Check Point Provider-1 IKE ASN.1 Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1010799
SecurityTracker URL: http://securitytracker.com/id?1010799
CVE Reference: CAN-2004-0699
Updated: Aug 2 2004
Original Entry Date: Jul 28 2004
Impact: Execution of arbitrary code via network, Host/resource access via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): R55 Prior to HFA-08, R54 Prior to HFA-412
Description: A buffer overflow vulnerability was reported in Check Point Provider-1 in the processing of IKE packets with ASN.1 encoded values. A remote user can execute arbitrary code on the target system.

Check Point reported that a remote user can send a malformed IKE packet to trigger a buffer overflow and execute arbitrary code on the gateway. In some situations, the remote user can then further compromise the ostensibly protected network.

Systems that use Remote Access VPNs or gateway-to-gateway VPNs are affected.

If Aggressive Mode IKE is implemented, a single packet can exploit this flaw. The vendor discourages the use of Aggressive Mode IKE because of inherent security limitations.

If IKE is used without Aggressive Mode, a remote user must initiate an IKE negotiation to exploit the flaw. Because the malformed packet will be encrypted as part of the IKE negotiation, the attack cannot be detected using intrusion signatures, the report said.
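The "boundary error" named below belongs to the class where an ASN.1 length field is trusted over the number of bytes actually received. The following bounds-checked DER tag-length-value decoder is an added illustration of the defensive check, not Check Point's code; the advisory does not describe the actual flawed routine, so this reproduces only the general pattern and assumes single-byte tags.

```c
/* Added illustration, not Check Point's code: decoding an ASN.1 DER
 * tag-length-value (TLV) header from an untrusted buffer.  The boundary
 * error class named in the advisory arises when an encoded length is
 * trusted without comparing it to the bytes actually received. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Returns the number of bytes the whole TLV spans (header plus value),
 * or 0 if the encoding is truncated, non-minimal, or overruns buflen. */
size_t der_tlv_span(const uint8_t *buf, size_t buflen,
                    size_t *value_off, size_t *value_len)
{
    size_t pos = 1, len;               /* pos 0 holds a single-byte tag */

    if (buflen < 2 || (buf[0] & 0x1f) == 0x1f)
        return 0;                      /* too short, or high-tag-number form */
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                   /* short form: length is the byte itself */
    } else {
        size_t nbytes = first & 0x7f;  /* long form: number of length octets */
        if (nbytes == 0 || nbytes > sizeof(size_t) || buflen - pos < nbytes)
            return 0;                  /* indefinite length, or length octets truncated */
        if (buf[pos] == 0 || (nbytes == 1 && buf[pos] < 0x80))
            return 0;                  /* DER requires the minimal encoding */
        for (len = 0; nbytes > 0; nbytes--)
            len = (len << 8) | buf[pos++];
    }
    if (len > buflen - pos)            /* the check a boundary error omits */
        return 0;
    *value_off = pos;
    *value_len = len;
    return pos + len;
}

/* Copy a TLV's value into a fixed-size destination, refusing to exceed
 * either the received buffer or the destination. Returns bytes copied,
 * or -1 when the element is malformed or too large for dst. */
int der_copy_value(const uint8_t *buf, size_t buflen,
                   uint8_t *dst, size_t dstcap)
{
    size_t off, len;
    if (der_tlv_span(buf, buflen, &off, &len) == 0 || len > dstcap)
        return -1;
    memcpy(dst, buf + off, len);
    return (int)len;
}
```

The same two checks (declared length against received bytes, and value length against destination capacity) apply to every nested element, so a real decoder repeats them at each level of the ASN.1 structure.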
Impact: A remote user can execute arbitrary code on the target system. In some situations, the remote user can then further compromise the ostensibly protected network.
Solution: The following Hotfix Accumulators (HFAs) and ASN.1 Hotfixes are available to correct this flaw:

Provider-1 NG with Application Intelligence R55 HFA-08:
Linux: http://www.checkpoint.com/techsupport/downloadApp/displayDownloads.jsp?the_product=Provider-1&version_selected=NG%20with%20Application%20Intelligence&os_selected=Linux&patchlevel_selected=R55%20-%20Hotfixes
SecurePlatform: http://www.checkpoint.com/techsupport/downloadApp/displayDownloads.jsp?the_product=Provider-1&version_selected=NG%20with%20Application%20Intelligence&os_selected=SecurePlatform&patchlevel_selected=R55%20-%20Hotfixes
Solaris: http://www.checkpoint.com/techsupport/downloadApp/displayDownloads.jsp?the_product=Provider-1&version_selected=NG%20with%20Application%20Intelligence&os_selected=Solaris%202.9&patchlevel_selected=R55%20-%20Hotfixes

Provider-1 NG with Application Intelligence R54 HFA-412:
Solaris: http://www.checkpoint.com/techsupport/downloadApp/displayDownloads.jsp?the_product=Provider-1&version_selected=NG%20with%20Application%20Intelligence&os_selected=Solaris%202.9&patchlevel_selected=R54%20-%20Hotfixes
Vendor URL: www.checkpoint.com/techsupport/alerts/asn1.html
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Solaris - SunOS)
Message History:
None.
Source Message Contents
Date: Wed, 28 Jul 2004 15:58:59 -0400
Subject: http://www.checkpoint.com/techsupport/alerts/asn1.html
http://www.checkpoint.com/techsupport/alerts/asn1.html
> ASN.1 Alert
>
> 28 Jul 2004
>
> An ASN.1 issue has been discovered affecting Check Point VPN-1 products during
> negotiations of a VPN tunnel which may cause a buffer overrun, potentially compromising
> the gateway. In certain circumstances, this compromise could allow further network
> compromise.
A remote user can send a malformed IKE packet to trigger a buffer overflow and execute arbitrary code on the gateway.

The following versions are not affected: VPN-1/FireWall-1 R55 HFA-08, R54 HFA-412, or VPN-1 SecuRemote/SecureClient R56 HF1.

If Aggressive Mode IKE is implemented, a single packet can exploit this flaw. The vendor discourages the use of Aggressive Mode IKE because of inherent security limitations.

If IKE is used without Aggressive Mode, a remote user must initiate an IKE negotiation to exploit the flaw. Because the malformed packet will be encrypted as part of the IKE negotiation, the attack cannot be detected using intrusion signatures, the report said.
The following Hotfix Accumulators (HFAs) and ASN.1 Hotfixes are available to correct this flaw (product, followed by the platforms or versions for which the fix is offered):

VPN-1/FireWall-1 NG with Application Intelligence R55W ASN.1 Hotfix: IPSO | Linux | SecurePlatform | Solaris | Windows
VPN-1/FireWall-1 NG with Application Intelligence R55 ASN.1 HF: IPSO 3.8 | Linux 3.0 (RHEL 3.0)
VPN-1/FireWall-1 NG with Application Intelligence R55 HFA-08: IPSO | Linux | SecurePlatform | Solaris | Windows
VPN-1/FireWall-1 NG with Application Intelligence R54 HFA-412: IPSO | Linux | SecurePlatform | Solaris | Windows
VPN-1/FireWall-1 Next Generation FP3 ASN.1 Hotfix: IPSO | Linux | SecurePlatform | Solaris | Windows
VPN-1 SecuRemote/SecureClient NG with Application Intelligence: R56 HF-01 | R55 HFA-03
Provider-1 NG with Application Intelligence R55 HFA-08: Linux | SecurePlatform | Solaris
Provider-1 NG with Application Intelligence R54 HFA-412: Solaris
FireWall-1 GX 2.5 ASN.1 Hotfix: IPSO | Linux | SecurePlatform | Solaris | Windows
FireWall-1 GX 2.0 ASN.1 Hotfix: IPSO | Linux | SecurePlatform | Solaris | Windows
SSL Network Extender: Linux | SecurePlatform | Solaris | Windows
VPN-1/FireWall-1 VSX NG with Application Intelligence Release 2 ASN.1 Hotfix: IPSO
VPN-1/FireWall-1 VSX NG with Application Intelligence ASN.1 Hotfix: SecurePlatform
VPN-1/FireWall-1 VSX 2.0.1 ASN.1 Hotfix: Linux | SecurePlatform