Title: PGPFreeware Malformed IKE Response Packet Buffer Overflow Vulnerability
Severity: HIGH
Description:
The implementation of Internet Key Exchange (IKE) used by the PGPFreeware VPN client is reported to be prone to a buffer overflow when handling malformed IKE response packets. An attacker may exploit this condition to cause process memory to be corrupted with attacker-supplied data on the client system, which may result in execution of arbitrary code. Exploitation may also result in a denial of service.
It is possible to exploit this issue via a malicious server. However, this may also potentially be exploited if the attacker can inject malformed packets into an existing client-server communication.
Other vendor products are reported to be affected by similar issues. Bugtraq ID(s) 5440, 5441, 5443 describe similar issues with regards to the handling of malformed IKE response packets. There are currently not enough details available to determine if PGPFreeware is affected by any of these specific issues.
This issue was reported in PGPFreeware 7.03 running on Windows NT 4.0 SP6. Other versions and platforms may also be affected.
Affected Products:
- Network Associates PGP Freeware 7.0.3
References:
- CERT/CC: Vulnerability Note VU#287771
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
