CERTVU:873334Check Point ISAKMP vulnerable to buffer overflow via Certificate Request
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
93.5%
Overview
A buffer overflow vulnerability exists in the Internet Security Association and Key Management Protocol (ISAKMP) implementation used in Check Point VPN-1, SecuRemote, and SecureClient products. An unauthenticated, remote attacker could execute arbitrary code with the privileges of the ISAKMP process, typically root or SYSTEM.
Description
ISAKMP (RFC 2408) defines a framework for authentication, key management, and the negotiation of Security Associations (SAs). The Internet Key Exchange protocol (IKE, RFC 2049) operates within the framework of ISAKMP and uses parts of Oakley (RFC 2412) and SKEME to negotiate and provide cryptographic key exchange for ISAKMP SAs. ISAKMP/IKE is commonly used by IPSec-based virtual private networks (VPNs).
The ISAKMP implementation used in the Check Point VPN server (VPN-1) and clients (SecuRemote, SecureClient) does not adequately validate Certificate Request payloads. As a result, a specially crafted ISAKMP packet could overflow a static memory buffer, writing arbitrary data on the stack.
Impact
An attacker who is able to send a UDP packet to the ISAKMP service (500/udp) could execute arbitrary code with the privileges of the VPN process, typically root or SYSTEM. No authentication is required to exploit this vulnerability.
Solution
Upgrade
This issue is resolved in Firewall-1/VPN-1 versions NG FP2 (released in April 2002) and 4.1 SP6 (June 2002). For further information, please see the Check Point ISAKMP Alert.
Check Point workarounds
The Check Point ISAKMP Alert provides the following advice for customers who are unable to upgrade:
Customers using affected releases, who are not able to upgrade at this time, can confirm that they are not affected by running “fw checklic encryption” for a false return.
Customers using affected releases, who have a VPN encryption license should disable the VPN encryption and confirm that there are no Objects with ISAKMP checked.
Customers who are running an earlier version of VPN-1/FireWall-1 4.1 SP5a and prior, and cannot upgrade should contact Check Point Technical Services for assistance.
Block or Restrict Access
Block or restrict access to the ISAKMP service (500/udp) from untrusted networks such as the Internet. This will disable IKE and ISAKMP functionality (authentication, key exchange, SA negotiation) which is likely to disable most VPN services. Depending on service requirements, it may be possible to operate VPN connections without IKE/ISAKMP by using static SAs and pre-shared keys. Note also that in most cases it is trivial for an attacker to spoof the source of a UDP packet.
Vendor Information
873334
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Check Point __ Affected
Notified: February 05, 2004 Updated: February 09, 2004
Status
Affected
Vendor Statement
The reported issue does not exist in recent versions of VPN-1/FireWall-1 Next Generation (NG) FP2 and later, including all versions of Next Generation Application Intelligence (NG AI). Nor does this issue exist in VPN-1/FireWall-1 4.1 SP6. The issue was also fixed in the same versions of our VPN client products, SecureClient and SecuRemote.
This issue was fixed during 2002 for all our product lines. There is a very small number of customers that are still using versions prior to 4.1 SP6 and NG prior to FP2; The number of them that use VPN is significantly smaller, hence the vulnerability applies to a very small number of existing deployments.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23873334 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://xforce.iss.net/xforce/alerts/id/163>
- <http://www.checkpoint.com/techsupport/alerts/41_isakmp.html>
- <http://www.checkpoint.com/corporate/iss.html>
- <http://www.ietf.org/html.charters/ipsec-charter.html>
- <http://www.ietf.org/rfc/rfc2408.txt>
- <http://www.ietf.org/rfc/rfc2409.txt>
- <http://www.ietf.org/rfc/rfc2412.txt>
- <http://www.research.ibm.com/security/skeme.ps>
- <http://www.secunia.com/advisories/10795/>
Acknowledgements
This vulnerability was reported by Internet Security Systems (ISS).
This document was written by Art Manion.
Other Information
| CVE IDs: | CVE-2004-0040 |
|---|---|
| Severity Metric: | 5.20 Date Public: |
References
www.checkpoint.com/corporate/iss.html
www.checkpoint.com/techsupport/alerts/41_isakmp.html
www.ietf.org/html.charters/ipsec-charter.html
www.ietf.org/rfc/rfc2408.txt
www.ietf.org/rfc/rfc2409.txt
www.ietf.org/rfc/rfc2412.txt
www.research.ibm.com/security/skeme.ps
www.secunia.com/advisories/10795/
xforce.iss.net/xforce/alerts/id/163
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
93.5%