-- Corsaire Security Advisory --

Title: Sygate Secure Enterprise replay issue
Date: 20.11.03
Application: Sygate Secure Enterprise prior to 3.5MR3
Environment: Windows NT, 2000, 2003
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c031120-002


-- Scope --

The aim of this document is to clearly define an issue that exists with 
the Sygate Secure Enterprise (SSE) product [1] that will allow a remote 
attacker to exhaust resources on the server, potentially provoking a DoS 
condition. 


-- History --

Discovered: 20.11.03 (Martin O'Neal)
Vendor notified: 14.01.04
Document released: 10.8.04


-- Overview --

The Sygate Secure Enterprise (SSE) [2] provides "the necessary features 
required to scale policy management across the world's largest 
enterprises, driving individual and appropriate policies for up to 
hundreds of thousands of users". Part of this functionality is providing 
centralised logging functionality to both the Sygate Enforcer and Sygate 
Security Agent (SSA) products. 

In practise, the SSE uses HTTP to communicate with the SSA clients. 
These exchanges do not implement any form of replay protection, so an 
attacker can simply send repeated requests until all the resources on 
the host are exhausted.


-- Analysis --

The SSE product communicates with valid SSA clients via the HTTP 
protocol. These exchanges include a number of fields that are encrypted 
using a static key (that is common across all SSA clients). Some of 
these fields uniquely identify the SSA client instance, and others 
contain the actual data payload, such as log entries for centralised 
storage, or authentication sequences. 

As the key used to encrypt the data never changes, and the fields 
include no replay protection, all an attacker need do is to capture a 
valid protocol session, then replay it against the server repeatedly 
until the server exhausts all its resources.


-- Recommendations --

The SSE product should be upgraded to a version that is not susceptible 
to this issue.


-- Background --

This issue was discovered using a custom protocol analysis tool 
developed by Corsaire's security assessment team. This tool is not 
available publicly, but is an example of the specialist approach used by 
Corsaire's consultants as part of a commercial security assessment. To 
find out more about the cutting edge services provided by Corsaire 
simply visit our web site at http://www.corsaire.com


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2004-0163 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardises
names for security problems.


-- References --

[1] http://www.sygate.com
[2] http://www.sygate.com/products/enterprise_policy_management.htm


-- Revision --

a. Initial release.
b. Corrected grammatical errors.
c. Minor revisions.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 
http://www.penetration-testing.com 


Copyright 2004 Corsaire Limited. All rights reserved.