Full Disclosure mailing list archives
Buffer Overflow in ISAKMP-Process at Checkpoint VPN-1 (the VPN component commonly deployed on Checkpoint Firewall-1 installations)
From: Olaf Hahn <olaf.hahn () qsc de>
Date: Thu, 05 Feb 2004 11:58:08 +0100
Advisories Internet Security Systems Security Advisory February 4, 2004 Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow Synopsis: ISS X-Force has discovered a flaw in the ISAKMP processing for both the Checkpoint VPN-1 server and Checkpoint VPN clients (Securemote/ SecureClient). These products collaborate to provide VPN access to corporate networks for remote client computers. VPN-1 is the VPN component commonly deployed on Checkpoint Firewall-1 installations. The IKE component of these products allows for the unidirectional or bidirectional authentication of two remote nodes as well as the negotiation of cryptographic capabilities and keys. A buffer overflow vulnerabilityexists when attempting to handle large certificate payloads.
Impact: A remote attacker may exploit this flaw to remotely compromise any VPN-1 server and/or client system running SecureClient/SecureClient. X-Force has developed functional exploit code for this vulnerability and has demonstrated successful attacks using real-world scenarios. Successful compromise of the VPN-1 server can lead directly to complete compromise of the entire Checkpoint Firewall-1 server. Remote attackers can leverage this attack to successfully compromise heavily hardened networks by modifying or tampering with the firewall rules and configuration. Attackers will be able to run commands under the security context of the super-user, usually "SYSTEM", or "root". Any properly configured Firewall-1 among the affected versions with VPN support is vulnerable to this attack by default. In addition, affected versions of VPN-1 SecureRemote / SecureClient are vulnerable to complete remote compromise, expanding exposure to remote VPN clients. Affected Versions: Checkpoint VPN-1 Server 4.1 up to and including SP6 with OpenSSL Hotfix Checkpoint SecuRemote/SecureClient 4.1 up to and including build 4200 Description: Internet Key Exchange (IKE) is used to negotiate and exchange keys for encrypted transport or tunneling of network traffic over a Virtual Private Network (VPN). The network protocol used to facilitate this exchange is the Internet Security Association and Key Management Protocol (ISAKMP). The affected versions of Checkpoint’s VPN implementation contain a critical flaw which may expose protected network segments to remote attack. A vulnerability exists when handling ISAKMP packets with large Certificate Request payloads. This can be triggered by a remote unauthenticated attacker during the initial phases of an IKE negotiation. It is not necessary to impersonate a known VPN server to exploit client systems, and VPN servers are equally vulnerable. As this attack does not require any interaction with the target system, it can be performed via UDP with a spoofed source address concealing the identity of an attacker. The vulnerability exists in code intended to process certificate requests received from a remote host. Adequate bounds-checking is not performed and a simple stack overflow can be triggered. It is believed to be trivial to leverage this vulnerability to achieve reliable remote code execution. Recommendations: For immediate vulnerability remediation, Internet Security Systems will provide the following protection updates for its Proventia networkprotection products.
Proventia M Series 1.7: ISAKMP_Certificate_Request_Overflow_ -(http://xforce.iss.net/xforce/xfdb/14150)
Proventia G Series 22.9: ISAKMP_Certificate_Request_Overflow_ -(http://xforce.iss.net/xforce/xfdb/14150)
Proventia A Series 22.9: ISAKMP_Certificate_Request_Overflow_ -(http://xforce.iss.net/xforce/xfdb/14150)
RealSecure Network 22.9: ISAKMP_Certificate_Request_Overflow -(http://xforce.iss.net/xforce/xfdb/14150)
All updates listed above will be available from the ISS Download center shortly: http://www.iss.net/download There is no effective workaround for this vulnerability. Upgrading to the NG versions of VPN-1 Server and SecureRemote/Client will remove thisvulnerability.
Checkpoint no longer supports the versions of VPN-1 and SecureRemote/ SecureClient affected by this vulnerability. Checkpoint recommends that all affected users upgrade to Firewall-1 NG FP1 or greater. Vendor Notification Schedule: Vendor notified – 2/2/2004 Checkpoint patch developed and made available – 2/4/2004 ISS X-Force Advisory released – 2/4/2004 ISS X-Force published this Security Advisory in coordination with the affected vendor in accordance to our published Vulnerability Disclosure Guidelines, available at the following address: http://documents.iss.net/literature/vulnerability_guidelines.pdf Additional Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0040 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Credit: This vulnerability was discovered and researched by Mark Dowd and Neel Mehta of the ISS X-Force. ______ About Internet Security Systems (ISS) Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. Copyright (c) 2004 Internet Security Systems, Inc. All rights reserved worldwide. This document is not to be edited or altered in any way without the express written consent of Internet Security Systems, Inc. If you wish to reprint the whole or any part of this document, please email xforce () iss net <mailto:xforce () iss net>for permission. You may provide links to this document from your web site, and you may make copies of this document inaccordance with the fair use doctrine of the U.S. copyright laws.
Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php Please send suggestions, updates, and comments to: X-Forcexforce () iss net <mailto:xforce () iss net>of Internet Security Systems, Inc.
--Mit freundlichen Grüssen Olaf Hahn Datennetzdienste/Security QSC AG Mathias-Brüggen-Str. 55 50829 Köln Phone: +49 221 6698-443 Fax: +49 221 6698-409 E-Mail: olaf.hahn () qsc de
Internet: http://www.qsc.de ************************************Paranoid zu sein heisst nicht, dass nicht doch jemand hinter einem steht
************************************ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Buffer Overflow in ISAKMP-Process at Checkpoint VPN-1 (the VPN component commonly deployed on Checkpoint Firewall-1 installations) Olaf Hahn (Feb 05)
