[OT] Check Point VPN-1 ISAKMP Buffer Overflow Vulnerability

05/02/2004 - 11:47 by Javier Inglés [MS MVP]
TITLE:
Check Point VPN-1 ISAKMP Buffer Overflow Vulnerability

SECUNIA ADVISORY ID:
SA10795

VERIFY ADVISORY:
http://www.secunia.com/advisories/10795/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Check Point VPN-1 SecureClient
Check Point VPN-1 SecuRemote
Check Point VPN-1 Server 4.x

DESCRIPTION:
Mark Dowd and Neel Mehta of ISS X-Force have discovered a
vulnerability in Check Point VPN-1 Server and VPN clients,
which can be exploited by malicious people to compromise a
vulnerable system.

The vulnerability is caused due to a boundary error in the
ISAKMP processing during authentication. This can be
exploited to cause a buffer overflow by sending packets
with an extremely large "Certificate Request" payload,
which may allow execution of arbitrary code with SYSTEM or
root privileges.

The following products are reportedly affected:
* Check Point VPN-1 Server 4.1 up to and including SP6
with OpenSSL Hotfix
* Check Point SecuRemote/SecureClient 4.1 up to and
including build 4200

SOLUTION:
Check Point no longer supports the affected versions and
therefore advises customers to upgrade to the NG versions
of the products.

PROVIDED AND/OR DISCOVERED BY:
Mark Dowd and Neel Mehta, ISS X-Force.

ORIGINAL ADVISORY:
ISS X-Force:
http://xforce.iss.net/xforce/alerts/id/163


About:
This Advisory was delivered by Secunia as a free service
to help everybody keep their systems up to date against
the latest vulnerabilities.

Subscribe:
http://www.secunia.com/secunia_secu...dvisories/

Definitions: (Criticality, Where etc.)
http://www.secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you
receive by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party
patches, only use those supplied by the vendor.


Regards!!
Javier Inglés
MS MVP
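
The advisory above attributes the flaw to a boundary error when an oversized "Certificate Request" payload is processed. As an added illustration (not part of the original post, the advisory, or Check Point's code), this C example walks an ISAKMP payload chain using the RFC 2408 layout and checks every declared length against the bytes actually received. The names `isakmp_check` and `check_with_cr_len`, the `max_cr` policy cap and the sample packet are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28   /* RFC 2408 fixed header */
#define PAYLOAD_HDR_LEN 4   /* next payload, reserved, 16-bit length */
#define PT_CERT_REQ 7       /* Certificate Request payload type */
enum { ISAKMP_OK = 0, ISAKMP_TRUNCATED = -1, ISAKMP_BAD_LEN = -2, ISAKMP_CR_TOO_BIG = -3 };

/* Walk the cleartext payload chain. Each length is validated against the
 * datagram before it is used. max_cr is a local policy cap (assumption),
 * not a protocol constant. */
int isakmp_check(const uint8_t *p, size_t n, size_t max_cr)
{
    if (n < ISAKMP_HDR_LEN) return ISAKMP_TRUNCATED;
    uint32_t total = (uint32_t)p[24] << 24 | (uint32_t)p[25] << 16 | (uint32_t)p[26] << 8 | p[27];
    if (total < ISAKMP_HDR_LEN || total > n) return ISAKMP_BAD_LEN;
    if (p[19] & 0x01) return ISAKMP_OK;   /* E flag set: body is encrypted, cannot be walked */
    uint8_t type = p[16];                 /* first payload type */
    size_t off = ISAKMP_HDR_LEN;
    while (type != 0) {
        if (total - off < PAYLOAD_HDR_LEN) return ISAKMP_BAD_LEN;
        size_t len = (size_t)p[off + 2] << 8 | p[off + 3];
        if (len < PAYLOAD_HDR_LEN || len > total - off) return ISAKMP_BAD_LEN;
        if (type == PT_CERT_REQ && len - PAYLOAD_HDR_LEN > max_cr) return ISAKMP_CR_TOO_BIG;
        type = p[off];                    /* type of the following payload */
        off += len;
    }
    return ISAKMP_OK;
}

/* Constructed sample: aggressive-mode header plus one Certificate Request. */
static const uint8_t sample[36] = {
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,    /* initiator / responder cookies */
    PT_CERT_REQ, 0x10, 4, 0x00,          /* next payload, version, exchange type, flags */
    0,0,0,0,  0,0,0,36,                  /* message ID, total length */
    0, 0, 0, 8,                          /* CR header: next=none, reserved, length=8 */
    4, 'C', 'A', '1'                     /* cert type 4 (X.509 signature), CA bytes */
};

/* Re-check the sample with a different declared Certificate Request length. */
int check_with_cr_len(uint16_t declared, size_t max_cr)
{
    uint8_t pkt[sizeof sample];
    memcpy(pkt, sample, sizeof pkt);
    pkt[30] = (uint8_t)(declared >> 8);
    pkt[31] = (uint8_t)(declared & 0xff);
    return isakmp_check(pkt, sizeof pkt, max_cr);
}

int main(void) { printf("%d %d\n", check_with_cr_len(8, 1024), check_with_cr_len(0xFFFF, 1024)); return 0; }
```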
 


#1 Ivan [MS MVP]
05/02/2004 - 12:00
It happens everywhere. ;-)

Regards.
Ivan
MS MVP ISA Server

