IRM Security Advisory No. 011

Sygate Security Agent (Sygate Secure Enterprise) Denial of Service

Problem Discovered: January 24th 2005
Vendor contacted: March 8th 2005
Advisory published: April 11th 2005

Abstract
--------
Sygate Secure Enterprise includes a Security Agent (SSA) that runs on a client system as one of its components, alongside policy management and enforcement servers inside a network. The Sygate Agent incorporates a 'stateful' firewall, which applies a rule-based security policy and controls application usage. The agent also has an intrusion prevention engine which can detect port scanning and various types of known attacks. Additionally, it can verify the security status of a client, including the status of executables, Anti-Virus, firewall, etc.

During a recent security assessment of a laptop build, IRM identified a security issue associated with SSA. A non-privileged user is able to export the security policy file and make a simple modification. The file can then be imported back, which results in the agent 'failing open' on the next restart.

Description
-----------
The SSA security policy file is an XML file which can be exported by a non-privileged user and then imported back. It is therefore possible to change certain settings in the policy file, including trusted IP addresses or DNS names, for instance. Additionally, it is possible to change the name of the default policy location to one that does not exist. When SSA is closed gracefully during system shutdown, the imported policy is saved and also copied to the backup, so that both policies now reference a non-existent 'DefaultLocation'. When SSA starts up again, the policy is loaded and, upon switching to the DefaultLocation, it throws an exception and fails.
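The failure described above is a dangling reference: the imported policy names a DefaultLocation that no defined location matches, and the agent throws when it tries to switch to it. The following Python example is added here for illustration and is not Sygate's code; the XML layout, the element names Location and DefaultLocation, and the Policy class are assumptions chosen for the example. It shows the two controls a defender wants at import time: reject a policy whose DefaultLocation is undefined before it is saved or copied to the backup, and, if an invalid policy is nevertheless loaded, fall back to a deny-all policy rather than failing open.

```python
"""Fail-closed validation of an endpoint-agent policy file before import."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample policies in a hypothetical layout (not SSA's real schema).
VALID_POLICY = """<Policy>
  <Locations>
    <Location name="Office"/>
    <Location name="Remote"/>
  </Locations>
  <DefaultLocation>Office</DefaultLocation>
</Policy>"""

# Same policy after the DefaultLocation was edited to a name that is not defined.
TAMPERED_POLICY = """<Policy>
  <Locations>
    <Location name="Office"/>
    <Location name="Remote"/>
  </Locations>
  <DefaultLocation>DoesNotExist</DefaultLocation>
</Policy>"""


@dataclass
class Policy:
    locations: list
    default_location: str
    fail_closed: bool = False  # True means the deny-all fallback is in force


# Deny-all fallback used whenever a policy cannot be trusted.
FAIL_CLOSED = Policy(locations=[], default_location="", fail_closed=True)


def validate_policy(xml_text):
    """Return a list of problems; an empty list means the policy may be imported."""
    errors = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]

    names = [loc.get("name") for loc in root.iter("Location") if loc.get("name")]
    if not names:
        errors.append("no locations defined")

    default = root.findtext("DefaultLocation")
    if default is None or not default.strip():
        errors.append("DefaultLocation missing")
    elif default not in names:
        # This is the dangling reference that made the agent fail open.
        errors.append(f"DefaultLocation {default!r} is not a defined location")
    return errors


def load_policy(xml_text):
    """Parse a policy, or return the deny-all fallback if validation fails.

    Refusing to apply an invalid policy (and never writing it to the backup)
    keeps the host protected instead of leaving it without a firewall.
    """
    if validate_policy(xml_text):
        return FAIL_CLOSED
    root = ET.fromstring(xml_text)
    return Policy(
        locations=[loc.get("name") for loc in root.iter("Location")],
        default_location=root.findtext("DefaultLocation"),
    )


if __name__ == "__main__":
    print("valid:", validate_policy(VALID_POLICY))
    print("tampered:", validate_policy(TAMPERED_POLICY))
    print("loaded tampered ->", load_policy(TAMPERED_POLICY))
```

The same validation belongs at every point where a policy can enter the agent: on import, before the shutdown-time save, and before the backup copy is overwritten, so that a single bad file cannot poison both the active policy and its backup.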
Affected Versions
-----------------
SSA running in 'Server Control' or 'Power User' Modes:

* SSA version 3.5
* SSA version 4.0
* SSA version 4.1

Unaffected Versions
-------------------
* SSA in client mode (any version)
* Sygate Personal Firewall (Standard and Pro versions)

Vendor & Patch Information
--------------------------
Sygate were contacted and immediately started investigating the issue. When the vulnerability was confirmed, a new build was released. Users are required to upgrade to the latest builds for each version:

* SSA3.5 build 2580
* SSA4.0 build 2715
* SSA4.1 build 2827

These are available from Sygate's website (http://www.sygate.com).

Workarounds
-----------
Enable password protection for the SSA export/import function (this is not the default setting for SSA running in 'Server Control' or 'Power User' Modes).

Credits
-------
Research & Advisory: Mazin Faour.

Disclaimer
----------
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.