[VulnWatch] Corsaire Security Advisory - Sygate Secure Enterprise replay issue

From: advisories (advisories_at_corsaire.com)
Date: 08/10/04

  • Next message: advisories: "[VulnWatch] Corsaire Security Advisory - Sygate Enforcer unauthenticated broadcast issue" 
    To: <vulnwatch@vulnwatch.org>
Date: Tue, 10 Aug 2004 17:36:07 +0100

    -- Corsaire Security Advisory --

    Title: Sygate Secure Enterprise replay issue
    Date: 20.11.03
    Application: Sygate Secure Enterprise prior to 3.5MR3
    Environment: Windows NT, 2000, 2003
    Author: Martin O'Neal [martin.oneal@corsaire.com]
    Audience: General distribution
    Reference: c031120-002

    -- Scope --

    The aim of this document is to clearly define an issue that exists with
    the Sygate Secure Enterprise (SSE) product [1] that will allow a remote
    attacker to exhaust resources on the server, potentially provoking a DoS
    condition.

    -- History --

    Discovered: 20.11.03 (Martin O'Neal)
    Vendor notified: 14.01.04
    Document released: 10.8.04

    -- Overview --

    The Sygate Secure Enterprise (SSE) [2] provides "the necessary features
    required to scale policy management across the world's largest
    enterprises, driving individual and appropriate policies for up to
    hundreds of thousands of users". Part of this functionality is providing
    centralised logging functionality to both the Sygate Enforcer and Sygate
    Security Agent (SSA) products.

    In practise, the SSE uses HTTP to communicate with the SSA clients.
    These exchanges do not implement any form of replay protection, so an
    attacker can simply send repeated requests until all the resources on
    the host are exhausted.

    -- Analysis --

    The SSE product communicates with valid SSA clients via the HTTP
    protocol. These exchanges include a number of fields that are encrypted
    using a static key (that is common across all SSA clients). Some of
    these fields uniquely identify the SSA client instance, and others
    contain the actual data payload, such as log entries for centralised
    storage, or authentication sequences.

    As the key used to encrypt the data never changes, and the fields
    include no replay protection, all an attacker need do is to capture a
    valid protocol session, then replay it against the server repeatedly
    until the server exhausts all its resources.

    -- Recommendations --

    The SSE product should be upgraded to a version that is not susceptible
    to this issue.

    -- Background --

    This issue was discovered using a custom protocol analysis tool
    developed by Corsaire's security assessment team. This tool is not
    available publicly, but is an example of the specialist approach used by
    Corsaire's consultants as part of a commercial security assessment. To
    find out more about the cutting edge services provided by Corsaire
    simply visit our web site at http://www.corsaire.com

    -- CVE --

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the name CAN-2004-0163 to this issue. This is a candidate for
    inclusion in the CVE list (http://cve.mitre.org), which standardises
    names for security problems.

    -- References --

    [1] http://www.sygate.com
    [2] http://www.sygate.com/products/enterprise_policy_management.htm

    -- Revision --

    a. Initial release.
    b. Corrected grammatical errors.
    c. Minor revisions.

    -- Distribution --

    This security advisory may be freely distributed, provided that it
    remains unaltered and in its original form.

    -- Disclaimer --

    The information contained within this advisory is supplied "as-is" with
    no warranties or guarantees of fitness of use or otherwise. Corsaire
    accepts no responsibility for any damage caused by the use or misuse of
    this information.

    -- About Corsaire --

    Corsaire are a leading information security consultancy, founded in 1997
    in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
    analytical rigour to every job, which means fast and dramatic security
    performance improvements. Our services centre on the delivery of
    information security planning, assessment, implementation, management
    and vulnerability research.

    A free guide to selecting a security assessment supplier is available at
    http://www.penetration-testing.com

    Copyright 2004 Corsaire Limited. All rights reserved.

  • Next message: advisories: "[VulnWatch] Corsaire Security Advisory - Sygate Enforcer unauthenticated broadcast issue"

    Relevant Pages

    • [Full-Disclosure] Corsaire Security Advisory - Sygate Secure Enterprise replay issue
      ... Sygate Secure Enterprise replay issue ... Sygate Secure Enterprise prior to 3.5MR3 ... Security Agent products. ... find out more about the cutting edge services provided by Corsaire ...
      (Full-Disclosure)
    • Corsaire Security Advisory - Sygate Secure Enterprise replay issue
      ... Sygate Secure Enterprise replay issue ... Sygate Secure Enterprise prior to 3.5MR3 ... Security Agent products. ... find out more about the cutting edge services provided by Corsaire ...
      (Bugtraq)
    • IRM 011: Sygate,Security Agent (Sygate Secure Enterprise) Fail Open DoS
      ... Sygate Security Agent (Sygate Secure Enterprise) Denial of Service ... rule-based security policy and controls application usage. ...
      (Bugtraq)
    • Re: [R] Celtic-Milan
      ... Is it normal for a 0-3 to be awarded because of lack of security? ... I remember a CWC vs. Rapid Wien in 1980s that had to be replayed on neutral ground because a Rapid player was alleged to have been hit by a coin. ... Celtic had won the original game but failed to progress after the replay. ...
      (rec.sport.soccer)
    • Re: /lib/ld-2.2.4.so
      ... >> this hole in my security give me a replay. ... > Unix file permission bits aren't really orthogonal, ... > playing with the r and x bits accomplishes nothing in terms of security. ...
      (Vuln-Dev)