-- Corsaire Security Advisory --

Title: Sygate Enforcer unauthenticated broadcast issue
Date: 20.11.03
Application: Sygate Enforcer prior to 3.5MR1
Environment: Windows NT, 2000, 2003
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c031120-003


-- Scope --

The aim of this document is to clearly define an issue that exists with 
the Sygate Enforcer product [1] that will allow a remote attacker to 
pass broadcast traffic through the Enforcer prior to authentication. 


-- History --

Discovered: 20.11.03 (Martin O'Neal)
Vendor notified: 14.01.04
Document released: 10.8.04


-- Overview --

Sygate Enforcers are described as [2] "network gateway devices that 
enforce host integrity at network access points". Architecturally they 
function as an authenticated, packet-filtering firewall device. The 
Enforcer interacts with the Sygate Security Agent (SAA [the personal 
firewall component]) product and limits access to protected 
networks/hosts to authenticated clients that comply with a predefined 
policy. 

In practise, the Enforcer does not limit broadcast traffic (both local-
net and all-nets) from passing through prior to authentication, allowing 
hosts that are protected by the Enforcer to still be attacked.


-- Recommendations --

The Enforcer product should be upgraded to a version that is not 
susceptible to this issue.

If it is not possible to upgrade promptly, then it may be feasible to 
protect hosts that are not local to the Enforcer by reconfiguring router 
devices to not propagate broadcasts.


-- Background --

This issue was discovered using a custom protocol analysis tool 
developed by Corsaire's security assessment team. This tool is not 
available publicly, but is an example of the specialist approach used by 
Corsaire's consultants as part of a commercial security assessment. To 
find out more about the cutting edge services provided by Corsaire 
simply visit our web site at http://www.corsaire.com


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2004-0593 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardises
names for security problems.


-- References --

[1] http://www.sygate.com
[2] http://www.sygate.com/products/universal_enforcement.htm


-- Revision --

a. Initial release.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 
http://www.penetration-testing.com 


Copyright 2004 Corsaire Limited. All rights reserved.