[NEWS] Check Point VPN-1 ASN.1 Decoding Remote Compromise
From: SecuriTeam (support_at_securiteam.com)
To: email@example.com Date: 4 Aug 2004 00:45:05 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Check Point VPN-1 ASN.1 Decoding Remote Compromise
<http://www.checkpoint.com/products/vpn-1_pro/index.html> VPN-1 Pro is
"an integrated VPN-1 and FireWall-1 gateway, offers management capability,
attack protection and traffic shaping technology. VPN-1 Pro utilizes
INSPECT, the industry''s most adaptive and intelligent inspection
technology, to protect the privacy of business communications over the
Internet while securing critical network resources against unauthorized
When establishing an encrypted connection to a virtual private network
(VPN), it is possible for an attacker to trigger a buffer overflow
vulnerability in an ASN.1 decoding library.
* VPN-1/FireWall-1 NG with Application Intelligence R54
* VPN-1/FireWall-1 NG with Application Intelligence R55
* VPN-1/FireWall-1 NG with Application Intelligence R55W
* VPN-1/FireWall-1 Next Generation FP3
* VPN-1/FireWall-1 VSX FireWall-1 GX
* VPN-1 SecuRemote/SecureClient All Versions
Internet Key Exchange (IKE) is used to negotiate and exchange keys for
encrypted transport or tunneling of network traffic over a Virtual Private
Network (VPN). The network protocol used to facilitate this exchange is
the Internet Security Association and Key Management Protocol (ISAKMP).
Various protocol fields within ISAKMP are ASN.1 encoded and the VPN-1
server will decode these fields as part of the initial encrypted
connection setup. When performing this decoding, it is possible for an
attacker to trigger an arbitrary-length heap overflow which may result in
complete compromise of the VPN-1 server.
This vulnerability can be triggered by an unauthenticated remote attacker
through a single-packet attack. If UDP-based IKE negotiation is enabled,
it may be possible for attackers to conceal the source of attacks and
perform a blind-spoofed attack.
Compromise of VPN-1 networks may lead to exposure of confidential
information, loss of productivity, and further network compromise.
Successful exploitation of this vulnerability could be used to gain
unauthorized access to networks being protected by Check Point's VPN-1
product. No authentication would be required for an attacker to leverage
this vulnerability to compromise a VPN, and operational VPN-1
installations will likely be vulnerable in their default configurations.
Vendor-supplied patches for the issue described in this advisory are
available from: <http://www.checkpoint.com/techsupport/alerts/asn1.html>
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.