-- Corsaire Security Advisory -- Title: Sygate Enforcer discovery packet DoS issue Date: 20.11.03 Application: Sygate Enforcer 4.0 and prior Environment: Windows NT, 2000, 2003 Author: Martin O'Neal [martin.oneal@corsaire.com] Audience: General distribution Reference: c031120-001 -- Scope -- The aim of this document is to clearly define an issue that exists with the Sygate Enforcer product [1] that will allow a remote attacker to provoke a DoS condition. -- History -- Discovered: 20.11.03 (Martin O'Neal) Vendor notified: 14.01.04 Document released: 10.8.04 -- Overview -- Sygate Enforcers are described as [2] "network gateway devices that enforce host integrity at network access points". Architecturally they function as an authenticated, packet-filtering firewall device. The Enforcer interacts with the Sygate Security Agent (SAA [the personal firewall component]) product and limits access to protected networks/hosts to authenticated clients that comply with a predefined policy. In practise, the Enforcer device uses a number of proprietary protocol exchanges to communicate with other Enforcers and also the SAA product. By sending a packet containing a malformed payload to the Enforcer, the host service can be forced to stop responding. -- Analysis -- The Sygate Enforcer product sends a discovery packet at one-second intervals on all interfaces that have IP bound to them. The packet is a UDP datagram, from source port 39999 to destination port 39999, and is sent to the local subnet broadcast address. If this packet is malformed and replayed to the Enforcer, it will cause the Enforcer service to stop unexpectedly, without generating an entry within the product's audit trail. It is worth noting that the packet that is replayed does not need to be sent to the local subnet broadcast address, and can be happily sent to any valid unicast address associated with the Enforcer. This means that the attacker does not need to be local to the Enforcer to exploit this issue. -- Recommendations -- The Enforcer product should be upgraded to a version that is not susceptible to this issue. -- Background -- This issue was discovered using a custom protocol analysis tool developed by Corsaire's security assessment team. This tool is not available publicly, but is an example of the specialist approach used by Corsaire's consultants as part of a commercial security assessment. To find out more about the cutting edge services provided by Corsaire simply visit our web site at http://www.corsaire.com -- CVE -- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0931 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardises names for security problems. -- References -- [1] http://www.sygate.com [2] http://www.sygate.com/products/universal_enforcement.htm -- Revision -- a. Initial release. b. Minor revisions. -- Distribution -- This security advisory may be freely distributed, provided that it remains unaltered and in its original form. -- Disclaimer -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. -- About Corsaire -- Corsaire are a leading information security consultancy, founded in 1997 in Guildford, Surrey, UK. Corsaire bring innovation, integrity and analytical rigour to every job, which means fast and dramatic security performance improvements. Our services centre on the delivery of information security planning, assessment, implementation, management and vulnerability research. A free guide to selecting a security assessment supplier is available at http://www.penetration-testing.com Copyright 2004 Corsaire Limited. All rights reserved.