IRM Security Advisory 11

Posted Apr 18, 2005
Authored by IRM Research, IRM Advisories | Site irmplc.com

IRM Security Advisory 011 - Sygate Security Agent (Sygate Secure Enterprise) Denial of Service - A flaw in the policy management component allows malicious users to configure the firewall to use a nonexistent policy, thereby causing a Denial of Service condition.

tags | advisory, denial of service
SHA-256 | 72d952c4b7b042946ac30effd501092f3529e35e766c45c48cb4373b4981cc38

IRM Security Advisory No. 011

Sygate Security Agent (Sygate Secure Enterprise) Denial of Service

Problem Discovered: January 24th 2005
Vendor contacted: March 8th 2005
Advisory published: April 11th 2005


Abstract
--------
Sygate Secure Enterprise includes a Security Agent (SSA), a component
that runs on a client system alongside the policy management and
enforcement servers inside a network.

The Sygate Agent incorporates a 'stateful' firewall, where it applies a
rule-based security policy and controls application usage. The agent
also has an intrusion prevention engine which can detect port scanning
and different types of known attacks. Additionally, it can verify the
security status of a client, including the status of executables,
Anti-Virus, firewall, etc.

During a recent security assessment of a laptop build, IRM identified a
security issue associated with SSA. A non-privileged user is able to
export the security policy file and make a simple modification. The file
can then be imported back, which results in the agent 'failing open' on
next restart.

Description
-----------
The SSA security policy file is an XML file which can be exported by a
non-privileged user and then imported back. It is therefore possible to
change certain settings in the policy file, for instance trusted IP
addresses or DNS names. Additionally, it is possible to change the name
of the default policy location to one that does not exist. When SSA is
closed gracefully during system shutdown, the imported policy is saved
and also copied to the backup, so both copies carry a nonexistent
'DefaultLocation'. When SSA starts up again, the policy is loaded and,
upon switching to the DefaultLocation, the agent throws an exception and
fails.
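
The check that is missing at import time, and a start-up path that fails
closed rather than open, as an added example (not IRM's or Sygate's
code). Apart from 'DefaultLocation', the XML element and attribute
names, the deny-all fallback and the function names are assumptions; the
advisory does not give the policy schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies. Element and attribute names other than
# 'DefaultLocation' are hypothetical; the advisory does not give the schema.
GOOD_POLICY = """<Policy DefaultLocation="Office">
  <Location name="Office"><Rule action="block" port="445"/></Location>
  <Location name="Home"><Rule action="block" port="139"/></Location>
</Policy>"""
DANGLING_POLICY = GOOD_POLICY.replace('DefaultLocation="Office"',
                                      'DefaultLocation="Nowhere"')

# Deny-all policy enforced when nothing valid can be loaded (fail closed).
DENY_ALL = {"default": "LockedDown", "locations": {"LockedDown": [("block", "*")]}}

class PolicyError(ValueError):
    """Raised when a policy file must not be accepted."""

def parse_policy(xml_text):
    """Parse a policy and verify DefaultLocation names a defined location."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise PolicyError(f"malformed policy XML: {exc}") from exc
    locations = {}
    for loc in root.findall("Location"):
        name = loc.get("name")
        if not name or name in locations:
            raise PolicyError(f"missing or duplicate location name: {name!r}")
        locations[name] = [(r.get("action"), r.get("port")) for r in loc.findall("Rule")]
    default = root.get("DefaultLocation")
    if default not in locations:
        raise PolicyError(f"DefaultLocation {default!r} is not a defined location")
    return {"default": default, "locations": locations}

def import_policy(current, candidate_xml):
    """Import-time check: keep the current policy if the candidate is invalid."""
    try:
        return parse_policy(candidate_xml), True
    except PolicyError:
        return current, False

def load_at_startup(saved_xml, backup_xml):
    """Start-up: try saved, then backup; enforce deny-all if both are bad."""
    for text in (saved_xml, backup_xml):
        try:
            return parse_policy(text)
        except PolicyError:
            continue
    return DENY_ALL
```

Rejecting the file in import_policy keeps a bad policy from ever reaching
the saved and backup copies; load_at_startup covers the case the
advisory describes, where both copies are already invalid.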

Affected Versions
-----------------
SSA running in 'Server Control' or 'Power User' Modes:

* SSA version 3.5
* SSA version 4.0
* SSA version 4.1

Unaffected Versions
-------------------

* SSA in client mode (any version)
* Sygate Personal Firewall (Standard and Pro versions)

Vendor & Patch Information
--------------------------
Sygate were contacted and immediately started investigating the issue.
When the vulnerability was confirmed, a new build was released. Users
are required to upgrade to the latest builds for each version:

* SSA3.5 build 2580
* SSA4.0 build 2715
* SSA4.1 build 2827

These are available from Sygate's website (http://www.sygate.com).

Workarounds
-----------
Enable password protection for SSA export/import function (this is not
the default setting for SSA running in 'Server Control' or 'Power User'
Modes).

Credits
-------
Research & Advisory: Mazin Faour.

Disclaimer
----------
All information in this advisory is provided on an 'as is' basis in the
hope that it will be useful. Information Risk Management Plc is not
responsible for any risks or occurrences caused by the application of
this information.