SecurityTracker
Archives
Category:   Application (VPN)  >   Provider-1
Vendors:   Check Point
Check Point Provider-1 IKE ASN.1 Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010799
SecurityTracker URL:  http://securitytracker.com/id/1010799
CVE Reference:   CVE-2004-0699
Updated:  Aug 2 2004
Original Entry Date:  Jul 28 2004
Impact:   Execution of arbitrary code via network, Host/resource access via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): R55 Prior to HFA-08, R54 Prior to HFA-412
Description:   A buffer overflow vulnerability was reported in Check Point Provider-1 in the processing of IKE packets with ASN.1 encoded values. A remote user can execute arbitrary code on the target system.

Check Point reported that a remote user can send a malformed IKE packet to trigger a buffer overflow and execute arbitrary code on the gateway. In some situations, the remote user can then further compromise the ostensibly protected network.

Systems that use Remote Access VPNs or gateway-to-gateway VPNs are affected.

If Aggressive Mode IKE is implemented, a single packet can exploit this flaw. The vendor discourages the use of Aggressive Mode IKE because of inherent security limitations.

If IKE is used without Aggressive Mode, a remote user must initiate an IKE negotiation to exploit the flaw. Because the malformed packet will be encrypted as part of the IKE negotiation, the attack cannot be detected using intrusion signatures, the report said.
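The flaw class here is a length field inside an ASN.1 element that the decoder trusts without comparing it to the number of bytes actually received. The C below is an added illustration written for this page, not Check Point's code: a hypothetical DER tag-length-value reader that applies the bounds checks a hardened IKE/ASN.1 decoder needs, rejecting lengths that exceed the buffer, truncated or indefinite lengths, and non-minimal long-form encodings.

```c
#include <stddef.h>
#include <stdint.h>

/* Parse one DER tag-length-value header from buf[0..len).
 * Returns 0 and sets *hdr_len (tag + length octets) and *val_len
 * (declared content length) only if the whole element fits inside
 * the buffer; returns -1 on malformed or truncated input.
 * Hypothetical helper written for this page, not vendor code. */
static int der_read_tlv(const uint8_t *buf, size_t len,
                        size_t *hdr_len, size_t *val_len)
{
    if (buf == NULL || len < 2)        /* need at least tag + length */
        return -1;
    size_t pos = 1;                    /* single-octet tags only */
    uint8_t first = buf[pos++];
    size_t vlen;
    if (first < 0x80) {
        vlen = first;                  /* short form */
    } else {
        size_t n = first & 0x7F;       /* long form: n length octets */
        if (n == 0 || n > sizeof(size_t))
            return -1;                 /* indefinite or oversized length */
        if (n > len - pos)
            return -1;                 /* length octets themselves truncated */
        vlen = 0;
        for (size_t i = 0; i < n; i++)
            vlen = (vlen << 8) | buf[pos++];
        if (vlen < 0x80)
            return -1;                 /* long form must encode >= 0x80 (DER) */
    }
    /* The check whose absence lets a forged length field drive a copy
     * past the end of the receive buffer. */
    if (vlen > len - pos)
        return -1;
    *hdr_len = pos;
    *val_len = vlen;
    return 0;
}

/* Declared content length of the first element, or -1 if rejected. */
static long der_value_len(const uint8_t *buf, size_t len)
{
    size_t hdr, vlen;
    return der_read_tlv(buf, len, &hdr, &vlen) == 0 ? (long)vlen : -1;
}
```

The constructed inputs in the test are a well-formed SEQUENCE, an element claiming 65535 content bytes when one is present, an indefinite-length header, a truncated long-form length, and a short form that overruns the buffer.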

Impact:   A remote user can execute arbitrary code on the target system. In some situations, the remote user can then further compromise the ostensibly protected network.
Solution:   The following Hotfix Accumulators (HFAs) and ASN.1 Hotfixes are available to correct this flaw:

Provider-1 NG with Application Intelligence R55 HFA-08:

Linux:

http://www.checkpoint.com/techsupport/downloadApp/displayDownloads.jsp?the_product=Provider-1&version_selected=NG%20with%20Application%20Intelligence&os_selected=Linux&patchlevel_selected=R55%20-%20Hotfixes

SecurePlatform:

http://www.checkpoint.com/techsupport/downloadApp/displayDownloads.jsp?the_product=Provider-1&version_selected=NG%20with%20Application%20Intelligence&os_selected=SecurePlatform&patchlevel_selected=R55%20-%20Hotfixes

Solaris:

http://www.checkpoint.com/techsupport/downloadApp/displayDownloads.jsp?the_product=Provider-1&version_selected=NG%20with%20Application%20Intelligence&os_selected=Solaris%202.9&patchlevel_selected=R55%20-%20Hotfixes


Provider-1 NG with Application Intelligence R54 HFA-412:

Solaris:

http://www.checkpoint.com/techsupport/downloadApp/displayDownloads.jsp?the_product=Provider-1&version_selected=NG%20with%20Application%20Intelligence&os_selected=Solaris%202.9&patchlevel_selected=R54%20-%20Hotfixes

Vendor URL:  www.checkpoint.com/techsupport/alerts/asn1.html
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS)

Message History:   None.


 Source Message Contents

Subject:  http://www.checkpoint.com/techsupport/alerts/asn1.html


http://www.checkpoint.com/techsupport/alerts/asn1.html

 > ASN.1 Alert
 >
 > 28 Jul 2004
 >
 > An ASN.1 issue has been discovered affecting Check Point VPN-1 products during
 > negotiations of a VPN tunnel which may cause a buffer overrun, potentially compromising
 > the gateway. In certain circumstances, this compromise could allow further network
 > compromise.

A remote user can send a malformed IKE packet to trigger a buffer overflow and execute arbitrary code on the gateway.

The following versions are not affected: VPN-1/FireWall-1 R55 HFA-08, R54 HFA-412, or VPN-1 SecuRemote/SecureClient R56 HF1.

If Aggressive Mode IKE is implemented, a single packet can exploit this flaw. The vendor discourages the use of Aggressive Mode IKE because of inherent security limitations.

If IKE is used without Aggressive Mode, a remote user must initiate an IKE negotiation to exploit the flaw. Because the malformed packet will be encrypted as part of the IKE negotiation, the attack cannot be detected using intrusion signatures, the report said.

The following Hotfix Accumulators (HFAs) and ASN.1 Hotfixes are available to correct this flaw:

VPN-1/FireWall-1 NG with Application Intelligence R55W
ASN.1 Hotfix
IPSO | Linux | SecurePlatform | Solaris | Windows

VPN-1/FireWall-1 NG with Application Intelligence R55 ASN.1 HF
IPSO 3.8 | Linux 3.0 (RHEL 3.0)

VPN-1/FireWall-1 NG with Application Intelligence R55 HFA-08
IPSO | Linux | SecurePlatform | Solaris | Windows

VPN-1/FireWall-1 NG with Application Intelligence R54 HFA-412
IPSO | Linux | SecurePlatform | Solaris | Windows

VPN-1/FireWall-1 Next Generation FP3 ASN.1 Hotfix
IPSO | Linux | SecurePlatform | Solaris | Windows

VPN-1 SecuRemote/SecureClient NG with Application Intelligence
R56 HF-01 | R55 HFA-03

Provider-1 NG with Application Intelligence R55 HFA-08
Linux | SecurePlatform | Solaris

Provider-1 NG with Application Intelligence R54 HFA-412
Solaris

FireWall-1 GX 2.5 ASN.1 Hotfix
IPSO | Linux | SecurePlatform | Solaris | Windows

FireWall-1 GX 2.0 ASN.1 Hotfix
IPSO | Linux | SecurePlatform | Solaris | Windows

SSL Network Extender
Linux | SecurePlatform | Solaris | Windows

VPN-1/FireWall-1 VSX NG with Application Intelligence
Release 2 ASN.1 Hotfix
IPSO

VPN-1/FireWall-1 VSX NG with Application Intelligence ASN.1 Hotfix
SecurePlatform

VPN-1/FireWall-1 VSX 2.0.1 ASN.1 Hotfix
Linux | SecurePlatform

Copyright 2020, SecurityGlobal.net LLC