exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Corsaire Security Advisory 2003-11-20.2

Corsaire Security Advisory 2003-11-20.2
Posted Aug 11, 2004
Authored by Martin O'Neal, Corsaire | Site corsaire.com

Corsaire Security Advisory - Sygate Secure Enterprise versions prior to 3.5MR3 are susceptible to a replay attack that allows for resource exhaustion.

tags | advisory
advisories | CVE-2004-0163
SHA-256 | 9518fde350500d8f1f17561d136500ea61cea2c37c0fb9f6ff05042d4ef28006

Corsaire Security Advisory 2003-11-20.2

Change Mirror Download

-- Corsaire Security Advisory --

Title: Sygate Secure Enterprise replay issue
Date: 20.11.03
Application: Sygate Secure Enterprise prior to 3.5MR3
Environment: Windows NT, 2000, 2003
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c031120-002


-- Scope --

The aim of this document is to clearly define an issue that exists with
the Sygate Secure Enterprise (SSE) product [1] that will allow a remote
attacker to exhaust resources on the server, potentially provoking a DoS
condition.


-- History --

Discovered: 20.11.03 (Martin O'Neal)
Vendor notified: 14.01.04
Document released: 10.8.04


-- Overview --

The Sygate Secure Enterprise (SSE) [2] provides "the necessary features
required to scale policy management across the world's largest
enterprises, driving individual and appropriate policies for up to
hundreds of thousands of users". Part of this functionality is providing
centralised logging functionality to both the Sygate Enforcer and Sygate
Security Agent (SSA) products.

In practise, the SSE uses HTTP to communicate with the SSA clients.
These exchanges do not implement any form of replay protection, so an
attacker can simply send repeated requests until all the resources on
the host are exhausted.


-- Analysis --

The SSE product communicates with valid SSA clients via the HTTP
protocol. These exchanges include a number of fields that are encrypted
using a static key (that is common across all SSA clients). Some of
these fields uniquely identify the SSA client instance, and others
contain the actual data payload, such as log entries for centralised
storage, or authentication sequences.

As the key used to encrypt the data never changes, and the fields
include no replay protection, all an attacker need do is to capture a
valid protocol session, then replay it against the server repeatedly
until the server exhausts all its resources.


-- Recommendations --

The SSE product should be upgraded to a version that is not susceptible
to this issue.


-- Background --

This issue was discovered using a custom protocol analysis tool
developed by Corsaire's security assessment team. This tool is not
available publicly, but is an example of the specialist approach used by
Corsaire's consultants as part of a commercial security assessment. To
find out more about the cutting edge services provided by Corsaire
simply visit our web site at http://www.corsaire.com


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2004-0163 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardises
names for security problems.


-- References --

[1] http://www.sygate.com
[2] http://www.sygate.com/products/enterprise_policy_management.htm


-- Revision --

a. Initial release.
b. Corrected grammatical errors.
c. Minor revisions.


-- Distribution --

This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.

A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com


Copyright 2004 Corsaire Limited. All rights reserved.



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close