[NT] Sygate Secure Enterprise Replay Attack

From: SecuriTeam (support_at_securiteam.com)
Date: 08/11/04

    To: list@securiteam.com
    Date: 11 Aug 2004 17:37:37 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Sygate Secure Enterprise Replay Attack
    ------------------------------------------------------------------------

    SUMMARY

    Sygate Secure Enterprise (SSE)
    <http://www.sygate.com/products/enterprise_policy_management.htm> provides
    "the necessary features required to scale policy management across the
    world's largest enterprises, driving individual and appropriate policies
    for up to hundreds of thousands of users". Part of this functionality is
    providing centralized logging functionality to both the Sygate Enforcer
    and Sygate Security Agent (SSA) products.

    In practice, the SSE uses HTTP to communicate with the SSA clients. These
    exchanges do not implement any form of replay protection, so an attacker
    can simply send repeated requests until all the resources on the host are
    exhausted.

    DETAILS

    Vulnerable Systems:
     * Sygate Secure Enterprise versions prior to 3.5MR3

    The SSE product communicates with valid SSA clients via the HTTP protocol.
    These exchanges include a number of fields that are encrypted using a
    static key (that is common across all SSA clients). Some of these fields
    uniquely identify the SSA client instance, and others contain the actual
    data payload, such as log entries for centralized storage, or
    authentication sequences.

    As the key used to encrypt the data never changes, and the fields include
    no replay protection, all an attacker need do is to capture a valid
    protocol session, then replay it against the server repeatedly until the
    server exhausts all its resources.
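    The missing control described above is freshness: with a key that is the
    same for every client and a message format that carries no nonce or
    timestamp, a correctly encrypted request captured once is indistinguishable
    from a new one, so the server will accept it every time it arrives. The
    following Python is an added example, not Sygate's protocol or code, and
    everything in it (the field names, the shared key value, the 300-second
    window, the two server variants) is assumed for illustration. It contrasts
    a server that accepts any message with a valid MAC, which is the behaviour
    the advisory describes, with one that binds a timestamp and a random nonce
    into the authenticated body and keeps a bounded table of nonces it has
    already seen, so a replayed message is rejected rather than processed.

```python
import hashlib
import hmac
import json
import os
import time
from collections import OrderedDict

# Assumed shared key (constructed for this example; a real deployment would not
# use one static key for all clients). The advisory's point is that the key
# alone cannot tell a fresh message from a replayed one.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"

# Assumed tolerance for clock skew and network delay between client and server.
REPLAY_WINDOW_SECONDS = 300


def build_message(client_id, payload, key=SHARED_KEY, now=None, nonce=None):
    """Client side: attach a timestamp and a random nonce, then MAC the whole body.

    `now` and `nonce` can be supplied so the example is deterministic in tests.
    """
    ts = int(time.time() if now is None else now)
    nonce_hex = (os.urandom(16) if nonce is None else nonce).hex()
    body = json.dumps(
        {"client_id": client_id, "ts": ts, "nonce": nonce_hex, "payload": payload},
        sort_keys=True,
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def _tag_is_valid(msg, key):
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


def accept_without_replay_check(msg, key=SHARED_KEY):
    """Vulnerable pattern: a valid tag is the only test, so a captured message
    is accepted again on every resend (the behaviour the advisory describes)."""
    return "accepted" if _tag_is_valid(msg, key) else "rejected: bad tag"


class ReplayRejectingServer:
    """Hardened pattern: check the tag, then freshness (timestamp window), then
    uniqueness (nonce not seen before), all over the authenticated body."""

    def __init__(self, key=SHARED_KEY, window=REPLAY_WINDOW_SECONDS, max_seen=10000):
        self.key = key
        self.window = window
        self.max_seen = max_seen
        self.seen = OrderedDict()  # (client_id, nonce) -> time after which it may be forgotten
        self.accepted = []         # payloads actually processed

    def _evict(self, now):
        # Forget nonces whose timestamp window has passed; they would fail the
        # staleness check anyway. Cap the table so the nonce cache itself
        # cannot be grown without bound by a flood of unique messages.
        for k in [k for k, expiry in self.seen.items() if expiry <= now]:
            del self.seen[k]
        while len(self.seen) > self.max_seen:
            self.seen.popitem(last=False)

    def handle(self, msg, now=None):
        now = time.time() if now is None else now
        if not _tag_is_valid(msg, self.key):
            return "rejected: bad tag"
        fields = json.loads(msg["body"])
        if abs(now - fields["ts"]) > self.window:
            return "rejected: stale timestamp"
        self._evict(now)
        key = (fields["client_id"], fields["nonce"])
        if key in self.seen:
            return "rejected: replay"
        self.seen[key] = fields["ts"] + self.window
        self.accepted.append(fields["payload"])
        return "accepted"


if __name__ == "__main__":
    msg = build_message("agent-1", {"log": "constructed sample entry"}, now=1000.0)
    print("naive, first delivery :", accept_without_replay_check(msg))
    print("naive, resent         :", accept_without_replay_check(msg))
    srv = ReplayRejectingServer()
    print("hardened, first       :", srv.handle(msg, now=1000.0))
    print("hardened, resent      :", srv.handle(msg, now=1001.0))
    print("hardened, much later  :", srv.handle(msg, now=2000.0))
```

    Two design points worth noting: the timestamp is inside the MACed body, so
    it cannot be bumped forward to refresh a captured message, and the
    staleness check runs before the nonce lookup, which is what allows the
    nonce table to be bounded. Logging the "rejected: replay" outcome with the
    client identifier is also the natural detection hook for a flood of
    replayed messages.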

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0163>
    CAN-2004-0163

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:martin.oneal@corsaire.com>
    Martin O'Neal.
    The original article can be found at:
    <http://www.corsaire.com/advisories/c031120-002.txt>
