Checkpoint Endpoint Security Media Encryption EPM Explorer (Unlock.exe) ships with the Endpoint Security
suite and is used as a standalone tool to access the content of encrypted removable devices from
computers without Media Encryption installed.


.: [ TECHNICAL DESCRIPTION ] :.

Checkpoint Endpoint Security Media Encryption Explorer v4.97.2 (Endpoint Security R73) contains two
issues which can help to bypass the failed password attempts limit established in the password policy.

When accessing an encrypted removable device from a computer without Endpoint Security installed on it,
the device should contain the files described below:

DVREM.EPM - Encrypted Portable Media (aka the encrypted volume which contains data)
Unlock.exe - EPM Explorer (software which allows you to decrypt and access the content)

Although other scenarios offer better performance (such as attacking the EPM directly), less skilled attackers
can take advantage of Unlock.exe to attempt to brute-force the password.


.: [ ISSUE #1 ] :.

Name: Multiple Unlock.exe instances
Severity: Low
CVE: CVE-2013-5635
CWE-372: Incomplete Internal State Distinction

If the password policy sets a limit of 5 failed password attempts before the device is locked, executing n instances
of Unlock.exe at the same time allows n x 5 password attempts (5 for each instance).

Controls should be applied to prevent multiple EPM Explorer instances from running concurrently, or at least
to synchronize the failed password attempt state between them.
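As an added illustration of the synchronization this issue calls for (example code written for this page, not Check Point's), the failed-attempt budget below is kept in one shared state file and every check-and-increment happens under a cross-process lock. Four simulated explorer instances making five wrong guesses each therefore get five evaluated guesses in total, not twenty. The state path, the lock directory, the mkdir-based lock (chosen because directory creation is atomic and portable) and the 5-attempt limit are assumptions of the example; the password comparison is a placeholder for the real unlock routine.

```python
import hmac
import json
import os
import tempfile
import threading
import time

# Constructed example, not Check Point's code: one failed-attempt counter
# shared by every explorer instance, updated under a cross-process lock.
MAX_ATTEMPTS = 5  # the 5-attempt policy limit cited in the advisory


def _acquire(lock_dir, timeout=5.0):
    """Take a lock by atomically creating a directory; works across processes,
    not only threads. Spins until it succeeds or the timeout expires."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            os.mkdir(lock_dir)
            return
        except FileExistsError:
            if time.monotonic() > deadline:
                raise TimeoutError("lockout store busy")
            time.sleep(0.001)


def _release(lock_dir):
    os.rmdir(lock_dir)


class LockoutStore:
    """Failed-attempt state for one container, kept OUTSIDE the container file
    so that re-copying the container does not reset it."""

    def __init__(self, state_path):
        self.state_path = state_path
        self.lock_dir = state_path + ".lock"

    def _load(self):
        try:
            with open(self.state_path) as f:
                return json.load(f)
        except FileNotFoundError:
            return {"failures": 0}

    def _save(self, state):
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(state, f)
        os.replace(tmp, self.state_path)  # atomic rename, no torn writes

    def try_password(self, submitted, correct):
        """Returns 'ok', 'wrong' or 'locked'. Check and increment run under the
        lock, so two instances cannot both observe failures == 4 and each
        grant a fifth attempt."""
        _acquire(self.lock_dir)
        try:
            state = self._load()
            if state["failures"] >= MAX_ATTEMPTS:
                return "locked"
            # Placeholder for the real KDF/unlock; constant-time compare.
            if hmac.compare_digest(submitted.encode(), correct.encode()):
                state["failures"] = 0
                self._save(state)
                return "ok"
            state["failures"] += 1
            self._save(state)
            return "wrong"
        finally:
            _release(self.lock_dir)


def fresh_store():
    """New store in a temporary directory (stands in for a per-device path)."""
    workdir = tempfile.mkdtemp()
    return LockoutStore(os.path.join(workdir, "DVREM.EPM.lockout"))


def simulate_instances(n_instances, attempts_each):
    """Run n explorer instances (threads here) that each make attempts_each
    wrong guesses against the same container. Returns (evaluated, rejected)."""
    store = fresh_store()
    results = []
    results_lock = threading.Lock()

    def instance():
        for i in range(attempts_each):
            r = store.try_password("guess%d" % i, "correct-horse")
            with results_lock:
                results.append(r)

    threads = [threading.Thread(target=instance) for _ in range(n_instances)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count("wrong"), results.count("locked")


if __name__ == "__main__":
    evaluated, rejected = simulate_instances(4, 5)
    print("guesses evaluated:", evaluated, "rejected as locked:", rejected)
```

With the shared store, the number of evaluated guesses is bounded by the policy regardless of how many instances run; without it (each instance keeping its own counter in memory) the same run would evaluate all twenty.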



.: [ ISSUE #2 ] :.

Name: Device link not enforced
Severity: Low
CVE: CVE-2013-5636
CWE-285: Improper Authorization

Unlock.exe contains restrictions that force the EPM file to be stored at the top of the directory tree,
directly after the drive letter and colon (e.g. X:\DVREM.EPM), so it cannot be inside a folder. But this is not enough:
the file can still be extracted from the removable media and stored on a different drive.

Allowing Unlock.exe to run and access an EPM stored on a different device/drive increases the window
of time for attackers, who can try to access the information without having the originally encrypted device in
their hands.

Additionally, every time the EPM is overwritten by a fresh copy of itself, the failed password attempt counter is reset,
allowing another 5 attempts, so an unlimited number of attempts can be performed.

This characteristic opens up some social engineering attack scenarios, such as copying the EPM and Unlock.exe before
returning a borrowed device to its original owner, or just taking it for a few seconds while the owner is not paying attention.

Ideally the EPM file should be associated with the device ID at creation time, and EPM Explorer should check
the device ID (or another unique device identifier) to prevent it from opening the EPM in a different location.
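The following is an added example of the device binding proposed above (written for this page; it is not Check Point's code and makes no claim about the EPM format). The container header records a hash of the device it was created on, and that binding is authenticated with a password-derived key, so a copy placed on another drive is refused before any password is evaluated, and a header whose device field has been rewritten to match the new drive is detected as tampered. Device identifiers are plain strings here; a real explorer would read the volume or hardware serial of the drive the EPM sits on, which is not shown. The KDF iteration count and the header field names are assumptions of the example.

```python
import hashlib
import hmac
import os

# Constructed illustration, not Check Point's code: an EPM-like container
# header bound to the device it was created on, with the binding protected
# by a password-derived key.
KDF_ITERATIONS = 100_000  # illustrative; tune for the target hardware


def device_hash(device_id):
    """Value stored in the header: a hash of the device id, never the raw id."""
    return hashlib.sha256(device_id.encode()).hexdigest()


def derive_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def _tag(key, label, data):
    # Domain-separated MAC so the password verifier and the binding tag differ.
    return hmac.new(key, label.encode() + b"\0" + data.encode(), "sha256").hexdigest()


def create_container(password, device_id):
    """Header for a new container, bound to device_id at creation time."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    bound = device_hash(device_id)
    return {
        "salt": salt.hex(),
        "device": bound,
        "verifier": _tag(key, "verifier", ""),   # proves the password is right
        "binding": _tag(key, "binding", bound),  # proves 'device' is unmodified
    }


def open_container(header, password, current_device_id):
    """Explorer-side check before decryption. Returns one of:
    'wrong_device' - container is not on the device it was bound to
    'bad_password' - wrong password (this is what a failed attempt counts)
    'tampered'     - header 'device' field rewritten without knowing the key
    'ok'           - all checks passed, decryption may proceed"""
    # 1. Refuse before evaluating any password if the drive does not match;
    #    this closes the "copy the EPM to another drive" window.
    if not hmac.compare_digest(header["device"], device_hash(current_device_id)):
        return "wrong_device"
    key = derive_key(password, bytes.fromhex(header["salt"]))
    # 2. Is the password right?
    if not hmac.compare_digest(_tag(key, "verifier", ""), header["verifier"]):
        return "bad_password"
    # 3. Has the binding been rewritten to point at this drive? Only someone
    #    who knows the password can produce a valid binding tag.
    if not hmac.compare_digest(_tag(key, "binding", header["device"]), header["binding"]):
        return "tampered"
    return "ok"


if __name__ == "__main__":
    hdr = create_container("correct-horse", "volume-serial-A")  # constructed ids
    print(open_container(hdr, "correct-horse", "volume-serial-A"))  # ok
    print(open_container(hdr, "correct-horse", "volume-serial-B"))  # wrong_device
```

The order of the checks matters: the device comparison comes first so that a copied container yields no password oracle at all, and the failed-attempt counter that backs the policy limit must live outside the container file, otherwise overwriting the file with a fresh copy resets it, which is exactly the reset described above.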



.: [ CHANGELOG ] :.

* 16/Dec/2012: - Issue found
* 25/Aug/2013: - Vendor contacted
* 26/Aug/2013: - Vendor Ack
* 11/Nov/2013: - Vendor finished the fix for Issue #1
               - Issue #2 considered not fixable
* 14/Nov/2013: - Public Disclosure



.: [ SOLUTIONS ] :.

Check Point offers an improved client for this issue.

Solution ID: sk96589
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk96589



.: [ REFERENCES ] :.

[+] Check Point EndPoint Security R73
http://downloads.checkpoint.com/dc/download.htm?ID=10580

[+] Checkpoint Security Alerts
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsecurityalerts

[+] !dSR - Digital Security Research
http://www.digitalsec.net/






-=EOF=-
