Vulnerability Note VU#873334
Check Point ISAKMP vulnerable to buffer overflow via Certificate Request
A buffer overflow vulnerability exists in the Internet Security Association and Key Management Protocol (ISAKMP) implementation used in Check Point VPN-1, SecuRemote, and SecureClient products. An unauthenticated, remote attacker could execute arbitrary code with the privileges of the ISAKMP process, typically root or SYSTEM.
ISAKMP (RFC 2408) defines a framework for authentication, key management, and the negotiation of Security Associations (SAs). The Internet Key Exchange protocol (IKE, RFC 2049) operates within the framework of ISAKMP and uses parts of Oakley (RFC 2412) and SKEME to negotiate and provide cryptographic key exchange for ISAKMP SAs. ISAKMP/IKE is commonly used by IPSec-based virtual private networks (VPNs).
The ISAKMP implementation used in the Check Point VPN server (VPN-1) and clients (SecuRemote, SecureClient) does not adequately validate Certificate Request payloads. As a result, a specially crafted ISAKMP packet could overflow a static memory buffer, writing arbitrary data on the stack.
An attacker who is able to send a UDP packet to the ISAKMP service (500/udp) could execute arbitrary code with the privileges of the VPN process, typically root or SYSTEM. No authentication is required to exploit this vulnerability.
Check Point workarounds
Customers using affected releases, who have a VPN encryption license should disable the VPN encryption and confirm that there are no Objects with ISAKMP checked.
Customers who are running an earlier version of VPN-1/FireWall-1 4.1 SP5a and prior, and cannot upgrade should contact Check Point Technical Services for assistance.
Block or restrict access to the ISAKMP service (500/udp) from untrusted networks such as the Internet. This will disable IKE and ISAKMP functionality (authentication, key exchange, SA negotiation) which is likely to disable most VPN services. Depending on service requirements, it may be possible to operate VPN connections without IKE/ISAKMP by using static SAs and pre-shared keys. Note also that in most cases it is trivial for an attacker to spoof the source of a UDP packet.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Check Point||Affected||05 Feb 2004||09 Feb 2004|
CVSS Metrics (Learn More)
This vulnerability was reported by Internet Security Systems (ISS).
This document was written by Art Manion.
- CVE IDs: CAN-2004-0040
- Date Public: 04 Feb 2004
- Date First Published: 05 Feb 2004
- Date Last Updated: 12 Feb 2004
- Severity Metric: 5.20
- Document Revision: 35
If you have feedback, comments, or additional information about this vulnerability, please send us email.