Advisories
Internet Security Systems Security Advisory February 4, 2004
Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow
Synopsis:
ISS X-Force has discovered a flaw in the ISAKMP processing for both the
Checkpoint VPN-1 server and Checkpoint VPN clients (Securemote/
SecureClient). These products collaborate to provide VPN access to
corporate networks for remote client computers. VPN-1 is the VPN component
commonly deployed on Checkpoint Firewall-1 installations. The IKE
component of these products allows for the unidirectional or bidirectional
authentication of two remote nodes as well as the negotiation of
cryptographic capabilities and keys. A buffer overflow vulnerability
exists when attempting to handle large certificate payloads.
Impact:
A remote attacker may exploit this flaw to remotely compromise any VPN-1 server and/or client system running SecureClient/SecureClient. X-Force has developed functional exploit code for this vulnerability and has demonstrated successful attacks using real-world scenarios. Successful compromise of the VPN-1 server can lead directly to complete compromise of the entire Checkpoint Firewall-1 server.
Remote attackers can leverage this attack to successfully compromise heavily hardened networks by modifying or tampering with the firewall rules and configuration. Attackers will be able to run commands under the security context of the super-user, usually "SYSTEM", or "root". Any properly configured Firewall-1 among the affected versions with VPN support is vulnerable to this attack by default.
In addition, affected versions of VPN-1 SecureRemote / SecureClient are vulnerable to complete remote compromise, expanding exposure to remote VPN clients.
Affected Versions:
Checkpoint VPN-1 Server 4.1 up to and including SP6 with OpenSSL Hotfix Checkpoint SecuRemote/SecureClient 4.1 up to and including build 4200
Description:
Internet Key Exchange (IKE) is used to negotiate and exchange keys for encrypted transport or tunneling of network traffic over a Virtual Private Network (VPN). The network protocol used to facilitate this exchange is the Internet Security Association and Key Management Protocol (ISAKMP). The affected versions of Checkpoint’s VPN implementation contain a critical flaw which may expose protected network segments to remote attack.
A vulnerability exists when handling ISAKMP packets with large Certificate Request payloads. This can be triggered by a remote unauthenticated attacker during the initial phases of an IKE negotiation. It is not necessary to impersonate a known VPN server to exploit client systems, and VPN servers are equally vulnerable. As this attack does not require any interaction with the target system, it can be performed via UDP with a spoofed source address concealing the identity of an attacker.
The vulnerability exists in code intended to process certificate requests received from a remote host. Adequate bounds-checking is not performed and a simple stack overflow can be triggered. It is believed to be trivial to leverage this vulnerability to achieve reliable remote code execution.
Recommendations:
For immediate vulnerability remediation, Internet Security Systems
will provide the following protection updates for its Proventia network
protection products.
Proventia M Series 1.7: ISAKMP_Certificate_Request_Overflow_ -
(http://xforce.iss.net/xforce/xfdb/14150)
Proventia G Series 22.9: ISAKMP_Certificate_Request_Overflow_ -
(http://xforce.iss.net/xforce/xfdb/14150)
Proventia A Series 22.9: ISAKMP_Certificate_Request_Overflow_ -
(http://xforce.iss.net/xforce/xfdb/14150)
RealSecure Network 22.9: ISAKMP_Certificate_Request_Overflow -
(http://xforce.iss.net/xforce/xfdb/14150)
All updates listed above will be available from the ISS Download center shortly: http://www.iss.net/download
There is no effective workaround for this vulnerability. Upgrading to the
NG versions of VPN-1 Server and SecureRemote/Client will remove this
vulnerability.
Checkpoint no longer supports the versions of VPN-1 and SecureRemote/ SecureClient affected by this vulnerability. Checkpoint recommends that all affected users upgrade to Firewall-1 NG FP1 or greater.
Vendor Notification Schedule:
Vendor notified – 2/2/2004 Checkpoint patch developed and made available – 2/4/2004 ISS X-Force Advisory released – 2/4/2004
ISS X-Force published this Security Advisory in coordination with the affected vendor in accordance to our published Vulnerability Disclosure Guidelines, available at the following address:
http://documents.iss.net/literature/vulnerability_guidelines.pdf
Additional Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0040 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Credit:
This vulnerability was discovered and researched by Mark Dowd and Neel Mehta of the ISS X-Force.
______
About Internet Security Systems (ISS) Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.
Copyright (c) 2004 Internet Security Systems, Inc. All rights reserved worldwide.
This document is not to be edited or altered in any way without the express written consent of Internet Security Systems, Inc. If you wish to reprint the whole or any part of this document, please email
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws.
Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php Please send suggestions, updates, and comments to: X-Force
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>of Internet Security Systems, Inc.
--
Mit freundlichen Grüssen
Olaf Hahn Datennetzdienste/Security QSC AG
Mathias-Brüggen-Str. 55 50829 Köln Phone: +49 221 6698-443 Fax: +49 221 6698-409 E-Mail: [EMAIL PROTECTED]
Internet: http://www.qsc.de
************************************
Paranoid zu sein heisst nicht, dass nicht doch jemand hinter einem steht
************************************
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html