ISS Security Brief: Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow

From: X-Force (xforce_at_iss.net)
Date: 02/05/04

  • Next message: X-Force: "ISS Security Alert Summary AS04-06" 
    To: alert@iss.net
Date: Wed, 4 Feb 2004 20:02:25 -0500 (EST)

    -----BEGIN PGP SIGNED MESSAGE-----

    Internet Security Systems Security Brief
    February 4, 2004

    Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow
     
    Synopsis:

    ISS X-Force has discovered a flaw in the ISAKMP processing for both the
    Checkpoint VPN-1 server and Checkpoint VPN clients (Securemote/
    SecureClient). These products collaborate to provide VPN access to
    corporate networks for remote client computers. VPN-1 is the VPN component
    commonly deployed on Checkpoint Firewall-1 installations. The IKE
    component of these products allows for the unidirectional or bidirectional
    authentication of two remote nodes as well as the negotiation of
    cryptographic capabilities and keys. A buffer overflow vulnerability
    exists when attempting to handle large certificate payloads.

    Impact:

    A remote attacker may exploit this flaw to remotely compromise any VPN-1
    server and/or client system running SecureClient/SecureClient. X-Force has
    developed functional exploit code for this vulnerability and has
    demonstrated successful attacks using real-world scenarios. Successful
    compromise of the VPN-1 server can lead directly to complete compromise of
    the entire Checkpoint Firewall-1 server.

    Remote attackers can leverage this attack to successfully compromise
    heavily hardened networks by modifying or tampering with the firewall
    rules and configuration. Attackers will be able to run commands under the
    security context of the super-user, usually "SYSTEM", or "root". Any
    properly configured Firewall-1 among the affected versions with VPN
    support is vulnerable to this attack by default.

    In addition, affected versions of VPN-1 SecureRemote / SecureClient are
    vulnerable to complete remote compromise, expanding exposure to remote
    VPN clients.

    Affected Versions:

    Checkpoint VPN-1 Server 4.1 up to and including SP6 with OpenSSL Hotfix
    Checkpoint SecuRemote/SecureClient 4.1 up to and including build 4200

    For the complete ISS X-Force Security Advisory, please visit:
    http://xforce.iss.net/xforce/alerts/id/163

    ______

    About Internet Security Systems (ISS)
    Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
    pioneer and world leader in software and services that protect critical
    online resources from an ever-changing spectrum of threats and misuse.
    Internet Security Systems is headquartered in Atlanta, GA, with
    additional operations throughout the Americas, Asia, Australia, Europe
    and the Middle East.

    Copyright (c) 2004 Internet Security Systems, Inc. All rights reserved
    worldwide.

    Permission is hereby granted for the electronic redistribution of this
    document. It is not to be edited or altered in any way without the
    express written consent of the Internet Security Systems X-Force. If you
    wish to reprint the whole or any part of this document in any other
    medium excluding electronic media, please email xforce@iss.net for
    permission.

    Disclaimer: The information within this paper may change without notice.
    Use of this information constitutes acceptance for use in an AS IS
    condition. There are NO warranties, implied or otherwise, with regard to
    this information or its use. Any use of this information is at the
    user's risk. In no event shall the author/distributor (Internet Security
    Systems X-Force) be held liable for any damages whatsoever arising out
    of or in connection with the use or spread of this information.
    X-Force PGP Key available on MIT's PGP key server and PGP.com's key server,
    as well as at http://www.iss.net/security_center/sensitive.php
    Please send suggestions, updates, and comments to: X-Force
    xforce@iss.net of Internet Security Systems, Inc.

    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.2

    iQCVAwUBQCGV4DRfJiV99eG9AQFOCgP+I6DMjf+aKGOClIMHEjt0AbJeIpZBep19
    YqWb8RQQlb+8t4pMrHICOqzf8pAn81ClrPMAu4Yi7NPTegfshnXZ8WZUvwoowyBx
    dnMRbLanPFKl5zQUSEGbuIP4BBglMINrQOMGgR/kC6FHY8EfahRihYRmXzVpz5oy
    OyVeANkYM90=
    =90Od
    -----END PGP SIGNATURE-----

  • Next message: X-Force: "ISS Security Alert Summary AS04-06"