
             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                     Entrust LibKmp Library Vulnerabilities
                     [Symantec Security Response SYM04-012]

August 26, 2004 19:00 GMT                                         Number O-206
______________________________________________________________________________
PROBLEM:       Vulnerabilities in the Entrust LibKmp ISAKMP library have been 
               found. This library may be used to facilitiate IKE key exchange 
               for IPSEC-based VPN products and does not properly validate 
               incoming ISAKMP packets. 
PLATFORM:      Symantec Enterprise Firewall 8.0 (Windows and Solaris) 
               Symantec Enterprise Firewall 7.0.x (Windows and Solaris) 
               Symantec VelociRaptor 1.5 
               Symantec Gateway Security 1.0 - 5300 Series 
               Symantec Gateway Security 2.0 - 5400 Series 
               Any VPN or firewall product which implements the Entrust 
                 LibKmp ISAKMP library 
DAMAGE:        ISAKMP is a standard protocol used to negotiate dynamic VPN 
               tunnels. By sending sufficiently malformed ISAKMP packets, an 
               attacker could cause a DoS condition in the affected VPN 
               component. Or, if specifically crafted, the malformed ISAKMP 
               packets could potentially lead to further possible compromise 
               of the VPN server. 
SOLUTION:      Apply the available security updates. 
______________________________________________________________________________
VULNERABILITY  The risk is LOW. Possible denial of service that could lead to 
ASSESSMENT:    a compromise. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-206.shtml 
 ORIGINAL BULLETIN:  Symantec Security Response SYM04-012                                                       
                     http://securityresponse.symantec.com/avcenter/security/Content/2004.08.26.html 
 ADDITIONAL LINKS:   ISS X-Force Advisory
                     http://xforce.iss.net/xforce/alerts/id/181
                     Entrust Advisory
                     https://www.entrust.com/trustedcare/troubleshooting/bulletins.htm
                     (requires account)
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CAN-2004-0369 
______________________________________________________________________________
[***** Start Symantec Security Response SYM04-012 *****]

SYM04-012 
August 26, 2004 

Symantec IPsec/ISAKMP VPN Buffer Overflow 

Revision History   None

Risk Impact        High 

Overview

Symantec resolved a Denial of Service (DoS) and potential compromise vulnerability 
reported by ISS X-Force. The vulnerability was identified in the Entrust module 
responsible for handling ISAKMP negotiations that is used in some Symantec 
gateway products. Under certain conditions, the VPN component terminates abruptly 
impacting the availability of dynamic VPN services. A specifically crafted 
attack could potentially lead to further compromise of the VPN server. 

NOTE: This issue does not affect gateways that only use static VPN tunnels or 
that have no dynamic VPN tunnels defined. 

Affected Components

Symantec Enterprise Firewall 8.0 (Windows and Solaris) Symantec Enterprise 
Firewall 7.0.x (Windows and Solaris) Symantec VelociRaptor 1.5 Symantec Gateway 
Security 1.0 - 5300 Series Symantec Gateway Security 2.0 - 5400 Series 

Details

ISS X-Force notified Symantec of a vulnerability they discovered in the Entrust 
module running on some of Symantec's gateway products. The module, which implements 
the IKE key exchange protocol, was not properly validating incoming 
ISAKMP packets. 

ISAKMP is a standard protocol used to negotiate dynamic VPN tunnels. By sending 
sufficiently malformed ISAKMP packets, an attacker could cause a DoS condition 
in the affected VPN component. Or, if specifically crafted, the malformed ISAKMP 
packets could potentially lead to further possible compromise of the VPN server. 

Symantec Response

Symantec confirmed the vulnerable module and coordinated extensively with Entrust 
to finalize and thoroughly test a fix for the Entrust module impacting 
Symantec's affected products.

Symantec has released a hotfix to address this issue for affected Symantec 
gateway products. Symantec strongly recommends customers apply the appropriate 
hotfix for their affected product models/versions immediately to protect 
against this type of threat. 

Mitigation

This issue does not affect gateways that only use static VPN tunnels or that 
have no dynamic VPN tunnels defined. Even when ISAKMPd is running (always by 
default), if no dynamic VPN tunnels are defined, ISAKMP traffic is filtered 
before it gets to the ISAKMPd module. Therefore any gateway that is not being 
used as a VPN server is not affected by this problem.

Symantec recommends that customers who are NOT currently using their Symantec 
gateway product as a VPN server apply this hotfix during normal maintenance 
cycles in the event they configure their gateway product as a VPN server in 
the future.

Product specific hotfixes are available via the Symantec Enterprise Support 
site http://www.symantec.com/techsupp.

Symantec is not aware of any active attempts against or organizations 
impacted by this issue. 

CVE

The Common Vulnerabilities and Exposures (CVE) initiative has assigned 
Candidate CAN-2004-0369 to the ISS X-Force reported issue. This is a candidate 
for inclusion in the CVE list (http://cve.mitre.org), which standardizes names 
for security problems. 

Credit:

Symantec appreciates the actions of the X-Force research team in identifying 
this issue to Symantec and their cooperation and coordination while Symantec 
worked with Entrust to resolve all issues. 

Symantec Product Security Contact

Symantec takes the security and proper functionality of its products very 
seriously. As founding members in the Organization for Internet Safety, 
Symantec follows the process of responsible disclosure. Symantec also subscribes
to the vulnerability guidelines outlined by the National Infrastructure Advisory 
Council (NIAC). Please contact secure@symantec.com if you feel you have 
discovered a potential or actual security issue with a Symantec product.

Symantec strongly recommends using encrypted email for reporting vulnerability 
information to secure@symantec.com. The Symantec Product Security PGP key 
can be obtained here. 


--------------------------------------------------------------------------------

Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it 
is not edited in any way unless authorized by Symantec Security Response. 
Reprinting the whole or part of this alert in any medium other than electronically 
requires permission from symsecurity@symantec.com.

Disclaimer

The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. Use of the information 
constitutes acceptance for use in an AS IS condition. There are no warranties 
with regard to this information. Neither the author nor the publisher accepts 
any liability for any direct, indirect, or consequential loss or damage arising 
from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are 
registered trademarks of Symantec Corp. and/or affiliated companies in the 
United States and other countries. All other registered and unregistered 
trademarks represented in this document are the sole property of their respective 
companies/owners. 

Last modified on: Wednesday, 25-Aug-04 15:27:13

[***** End Symantec Security Response SYM04-012 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Symantec for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-197: Microsoft Exchange Server 5.5 Outlook Web Access Vulnerability
O-198: Rsync Unsanitised Input Processing
CIACTech04-002: Rootkit Backdoor Trigger Detection Strings
O-199: Cisco IOS Malformed OSPF Packet Causes Reload
O-200: Updated PAM Packages
O-201: Qt Package Vulnerabilities
O-202: Buffer Overflow in the CDE Mailer dtmail(1X)
O-203: Cisco Secure Access Control Server Vulnerabilities
O-204: Netscape NSS Library Suite Remote Buffer Overflow
O-205: Adobe Acrobat Reader Uuencoding Buffer Overflow