[VulnWatch] Corsaire Security Advisory - Sygate Enforcer unauthenticated broadcast issue

From: advisories (advisories_at_corsaire.com)
Date: 08/10/04

  • Next message: Pentest Security Advisories: "[VulnWatch] ptl-2004-03: WIDCOMM Bluetooth Connectivity Software Buffer Overflows"
    To: <vulnwatch@vulnwatch.org>
    Date: Tue, 10 Aug 2004 17:41:34 +0100

    -- Corsaire Security Advisory --

    Title: Sygate Enforcer unauthenticated broadcast issue
    Date: 20.11.03
    Application: Sygate Enforcer prior to 3.5MR1
    Environment: Windows NT, 2000, 2003
    Author: Martin O'Neal [martin.oneal@corsaire.com]
    Audience: General distribution
    Reference: c031120-003

    -- Scope --

    The aim of this document is to clearly define an issue that exists with
    the Sygate Enforcer product [1] that will allow a remote attacker to
    pass broadcast traffic through the Enforcer prior to authentication.

    -- History --

    Discovered: 20.11.03 (Martin O'Neal)
    Vendor notified: 14.01.04
    Document released: 10.8.04

    -- Overview --

    Sygate Enforcers are described as [2] "network gateway devices that
    enforce host integrity at network access points". Architecturally they
    function as an authenticated, packet-filtering firewall device. The
    Enforcer interacts with the Sygate Security Agent (SAA [the personal
    firewall component]) product and limits access to protected
    networks/hosts to authenticated clients that comply with a predefined

    In practise, the Enforcer does not limit broadcast traffic (both local-
    net and all-nets) from passing through prior to authentication, allowing
    hosts that are protected by the Enforcer to still be attacked.

    -- Recommendations --

    The Enforcer product should be upgraded to a version that is not
    susceptible to this issue.

    If it is not possible to upgrade promptly, then it may be feasible to
    protect hosts that are not local to the Enforcer by reconfiguring router
    devices to not propagate broadcasts.

    -- Background --

    This issue was discovered using a custom protocol analysis tool
    developed by Corsaire's security assessment team. This tool is not
    available publicly, but is an example of the specialist approach used by
    Corsaire's consultants as part of a commercial security assessment. To
    find out more about the cutting edge services provided by Corsaire
    simply visit our web site at http://www.corsaire.com

    -- CVE --

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the name CAN-2004-0593 to this issue. This is a candidate for
    inclusion in the CVE list (http://cve.mitre.org), which standardises
    names for security problems.

    -- References --

    [1] http://www.sygate.com
    [2] http://www.sygate.com/products/universal_enforcement.htm

    -- Revision --

    a. Initial release.

    -- Distribution --

    This security advisory may be freely distributed, provided that it
    remains unaltered and in its original form.

    -- Disclaimer --

    The information contained within this advisory is supplied "as-is" with
    no warranties or guarantees of fitness of use or otherwise. Corsaire
    accepts no responsibility for any damage caused by the use or misuse of
    this information.

    -- About Corsaire --

    Corsaire are a leading information security consultancy, founded in 1997
    in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
    analytical rigour to every job, which means fast and dramatic security
    performance improvements. Our services centre on the delivery of
    information security planning, assessment, implementation, management
    and vulnerability research.

    A free guide to selecting a security assessment supplier is available at

    Copyright 2004 Corsaire Limited. All rights reserved.

  • Next message: Pentest Security Advisories: "[VulnWatch] ptl-2004-03: WIDCOMM Bluetooth Connectivity Software Buffer Overflows"

    Relevant Pages