CVE-2008-0662 in Vpn-1 Secureclient
Summary
by MITRE
The Auto Local Logon feature in Check Point VPN-1 SecuRemote/SecureClient NGX R60 and R56 for Windows caches credentials under the Checkpoint\SecuRemote registry key, which has Everyone/Full Control permissions, which allows local users to gain privileges by reading and reusing the credentials.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 08/04/2019
The vulnerability identified as CVE-2008-0662 resides within the Check Point VPN-1 SecuRemote/SecureClient NGX versions R60 and R56 for Windows operating systems, specifically affecting the Auto Local Logon functionality. This feature, designed to streamline user authentication processes by automatically logging users into the VPN client, introduces a critical security flaw through its improper handling of credential storage. The vulnerability stems from the application's failure to implement adequate access controls when storing authentication credentials in the Windows registry, creating an exploitable condition that undermines the fundamental security principles of credential protection.
The technical implementation of this vulnerability involves the storage of sensitive authentication information within the Windows registry under the specific path Checkpoint\SecuRemote, where the registry key is configured with overly permissive permissions. This misconfiguration grants the Everyone group full control access rights to the registry key, effectively allowing any local user account on the system to read, modify, and execute operations against the stored credentials. The flaw represents a classic example of insecure credential storage practices, where sensitive data is not adequately protected through proper access control mechanisms, thereby violating the principle of least privilege that should govern all security-sensitive system components.
The operational impact of this vulnerability extends beyond simple credential exposure, as it provides local attackers with the means to escalate their privileges within the system. Once an attacker gains access to the cached credentials, they can leverage these stored authentication details to establish unauthorized VPN connections, potentially gaining access to corporate networks and sensitive resources that would otherwise require legitimate authentication. This scenario creates a pathway for privilege escalation attacks, where local users can effectively bypass the normal authentication mechanisms and assume the identity of authorized users within the network infrastructure. The vulnerability is particularly concerning because it operates at the local system level, meaning that any user with local access to the machine can exploit this weakness without requiring network-based attacks or additional authentication vectors.
From a cybersecurity framework perspective, this vulnerability aligns with CWE-312 (Cleartext Storage of Sensitive Information) and CWE-284 (Improper Access Control), demonstrating how inadequate access control measures combined with insecure data storage practices create exploitable conditions. The vulnerability also maps to several ATT&CK techniques including T1566 (Phishing for Information) and T1078 (Valid Accounts) where attackers can leverage stolen credentials to maintain persistent access to target systems. Organizations implementing Check Point VPN-1 SecuRemote/SecureClient NGX R60 and R56 should immediately implement mitigations including restricting registry permissions for the Checkpoint\SecuRemote key, disabling the Auto Local Logon feature, and implementing proper credential management policies. Additionally, system administrators should conduct regular audits of registry permissions and consider implementing additional security controls such as mandatory access controls and privilege monitoring to detect unauthorized credential access attempts. The vulnerability highlights the critical importance of proper access control implementation and secure credential storage practices in enterprise security solutions, as even well-intentioned features can introduce significant security risks when not properly secured against local privilege escalation attacks.