lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: olaf.hahn at (Olaf Hahn)
Subject: Buffer Overflow in ISAKMP-Process at Checkpoint VPN-1 (the VPN component
 commonly deployed on Checkpoint Firewall-1 installations)


Internet Security Systems Security Advisory
February 4, 2004

Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow

ISS X-Force has discovered a flaw in the ISAKMP processing for both the
Checkpoint VPN-1 server and Checkpoint VPN clients (Securemote/
SecureClient). These products collaborate to provide VPN access to
corporate networks for remote client computers. VPN-1 is the VPN component
commonly deployed on Checkpoint Firewall-1 installations. The IKE
component of these products allows for the unidirectional or bidirectional
authentication of two remote nodes as well as the negotiation of
cryptographic capabilities and keys. A buffer overflow vulnerability
exists when attempting to handle large certificate payloads. 


A remote attacker may exploit this flaw to remotely compromise any VPN-1
server and/or client system running SecureClient/SecureClient. X-Force has
developed functional exploit code for this vulnerability and has
demonstrated successful attacks using real-world scenarios. Successful
compromise of the VPN-1 server can lead directly to complete compromise of
the entire Checkpoint Firewall-1 server.

Remote attackers can leverage this attack to successfully compromise
heavily hardened networks by modifying or tampering with the firewall
rules and configuration. Attackers will be able to run commands under the
security context of the super-user, usually "SYSTEM", or "root". Any
properly configured Firewall-1 among the affected versions with VPN
support is vulnerable to this attack by default.

In addition, affected versions of VPN-1 SecureRemote / SecureClient are
vulnerable to complete remote compromise, expanding exposure to remote
VPN clients.

Affected Versions:

Checkpoint VPN-1 Server 4.1 up to and including SP6 with OpenSSL Hotfix
Checkpoint SecuRemote/SecureClient 4.1 up to and including build 4200


Internet Key Exchange (IKE) is used to negotiate and exchange keys for
encrypted transport or tunneling of network traffic over a Virtual Private
Network (VPN). The network protocol used to facilitate this exchange is
the Internet Security Association and Key Management Protocol (ISAKMP).
The affected versions of Checkpoint?s VPN implementation contain a
critical flaw which may expose protected network segments to remote

A vulnerability exists when handling ISAKMP packets with large
Certificate Request payloads. This can be triggered by a remote
unauthenticated attacker during the initial phases of an IKE negotiation.
It is not necessary to impersonate a known VPN server to exploit client
systems, and VPN servers are equally vulnerable. As this attack does not
require any interaction with the target system, it can be performed via
UDP with a spoofed source address concealing the identity of an attacker.

The vulnerability exists in code intended to process certificate requests
received from a remote host. Adequate bounds-checking is not performed
and a simple stack overflow can be triggered. It is believed to be trivial
to leverage this vulnerability to achieve reliable remote code execution.


For immediate vulnerability remediation, Internet Security Systems
will provide the following protection updates for its Proventia network
protection products. 

Proventia M Series 1.7: ISAKMP_Certificate_Request_Overflow_ -

Proventia G Series 22.9: ISAKMP_Certificate_Request_Overflow_ -

Proventia A Series 22.9: ISAKMP_Certificate_Request_Overflow_ -

RealSecure Network 22.9: ISAKMP_Certificate_Request_Overflow -

All updates listed above will be available from the ISS Download
center shortly:
There is no effective workaround for this vulnerability. Upgrading to the
NG versions of VPN-1 Server and SecureRemote/Client will remove this

Checkpoint no longer supports the versions of VPN-1 and SecureRemote/
SecureClient affected by this vulnerability. Checkpoint recommends that
all affected users upgrade to Firewall-1 NG FP1 or greater.

Vendor Notification Schedule:

Vendor notified ? 2/2/2004
Checkpoint patch developed and made available ? 2/4/2004
ISS X-Force Advisory released ? 2/4/2004

ISS X-Force published this Security Advisory in coordination with the
affected vendor in accordance to our published Vulnerability Disclosure
Guidelines, available at the following address:

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2004-0040 to this issue. This is a candidate for inclusion in the CVE
list (, which standardizes names for security problems.


This vulnerability was discovered and researched by Mark Dowd and Neel
Mehta of the ISS X-Force.


About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2004 Internet Security Systems, Inc. All rights reserved

This document is not to be edited or altered in any way without the
express written consent of Internet Security Systems, Inc. If you wish
to reprint the whole or any part of this document, please email  <>for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws. 

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and's key
server, as well as at
Please send suggestions, updates, and comments to: X-Force  <>of Internet Security Systems, Inc. 


Mit freundlichen Gr?ssen 

Olaf Hahn 

Mathias-Br?ggen-Str. 55 
50829 K?ln 
Phone: +49 221 6698-443 
Fax: +49 221 6698-409 

Paranoid zu sein heisst nicht, dass 
nicht doch jemand hinter einem steht

Powered by blists - more mailing lists