what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Corsaire Security Advisory 2003-11-20.1

Corsaire Security Advisory 2003-11-20.1
Posted Aug 11, 2004
Authored by Martin O'Neal, Corsaire | Site corsaire.com

Corsaire Security Advisory - Sygate Enforcer 4.0 and prior releases are susceptible to a denial of service attack via malformed discovery packets.

tags | advisory, denial of service
advisories | CVE-2003-0931
SHA-256 | c0ffd3b2d0fc4b2f508557dda3a080b8daea38175bc4d73cf4d1a38f69678dee

Corsaire Security Advisory 2003-11-20.1

Change Mirror Download

-- Corsaire Security Advisory --

Title: Sygate Enforcer discovery packet DoS issue
Date: 20.11.03
Application: Sygate Enforcer 4.0 and prior
Environment: Windows NT, 2000, 2003
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c031120-001


-- Scope --

The aim of this document is to clearly define an issue that exists with
the Sygate Enforcer product [1] that will allow a remote attacker to
provoke a DoS condition.


-- History --

Discovered: 20.11.03 (Martin O'Neal)
Vendor notified: 14.01.04
Document released: 10.8.04


-- Overview --

Sygate Enforcers are described as [2] "network gateway devices that
enforce host integrity at network access points". Architecturally they
function as an authenticated, packet-filtering firewall device. The
Enforcer interacts with the Sygate Security Agent (SAA [the personal
firewall component]) product and limits access to protected
networks/hosts to authenticated clients that comply with a predefined
policy.

In practise, the Enforcer device uses a number of proprietary protocol
exchanges to communicate with other Enforcers and also the SAA product.
By sending a packet containing a malformed payload to the Enforcer, the
host service can be forced to stop responding.


-- Analysis --

The Sygate Enforcer product sends a discovery packet at one-second
intervals on all interfaces that have IP bound to them. The packet is a
UDP datagram, from source port 39999 to destination port 39999, and is
sent to the local subnet broadcast address.

If this packet is malformed and replayed to the Enforcer, it will cause
the Enforcer service to stop unexpectedly, without generating an entry
within the product's audit trail.

It is worth noting that the packet that is replayed does not need to be
sent to the local subnet broadcast address, and can be happily sent to
any valid unicast address associated with the Enforcer. This means that
the attacker does not need to be local to the Enforcer to exploit this
issue.


-- Recommendations --

The Enforcer product should be upgraded to a version that is not
susceptible to this issue.


-- Background --

This issue was discovered using a custom protocol analysis tool
developed by Corsaire's security assessment team. This tool is not
available publicly, but is an example of the specialist approach used by
Corsaire's consultants as part of a commercial security assessment. To
find out more about the cutting edge services provided by Corsaire
simply visit our web site at http://www.corsaire.com


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0931 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardises
names for security problems.


-- References --

[1] http://www.sygate.com
[2] http://www.sygate.com/products/universal_enforcement.htm


-- Revision --

a. Initial release.
b. Minor revisions.


-- Distribution --

This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.

A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com


Copyright 2004 Corsaire Limited. All rights reserved.



Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close