Title: Entrust LibKMP ISAKMP Library Remote IPsec/ISAKMP Buffer Overflow Vulnerability
Severity: CRITICAL
Description:
The Entrust LibKMP ISAKMP library handles ISAKMP negotiations, for example as part of the IKE key exchange protocol, for many products. The module is employed in some Symantec gateway products. Other vendors may also use the library in their products.
The Entrust LibKMP ISAKMP library is reported to be affected by a remote buffer overflow vulnerability. The vulnerability exists due to lack of validation and sanity checking performed on ISAKMP proposal payloads that are embedded within SA payloads.
Because the Entrust LibKMP ISAKMP library does not properly validate incoming ISAKMP proposal payloads, malicious ISAKMP packets may trigger a heap-based buffer overrun, corrupting heap memory management chunks in the Entrust library process.
It is reported that a remote attacker may exploit this condition to deny service to the Entrust LibKMP ISAKMP library and to any services that depend on it, such as VPN. It is also reported that it may be possible to execute arbitrary code in the context of an implementation that uses the library.
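The advisory attributes the overflow to missing validation of proposal payloads inside SA payloads but does not say which field is mishandled. The C code below is an added example, not Entrust's code and not part of the original advisory: it shows the length checks a receiver can apply to the proposal area before copying anything, assuming the RFC 2408 proposal and transform layouts; the function and sample names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Fixed header sizes and next-payload codes as laid out in RFC 2408. */
enum { PROP_HDR = 8, XFRM_HDR = 8, NP_NONE = 0, NP_PROPOSAL = 2, NP_TRANSFORM = 3 };

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Walk the transforms inside one proposal; every declared length is checked
 * against the bytes that really remain before it is trusted. */
static int check_transforms(const uint8_t *p, size_t len, unsigned count)
{
    for (unsigned i = 0; i < count; i++) {
        if (len < XFRM_HDR) return -1;                 /* truncated header */
        size_t tlen = be16(p + 2);
        if (tlen < XFRM_HDR || tlen > len) return -1;  /* length out of range */
        if (p[0] != (i + 1 == count ? NP_NONE : NP_TRANSFORM)) return -1;
        p += tlen; len -= tlen;
    }
    return len == 0 ? 0 : -1;                          /* no unexplained bytes */
}

/* buf/len: proposal area of an SA payload (the bytes after DOI and Situation).
 * Returns the number of well-formed proposals, or -1 if anything is malformed. */
int check_proposals(const uint8_t *buf, size_t len)
{
    int n = 0;
    while (len > 0) {
        if (len < PROP_HDR) return -1;
        size_t plen = be16(buf + 2), spi = buf[6];
        unsigned ntrans = buf[7];
        if (plen < PROP_HDR || plen > len || ntrans == 0) return -1;
        if (spi > plen - PROP_HDR) return -1;          /* SPI would overrun payload */
        if (check_transforms(buf + PROP_HDR + spi, plen - PROP_HDR - spi, ntrans))
            return -1;
        if (buf[0] != (plen == len ? NP_NONE : NP_PROPOSAL)) return -1;
        buf += plen; len -= plen; n++;
    }
    return n > 0 ? n : -1;
}

/* Constructed samples (not captured traffic): one valid proposal with a single
 * transform, one with an oversized SPI size, one with an oversized length. */
const uint8_t sample_ok[16]      = {0,0,0,16, 1,1,0,1,    0,0,0,8, 1,1,0,0};
const uint8_t sample_bad_spi[16] = {0,0,0,16, 1,1,0xFF,1, 0,0,0,8, 1,1,0,0};
const uint8_t sample_bad_len[16] = {0,0,4,0,  1,1,0,1,    0,0,0,8, 1,1,0,0};
```

A caller should reject the whole SA payload when `check_proposals` returns -1 and size any heap buffers only from lengths that have passed these checks.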
Symantec advises customers that this vulnerability does not affect Symantec gateways that only use static VPN tunnels or that have no dynamic VPN tunnels defined. Therefore, any gateway that is not being used as a VPN server is not affected by this problem.
Although unconfirmed, it is conjectured that this vulnerability may be related to the vulnerability described in BID 10273 "Check Point VPN-1 ISAKMP Remote Buffer Overflow Vulnerability", as Check Point VPN-1 may use the affected library. This BID will be updated if other vendors release details about affected products that use the vulnerable library.
Affected Products:
- Entrust LibKMP ISAKMP Library
- Symantec Enterprise Firewall 7.0.0 NT/2000
- Symantec Enterprise Firewall 7.0.0 Solaris
- Symantec Enterprise Firewall 7.0.4 NT/2000
- Symantec Enterprise Firewall 7.0.4 Solaris
- Symantec Enterprise Firewall 8.0.0 NT/2000
- Symantec Enterprise Firewall 8.0.0 Solaris
- Symantec Gateway Security 360R
- Symantec Gateway Security 5110 1.0.0
- Symantec Gateway Security 5200 1.0.0
- Symantec Gateway Security 5300
- Symantec Gateway Security 5300 1.0.0
- Symantec Gateway Security 5400 2.0.0
- Symantec Gateway Security 5440
- Symantec VelociRaptor 1.5.0
References:
- Entrust: Entrust Security Bulletin E04-002
- Internet Security Systems: Entrust LibKmp Library Buffer Overflow
- Symantec: Symantec Clientless VPN Gateway 4400 Series Homepage
- Symantec: Symantec Enterprise Firewall Product Homepage
- Symantec: Symantec IPsec/ISAKMP VPN Buffer Overflow