[NEWS] Check Point VPN-1 ASN.1 Decoding Remote Compromise

From: SecuriTeam (support_at_securiteam.com)
Date: 08/04/04

    To: list@securiteam.com
    Date: 4 Aug 2004 00:45:05 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Check Point VPN-1 ASN.1 Decoding Remote Compromise
    ------------------------------------------------------------------------

    SUMMARY

     VPN-1 Pro <http://www.checkpoint.com/products/vpn-1_pro/index.html> is
    "an integrated VPN-1 and FireWall-1 gateway, offers management capability,
    attack protection and traffic shaping technology. VPN-1 Pro utilizes
    INSPECT, the industry's most adaptive and intelligent inspection
    technology, to protect the privacy of business communications over the
    Internet while securing critical network resources against unauthorized
    access."

    An attacker who initiates an IKE negotiation with a VPN-1 gateway can
    trigger a heap-based buffer overflow in the ASN.1 decoding library the
    gateway uses to parse the exchange, before any authentication completes.

    DETAILS

    Vulnerable Systems:
     * VPN-1/FireWall-1 NG with Application Intelligence R54
     * VPN-1/FireWall-1 NG with Application Intelligence R55
     * VPN-1/FireWall-1 NG with Application Intelligence R55W
     * VPN-1/FireWall-1 Next Generation FP3
     * VPN-1/FireWall-1 VSX
     * FireWall-1 GX
     * VPN-1 SecuRemote/SecureClient All Versions

    CVE Information:
     CAN-2004-0699 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0699>

    Internet Key Exchange (IKE) is used to negotiate security associations
    and exchange keys for the encrypted transport or tunneling of network
    traffic over a Virtual Private Network (VPN). IKE messages are carried by
    the Internet Security Association and Key Management Protocol (ISAKMP),
    normally over UDP port 500.

    Several fields within ISAKMP payloads are ASN.1 encoded, and the VPN-1
    gateway decodes them as part of the initial connection setup, before the
    peer has authenticated. A malformed encoding causes the decoder to write
    an attacker-controlled amount of data past the end of a heap buffer,
    which may result in complete compromise of the VPN-1 gateway.

    This vulnerability can be triggered by an unauthenticated remote attacker
    with a single packet. Where IKE negotiation over UDP is enabled (the
    standard transport, so this is the usual case), no prior handshake is
    required, so the packet can carry a forged source address: the attacker
    can conceal the origin of the attack and perform a blind-spoofed attack.
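    The decoding step described above, as an added example that is not part
    of the original advisory and not Check Point's code: a small DER
    tag-length parser in C that shows the general defect class (copying as
    many octets as the peer's length field declares) beside the bounded
    version that a decoder fed unauthenticated ISAKMP payloads needs. The
    sample payloads, the 64-byte destination buffer and the function names
    are constructed for illustration; the advisory does not publish which
    ISAKMP field is affected or how the Check Point decoder is built, and this
    code does not claim to reproduce either.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded DER tag-length header. */
typedef struct {
    uint8_t tag;       /* identifier octet */
    size_t  hdr_len;   /* octets used by tag + length */
    size_t  len;       /* content length the sender declared */
} der_tl;

/* Decode a DER tag and length from p[0..n). Returns 0 on success, -1 on
 * malformed input. Rejects indefinite and non-minimal lengths (neither is
 * legal DER). It deliberately does NOT verify that `len` content octets
 * are actually present: that is the caller's check, and the two callers
 * below differ exactly in whether they make it. */
static int der_read_tl(const uint8_t *p, size_t n, der_tl *out)
{
    if (n < 2) return -1;
    out->tag = p[0];
    uint8_t b = p[1];
    if (b < 0x80) {                       /* short form: length in one octet */
        out->len = b;
        out->hdr_len = 2;
        return 0;
    }
    if (b == 0x80) return -1;             /* indefinite form: BER only */
    size_t lenlen = b & 0x7f;             /* long form: number of length octets */
    if (lenlen > sizeof(size_t) || n - 2 < lenlen) return -1;
    if (p[2] == 0) return -1;             /* leading zero octet: not minimal */
    size_t len = 0;
    for (size_t i = 0; i < lenlen; i++)
        len = (len << 8) | p[2 + i];
    if (len < 0x80) return -1;            /* should have used the short form */
    out->len = len;
    out->hdr_len = 2 + lenlen;
    return 0;
}

/* VULNERABLE pattern: copies `len` octets because the sender said so.
 * With a crafted header the copy runs past the end of the packet and past
 * the end of `out`; a malloc'd `out` gives a heap overflow whose size the
 * peer controls. Kept only to show the defect; never call it on untrusted
 * input. */
static int der_copy_octets_unsafe(const uint8_t *p, size_t n,
                                  uint8_t *out, size_t out_cap)
{
    der_tl tl;
    if (der_read_tl(p, n, &tl) != 0) return -1;
    (void)out_cap;                        /* never consulted: the bug */
    memcpy(out, p + tl.hdr_len, tl.len);
    return (int)tl.len;
}

/* HARDENED: the declared length must fit both the remaining input and the
 * destination. Subtracting hdr_len (already known to be <= n) instead of
 * adding it to len avoids an integer-overflow bypass of the bound check. */
static int der_copy_octets_safe(const uint8_t *p, size_t n,
                                uint8_t *out, size_t out_cap)
{
    der_tl tl;
    if (der_read_tl(p, n, &tl) != 0) return -1;
    if (tl.len > n - tl.hdr_len) return -1;   /* claims more than the packet holds */
    if (tl.len > out_cap) return -1;          /* would not fit the buffer */
    memcpy(out, p + tl.hdr_len, tl.len);
    return (int)tl.len;
}

/* Constructed sample inputs (hand-written for this example, not captured traffic). */
static const uint8_t kBenign[]     = { 0x04, 0x03, 'a', 'b', 'c' };        /* OCTET STRING "abc" */
static const uint8_t kOversized[]  = { 0x04, 0x84, 0x7f, 0xff, 0xff, 0xff, /* claims ~2 GiB ... */
                                       0x41, 0x41 };                       /* ... delivers 2 bytes */
static const uint8_t kIndefinite[] = { 0x04, 0x80, 0x00, 0x00 };           /* indefinite length */
static const uint8_t kNonMinimal[] = { 0x04, 0x81, 0x05, 'h', 'e', 'l', 'l', 'o' }; /* long form for 5 */

int main(void)
{
    uint8_t buf[64];
    der_tl tl;

    printf("benign     safe=%d\n", der_copy_octets_safe(kBenign, sizeof kBenign, buf, sizeof buf));
    printf("oversized  safe=%d\n", der_copy_octets_safe(kOversized, sizeof kOversized, buf, sizeof buf));
    printf("indefinite safe=%d\n", der_copy_octets_safe(kIndefinite, sizeof kIndefinite, buf, sizeof buf));
    printf("nonminimal safe=%d\n", der_copy_octets_safe(kNonMinimal, sizeof kNonMinimal, buf, sizeof buf));

    /* Report what the unsafe decoder would have done, without doing it. */
    if (der_read_tl(kOversized, sizeof kOversized, &tl) == 0)
        printf("unsafe would memcpy %zu octets into a %zu-byte buffer from a %zu-byte packet\n",
               tl.len, sizeof buf, sizeof kOversized);
    return 0;
}
```

    Build with `cc -std=c99 -Wall der_len.c`. The hardened decoder rejects
    the oversized, indefinite and non-minimal samples and accepts only the
    well-formed one; the unsafe decoder accepts the same well-formed input
    and would, on the oversized sample, copy the declared 0x7fffffff octets
    out of an 8-byte packet. That gap between "bytes declared" and "bytes
    present" is the whole of the defect class, which is why the bound check
    belongs next to the length decode rather than somewhere later in the
    caller.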

    Impact:
    Successful exploitation gives an unauthenticated remote attacker control
    of the VPN-1 gateway and, through it, unauthorized access to the networks
    it protects. Compromise of a VPN gateway may expose confidential
    information, cause loss of productivity, and serve as a foothold for
    further network compromise. Operational VPN-1 installations are likely to
    be vulnerable in their default configurations.

    Patch Availability:
    Vendor-supplied patches for the issue described in this advisory are
    available from: <http://www.checkpoint.com/techsupport/alerts/asn1.html>

    ADDITIONAL INFORMATION

    The original article can be found at:
    <http://xforce.iss.net/xforce/alerts/id/178>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

