CVE-2004-0040
CVSS 10.0
Published: 2004-03-03 00:00:00
Revised: 2016-10-17 22:40:07

[Original] Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through 4.1 SP6 and Check Point SecuRemote/SecureClient 4.1 through 4.1 build 4200 allows remote attackers to execute arbitrary code via an ISAKMP packet with a large Certificate Request packet.


[CNNVD] Check Point VPN-1/SecuRemote ISAKMP Large Certificate Request Payload Buffer Overflow Vulnerability (CNNVD-200403-005)

Check Point Firewall-1 is a high-performance firewall; Check Point VPN-1 Server and the Check Point VPN clients provide VPN access for remote client machines. The IKE component of these products supports one-way or mutual authentication of the two remote peers.
Check Point VPN-1 Server and the Check Point VPN clients do not adequately check oversized Certificate Request payloads. A remote attacker can exploit this to trigger a buffer overflow and potentially take control of the firewall server with SYSTEM privileges.
Internet Key Exchange (IKE) negotiates and exchanges the keys used for encrypted transport or VPN communication; the ISAKMP protocol carries that exchange. Several products, including VPN implementations, lack adequate bounds checking when processing an ISAKMP packet that contains an oversized Certificate Request payload, so a remote, unauthenticated user can trigger the flaw during the initial phase of IKE negotiation. Exploitation requires no interaction with the target system: the attack can be carried out with UDP packets that carry a forged source address. Successful exploitation gives direct control of the entire firewall system.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:checkpoint:firewall-1:4.1:sp5    Checkpoint Firewall-1 4.1 SP5
cpe:/a:checkpoint:vpn-1:next_generation_fp1
cpe:/a:checkpoint:firewall-1:4.1:sp2    Checkpoint Firewall-1 4.1 SP2
cpe:/a:checkpoint:firewall-1:4.1:sp5a   Checkpoint Firewall-1 4.1 SP5a
cpe:/a:checkpoint:firewall-1:4.1:sp1    Checkpoint Firewall-1 4.1 SP1
cpe:/a:checkpoint:firewall-1:4.1:sp4    Checkpoint Firewall-1 4.1 SP4
cpe:/a:checkpoint:firewall-1:4.1:sp3    Checkpoint Firewall-1 4.1 SP3
cpe:/a:checkpoint:vpn-1:4.1:sp5a        Checkpoint VPN-1 4.1 SP5a
cpe:/a:checkpoint:firewall-1:next_generation_fp1
cpe:/a:checkpoint:vpn-1:next_generation_fp0
cpe:/a:checkpoint:firewall-1:next_generation_fp0
cpe:/a:checkpoint:firewall-1:4.1        Checkpoint Firewall-1 4.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0040
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0040
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-005
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=107604682227031&w=2
(UNKNOWN)  BUGTRAQ  20040205 Two checkpoint fw-1/vpn-1 vulns
http://www.ciac.org/ciac/bulletins/o-073.shtml
(UNKNOWN)  CIAC  O-073
http://www.kb.cert.org/vuls/id/873334
(VENDOR_ADVISORY)  CERT-VN  VU#873334
http://www.securityfocus.com/bid/9582
(VENDOR_ADVISORY)  BID  9582
http://xforce.iss.net/xforce/alerts/id/163
(UNKNOWN)  ISS  20040204 Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow
http://xforce.iss.net/xforce/xfdb/14150
(VENDOR_ADVISORY)  XF  vpn1-ike-bo(14150)

- Vulnerability information

Check Point VPN-1/SecuRemote ISAKMP Large Certificate Request Payload Buffer Overflow Vulnerability
Critical   Boundary condition error
2004-03-03 00:00:00   2006-01-03 00:00:00
Remote

- Advisories and patches

Temporary workarounds:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
* If you do not use VPN, disable it by unchecking "Accept VPN-1 & Firewall-1 Control Connections" under Policy->Properties. Keep in mind that this setting is tied to protocols such as FW1_mgmt, Radius, Tacacs and Ldap, and that VPN will be re-enabled once those protocols are used.
* If you use FWZ VPN, disable it the same way, but remember to allow the FW1_topo and FW1_key connections and the RDP protocol.
* If you use IKE VPN, you must filter the IKE port and allow connections only from a limited set of trusted addresses. Bear in mind that ISAKMP runs over UDP, and UDP source addresses are trivial to forge, so address filtering alone is a weak control.
Vendor patches:
Check Point Software
--------------------
Check Point recommends that users upgrade:
Check Point NG with Application Intelligence R55:

http://www.checkpoint.com/techsupport/ng_application_intelligence/r55_updates.html

- Vulnerability information

4432
Check Point VPN-1/SecuRemote ISAKMP Overflow
Remote / Network Access   Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

Check Point VPN-1/SecuRemote contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to improper handling of ISAKMP packets with large Certificate Request payloads from remote hosts. If an attacker sends a specially crafted request, they may be able to overflow a buffer and execute arbitrary commands with SYSTEM privileges.
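The flaw described in the CNNVD summary above and in this entry is an unchecked-length copy: the 16-bit length of the ISAKMP Certificate Request payload is taken from the packet and used to copy the payload body into a fixed-size stack buffer. The C program below is an added illustration of that bug class and is not Check Point's code. The header and payload layout follow RFC 2408; the 64-byte buffer size, the guard-region trick that stands in for the stack, the handler names and the constructed sample datagram are all assumptions made for the demonstration. It builds an ISAKMP datagram in memory, walks the payload chain with full bounds checks, and contrasts an unchecked copy (which overruns into the guard) with a checked one (which rejects the payload).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ISAKMP (RFC 2408): 28-byte header, then a chain of payloads, each with a 4-byte
 * generic header (next payload, reserved, 16-bit length that includes the header). */
#define ISAKMP_HDR_LEN     28
#define ISAKMP_PLD_HDR_LEN 4
#define ISAKMP_NP_NONE     0
#define ISAKMP_NP_CERTREQ  7   /* Certificate Request payload type */
#define CERTREQ_BUF_LEN    64  /* ASSUMED size of the fixed buffer; illustrative only */
#define GUARD_LEN          16

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Stand-in for the handler's stack frame: the fixed buffer followed by a guard
 * pattern in the place of what sits above it (saved registers, return address).
 * A clobbered guard makes the overflow visible without crashing the demo. */
typedef struct { uint8_t buf[CERTREQ_BUF_LEN]; uint8_t guard[GUARD_LEN]; } certreq_frame;
static void frame_init(certreq_frame *f) { memset(f->buf, 0, sizeof f->buf); memset(f->guard, 0xA5, GUARD_LEN); }
static int frame_guard_intact(const certreq_frame *f) {
    for (size_t i = 0; i < GUARD_LEN; i++) if (f->guard[i] != 0xA5) return 0;
    return 1;
}
typedef int (*certreq_handler)(certreq_frame *, const uint8_t *, size_t);

/* Vulnerable pattern: the length taken from the packet is trusted and the body is
 * copied into the fixed buffer. The clamp to the frame size exists only so the
 * demo stays inside its own memory; the real bug class has no clamp at all. */
int certreq_copy_unchecked(certreq_frame *f, const uint8_t *body, size_t blen) {
    size_t n = blen < sizeof *f ? blen : sizeof *f;
    memcpy((uint8_t *)f, body, n);   /* buf is at offset 0, so this runs into guard */
    return 0;
}
/* Hardened handler: refuse any Certificate Request body larger than the buffer. */
int certreq_copy_checked(certreq_frame *f, const uint8_t *body, size_t blen) {
    if (blen > CERTREQ_BUF_LEN) return -1;
    memcpy(f->buf, body, blen);
    return 0;
}

/* Walks the payload chain, checking every length against the datagram, and hands
 * Certificate Request bodies to `h`. Returns the payload count, or a negative
 * code for malformed input (-5: the handler refused a payload). */
int isakmp_process(const uint8_t *pkt, size_t pktlen, certreq_frame *f, certreq_handler h) {
    if (pktlen < ISAKMP_HDR_LEN) return -1;
    if (rd32(pkt + 24) != pktlen) return -2;     /* header length vs. datagram length */
    uint8_t np = pkt[16];
    size_t off = ISAKMP_HDR_LEN;
    int count = 0;
    while (np != ISAKMP_NP_NONE) {
        if (pktlen - off < ISAKMP_PLD_HDR_LEN) return -3;
        uint16_t plen = rd16(pkt + off + 2);
        if (plen < ISAKMP_PLD_HDR_LEN || plen > pktlen - off) return -4;
        if (np == ISAKMP_NP_CERTREQ &&
            h(f, pkt + off + ISAKMP_PLD_HDR_LEN, plen - ISAKMP_PLD_HDR_LEN) != 0) return -5;
        np = pkt[off];
        off += plen;
        count++;
    }
    return count;
}

/* Constructed sample: one ISAKMP datagram carrying a single Certificate Request
 * payload whose body is `body_len` bytes. Returns the datagram length. */
size_t build_certreq_packet(uint8_t *out, size_t cap, size_t body_len) {
    size_t total = ISAKMP_HDR_LEN + ISAKMP_PLD_HDR_LEN + body_len;
    if (total > cap || body_len + ISAKMP_PLD_HDR_LEN > 0xFFFF) return 0;
    memset(out, 0, total);
    memset(out, 0x11, 8);                       /* initiator cookie (arbitrary) */
    out[16] = ISAKMP_NP_CERTREQ;                /* first payload in the chain */
    out[17] = 0x10;                             /* ISAKMP version 1.0 */
    out[18] = 2;                                /* exchange type: Identity Protection */
    wr32(out + 24, (uint32_t)total);
    uint8_t *p = out + ISAKMP_HDR_LEN;
    p[0] = ISAKMP_NP_NONE;                      /* no further payloads */
    wr16(p + 2, (uint16_t)(ISAKMP_PLD_HDR_LEN + body_len));
    if (body_len) { p[4] = 4; memset(p + 5, 'A', body_len - 1); }  /* 4 = X.509 signature */
    return total;
}

/* Builds the sample with a `body_len`-byte body (optionally forging the payload
 * length field to `forged_plen`) and runs it through handler `h`. */
typedef struct { int rc; int guard_intact; } outcome;
outcome run_scenario(certreq_handler h, size_t body_len, uint16_t forged_plen) {
    uint8_t pkt[512];
    certreq_frame f;
    size_t n = build_certreq_packet(pkt, sizeof pkt, body_len);
    if (forged_plen) wr16(pkt + ISAKMP_HDR_LEN + 2, forged_plen);
    frame_init(&f);
    outcome o = { isakmp_process(pkt, n, &f, h), frame_guard_intact(&f) };
    return o;
}
```

`run_scenario(certreq_copy_unchecked, 200, 0)` parses the 200-byte body successfully but leaves the guard smashed, which is the overflow the advisory describes; `run_scenario(certreq_copy_checked, 200, 0)` returns -5 with the guard intact. The third argument forges the payload length field, and `isakmp_process` rejects it with -4 before any handler sees the body: the walker must validate every payload length against the remaining datagram, and the handler must still check the body against its own buffer, because either check alone leaves a path to the copy.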

- Timeline

2004-02-04 2004-02-02
Unknown Unknown

- Solution

Upgrade to version 4.1 SP6, NG FP2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

Check Point VPN-1/SecuRemote ISAKMP Large Certificate Request Payload Buffer Overflow Vulnerability
Boundary Condition Error   BID 9582
Remote: Yes   Local: No
Published: 2004-02-05 12:00:00   Updated: 2009-07-12 02:06:00
Discovery credited to Mark Dowd and Neel Mehta.

- Affected program versions

Check Point Software VPN-1 Next Generation FP1
Check Point Software VPN-1 Next Generation FP0
Check Point Software VPN-1 4.1 SP6
Check Point Software VPN-1 4.1 SP5a
Check Point Software VPN-1 4.1 SP5
Check Point Software VPN-1 4.1 SP4
Check Point Software VPN-1 4.1 SP3
Check Point Software VPN-1 4.1 SP2
Check Point Software VPN-1 4.1 SP1
Check Point Software VPN-1 4.1
Check Point Software SecuRemote 4.1
Check Point Software SecuRemote 4.0
Check Point Software SecureClient 4.1
Check Point Software SecureClient 4.0
Check Point Software FireWall-1 Next Generation FP1
Check Point Software FireWall-1 Next Generation FP0
Check Point Software Firewall-1 4.1 SP6
Check Point Software Firewall-1 4.1 SP5a
Check Point Software Firewall-1 4.1 SP5
Check Point Software Firewall-1 4.1 SP4
Check Point Software Firewall-1 4.1 SP3
Check Point Software Firewall-1 4.1 SP2
Check Point Software Firewall-1 4.1 SP1
Check Point Software Firewall-1 4.1

- Unaffected program versions

Check Point Software VPN-1 Next Generation FP2
Check Point Software VPN-1 4.1 SP6
Check Point Software FireWall-1 Next Generation FP2
Check Point Software Firewall-1 4.1 SP6

- Vulnerability discussion

A problem has been identified in the handling of large Certificate Request payload exchanges in Check Point VPN-1, SecuRemote, and SecureClient. Because of this, it is possible for a remote attacker to gain unauthorized access to vulnerable systems.

- Exploit

ISS has reported that a working proof-of-concept has been developed. However, this proof-of-concept has not been publicly released.

- Solution

Check Point has stated that these versions of software are no longer supported. Affected users are advised to upgrade to the NG versions of VPN-1 Server and SecuRemote/SecureClient.

Check Point has released an alert (ISAKMP Alert) that contains pertinent details for affected customers. See referenced alert for further details.

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's websites.