发布时间 :2004-09-28 00:00:00
修订时间 :2016-10-17 22:38:21

[原文]Sygate Enforcer 4.0 earlier allows remote attackers to cause a denial of service (service hang) by replaying a malformed discovery packet to UDP port 39999.

[CNNVD]Sygate Enforcer Discovery包远程拒绝服务漏洞(CNNVD-200409-087)

        Sygate Enforcers是一款包过滤防火墙设备。
        Sygate Enforcers不正确处理带有畸形负载的通信,远程攻击者可以利用这个漏洞对设备进行拒绝服务攻击。
        Sygate Enforcer产品在所有接口每秒间隔发送一个Discovery(发现)包,此包为UDP数据帧,从源端口39999到目的端口39999,并发送给本地子网广播地址。如果带有畸形负载的包发给Enforcer,会导致服务异常停止。造成拒绝服务攻击。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20040810 Corsaire Security Advisory - Sygate Enforcer discovery packet DoS issue
(VENDOR_ADVISORY)  XF  sygate-enforcer-payload-dos(16949)

- 漏洞信息

Sygate Enforcer Discovery包远程拒绝服务漏洞
中危 其他
2004-09-28 00:00:00 2006-08-24 00:00:00
        Sygate Enforcers是一款包过滤防火墙设备。
        Sygate Enforcers不正确处理带有畸形负载的通信,远程攻击者可以利用这个漏洞对设备进行拒绝服务攻击。
        Sygate Enforcer产品在所有接口每秒间隔发送一个Discovery(发现)包,此包为UDP数据帧,从源端口39999到目的端口39999,并发送给本地子网广播地址。如果带有畸形负载的包发给Enforcer,会导致服务异常停止。造成拒绝服务攻击。

- 公告与补丁

        建议用户升级Sygate Enforcer产品:

- 漏洞信息 (F34008)

Corsaire Security Advisory 2003-11-20.1 (PacketStormID:F34008)
2004-08-11 00:00:00
Martin O'Neal,Corsaire
advisory,denial of service

Corsaire Security Advisory - Sygate Enforcer 4.0 and prior releases are susceptible to a denial of service attack via malformed discovery packets.

-- Corsaire Security Advisory --

Title: Sygate Enforcer discovery packet DoS issue
Date: 20.11.03
Application: Sygate Enforcer 4.0 and prior
Environment: Windows NT, 2000, 2003
Author: Martin O'Neal []
Audience: General distribution
Reference: c031120-001

-- Scope --

The aim of this document is to clearly define an issue that exists with 
the Sygate Enforcer product [1] that will allow a remote attacker to 
provoke a DoS condition. 

-- History --

Discovered: 20.11.03 (Martin O'Neal)
Vendor notified: 14.01.04
Document released: 10.8.04

-- Overview --

Sygate Enforcers are described as [2] "network gateway devices that 
enforce host integrity at network access points". Architecturally they 
function as an authenticated, packet-filtering firewall device. The 
Enforcer interacts with the Sygate Security Agent (SAA [the personal 
firewall component]) product and limits access to protected 
networks/hosts to authenticated clients that comply with a predefined 

In practise, the Enforcer device uses a number of proprietary protocol 
exchanges to communicate with other Enforcers and also the SAA product. 
By sending a packet containing a malformed payload to the Enforcer, the 
host service can be forced to stop responding.

-- Analysis --

The Sygate Enforcer product sends a discovery packet at one-second 
intervals on all interfaces that have IP bound to them. The packet is a 
UDP datagram, from source port 39999 to destination port 39999, and is 
sent to the local subnet broadcast address.

If this packet is malformed and replayed to the Enforcer, it will cause 
the Enforcer service to stop unexpectedly, without generating an entry 
within the product's audit trail.

It is worth noting that the packet that is replayed does not need to be 
sent to the local subnet broadcast address, and can be happily sent to 
any valid unicast address associated with the Enforcer. This means that 
the attacker does not need to be local to the Enforcer to exploit this 

-- Recommendations --

The Enforcer product should be upgraded to a version that is not 
susceptible to this issue.

-- Background --

This issue was discovered using a custom protocol analysis tool 
developed by Corsaire's security assessment team. This tool is not 
available publicly, but is an example of the specialist approach used by 
Corsaire's consultants as part of a commercial security assessment. To 
find out more about the cutting edge services provided by Corsaire 
simply visit our web site at

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0931 to this issue. This is a candidate for
inclusion in the CVE list (, which standardises
names for security problems.

-- References --


-- Revision --

a. Initial release.
b. Minor revisions.

-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.

-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 

Copyright 2004 Corsaire Limited. All rights reserved. 


- 漏洞信息

Sygate Enforcer Discovery Packet DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

Sygate Enforcer contains a flaw that may allow a remote denial of service. The issue is triggered when a remote attacker sends a specially crafted UDP packet from source port 39999 to destination source port 39999 on the Enforcer system, and will result in loss of availability for the Enforcer system.

- 时间线

2004-08-10 2003-11-20
2004-08-10 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

Sygate Secure Enterprise Enforcer Remote Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 10910
Yes No
2004-08-10 12:00:00 2009-07-12 06:16:00
This vulnerability was discovered and announced by Martin O'Neal of Corsaire Security.

- 受影响的程序版本

Sygate Secure Enterprise 4.0
Sygate Secure Enterprise 3.5 MR3
Sygate Secure Enterprise 3.5 MR1
Sygate Secure Enterprise 3.5
Sygate Secure Enterprise 3.0

- 漏洞讨论

Sygate Enforcer is reported to be susceptible to a remote denial of service vulnerability.

Malformed UDP packets can be broadcast on a local network segment, and reportedly crash all affected applications that receive it. These UDP discovery packets can also be send to unicast addresses, and can therefore be routed to remote networks to crash targeted computers. The origin of these packets could also likely be spoofed, hiding the source of the attack.

Sygate Enforcer versions 4.0 and prior are reported to be affected by this vulnerability.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- 解决方案

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- 相关参考