CVE-2004-0163
CVSS 5.0
Published: 2004-09-28 00:00:00
Last revised: 2016-10-17 22:41:20

[Original] Sygate Secure Enterprise (SSE) 3.5MR3 and earlier does not change the key used to encrypt data, which allows remote attackers to cause a denial of service (resource exhaustion) by capturing a session and repeatedly replaying the session.


[CNNVD] Sygate Secure Enterprise replay attack vulnerability (CNNVD-200409-071)

        
        Sygate Secure Enterprise is a security policy enforcement system.
        Sygate Secure Enterprise does not implement any replay protection; a remote attacker can exploit this to send repeated requests that consume large amounts of resources.
        The SSE product communicates with legitimate SSA clients over HTTP. These exchanges include a number of fields encrypted with a static key. Some of these fields uniquely identify the SSA client instance; others carry the actual data payload. Because the key used to encrypt the data is never changed and the fields have no replay protection, an attacker can capture a legitimate protocol session and replay these requests repeatedly, exhausting server resources and causing a denial of service.
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0163
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0163
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200409-071
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=109215685731675&w=2
(UNKNOWN)  BUGTRAQ  20040810 Corsaire Security Advisory - Sygate Secure Enterprise replay issue
http://www.corsaire.com/advisories/c031120-002.txt
(VENDOR_ADVISORY)  MISC  http://www.corsaire.com/advisories/c031120-002.txt
http://xforce.iss.net/xforce/xfdb/16945
(VENDOR_ADVISORY)  XF  sse-replay-dos(16945)

- Vulnerability information

Sygate Secure Enterprise replay attack vulnerability
Medium  Design error
2004-09-28 00:00:00 2006-08-24 00:00:00
Remote  
        
        

- Advisories and patches

        Vendor patch:
        Sygate
        ------
        Users are advised to upgrade the Sygate Secure Enterprise product:
        
        http://www.sygate.com/products/universal_enforcement.htm

- Vulnerability information (F34009)

Corsaire Security Advisory 2003-11-20.2 (PacketStormID:F34009)
2004-08-11 00:00:00
Martin O'Neal,Corsaire  corsaire.com
advisory
CVE-2004-0163

Corsaire Security Advisory - Sygate Secure Enterprise versions prior to 3.5MR3 are susceptible to a replay attack that allows for resource exhaustion.

-- Corsaire Security Advisory --

Title: Sygate Secure Enterprise replay issue
Date: 20.11.03
Application: Sygate Secure Enterprise prior to 3.5MR3
Environment: Windows NT, 2000, 2003
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c031120-002


-- Scope --

The aim of this document is to clearly define an issue that exists with 
the Sygate Secure Enterprise (SSE) product [1] that will allow a remote 
attacker to exhaust resources on the server, potentially provoking a DoS 
condition. 


-- History --

Discovered: 20.11.03 (Martin O'Neal)
Vendor notified: 14.01.04
Document released: 10.8.04


-- Overview --

The Sygate Secure Enterprise (SSE) [2] provides "the necessary features 
required to scale policy management across the world's largest 
enterprises, driving individual and appropriate policies for up to 
hundreds of thousands of users". Part of this functionality is providing 
centralised logging functionality to both the Sygate Enforcer and Sygate 
Security Agent (SSA) products. 

In practice, the SSE uses HTTP to communicate with the SSA clients. 
These exchanges do not implement any form of replay protection, so an 
attacker can simply send repeated requests until all the resources on 
the host are exhausted.


-- Analysis --

The SSE product communicates with valid SSA clients via the HTTP 
protocol. These exchanges include a number of fields that are encrypted 
using a static key (that is common across all SSA clients). Some of 
these fields uniquely identify the SSA client instance, and others 
contain the actual data payload, such as log entries for centralised 
storage, or authentication sequences. 

As the key used to encrypt the data never changes, and the fields 
include no replay protection, all an attacker need do is to capture a 
valid protocol session, then replay it against the server repeatedly 
until the server exhausts all its resources.
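The analysis above names two missing properties: a key that never changes and fields carrying no freshness. Below is an added Python example (not code from the advisory, Corsaire or Sygate) that contrasts a naive handler, which accepts any correctly-authenticated message as often as it is sent, with one that binds each request to a per-agent key, a random nonce and a timestamp and rejects replays inside a freshness window. The field names, the per-agent key and the 30-second window are assumptions.

```python
import hashlib, hmac, json, os, time
# Constructed per-agent key; the advisory's protocol used one static key for all
# agents, so binding the MAC to a per-agent key is an assumption of this example.
CLIENT_KEYS = {"agent-0001": b"constructed-per-agent-key"}
FRESHNESS_WINDOW = 30  # seconds a message stays acceptable (assumed value)

def sign(client_id, payload, nonce, ts):
    # MAC over client id, nonce, timestamp and payload so none can be altered.
    body = json.dumps([client_id, nonce, ts, payload], sort_keys=True).encode()
    return hmac.new(CLIENT_KEYS[client_id], body, hashlib.sha256).hexdigest()

def build_message(client_id, payload, now=None):
    # Agent side: every request carries a fresh random nonce and a timestamp.
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16).hex()
    return {"client": client_id, "nonce": nonce, "ts": ts, "payload": payload,
            "mac": sign(client_id, payload, nonce, ts)}

class NaiveServer:
    # Accepts any well-formed message as often as it is sent: the advisory's flaw.
    def __init__(self):
        self.processed = 0

    def handle(self, msg, now=None):
        if not hmac.compare_digest(sign(msg["client"], msg["payload"], msg["nonce"], msg["ts"]), msg["mac"]):
            return "bad-mac"
        self.processed += 1  # a replayed capture costs the server work every time
        return "ok"

class ReplayProtectedServer:
    # Rejects tampered, stale and replayed messages before doing any work.
    def __init__(self):
        self.seen = {}  # nonce -> timestamp, pruned once outside the window
        self.processed = 0

    def handle(self, msg, now=None):
        now = time.time() if now is None else now
        if msg.get("client") not in CLIENT_KEYS:
            return "unknown-client"
        expected = sign(msg["client"], msg["payload"], msg["nonce"], msg["ts"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad-mac"
        if abs(now - msg["ts"]) > FRESHNESS_WINDOW:
            return "stale"  # outside the window, so its nonce need not be remembered
        self.seen = {n: t for n, t in self.seen.items() if now - t <= FRESHNESS_WINDOW}
        if msg["nonce"] in self.seen:
            return "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        self.processed += 1
        return "ok"
```

The nonce cache only has to remember nonces for the length of the freshness window, which is what keeps the defence itself from becoming a resource-exhaustion vector.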


-- Recommendations --

The SSE product should be upgraded to a version that is not susceptible 
to this issue.


-- Background --

This issue was discovered using a custom protocol analysis tool 
developed by Corsaire's security assessment team. This tool is not 
available publicly, but is an example of the specialist approach used by 
Corsaire's consultants as part of a commercial security assessment. To 
find out more about the cutting edge services provided by Corsaire 
simply visit our web site at http://www.corsaire.com


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2004-0163 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardises
names for security problems.


-- References --

[1] http://www.sygate.com
[2] http://www.sygate.com/products/enterprise_policy_management.htm


-- Revision --

a. Initial release.
b. Corrected grammatical errors.
c. Minor revisions.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 
http://www.penetration-testing.com 


Copyright 2004 Corsaire Limited. All rights reserved. 



    

- Vulnerability information

8524
Sygate Secure Enterprise Protocol Session Replay DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

Sygate Secure Enterprise contains a flaw that may allow a remote denial of service. The issue is triggered by a lack of replay protection in fields and the use of static encryption keys for communication, allowing the possibility of replay attacks. A remote attacker can use this to continually replay sessions between the SSA and the Secure Enterprise Server, which will result in loss of availability for the Server.

- Timeline

2004-08-10 2003-11-10
2004-08-10 Unknown

- Solution

Upgrade to version 3.5MR3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Sygate Secure Enterprise Remote Denial Of Service Vulnerability
Design Error 10909
Yes No
2004-08-10 12:00:00 2009-07-12 06:16:00
This vulnerability was discovered and announced by Martin O'Neal of Corsaire Security.

- Affected versions

Sygate Security Agent 4.0
Sygate Security Agent 3.5 build 2577
Sygate Security Agent 3.5 build 2576
Sygate Security Agent 3.0
Sygate Secure Enterprise 3.5 MR3
Sygate Secure Enterprise 3.5 MR1
Sygate Secure Enterprise 3.5
Sygate Secure Enterprise 3.0

- Unaffected versions

Sygate Secure Enterprise 3.5 MR3

- Vulnerability discussion

Sygate Secure Enterprise is reported prone to a denial of service vulnerability. The issue is reported to exist due to the weak methods used for communication between the agents and the server.

It is reported that an attacker who can capture a valid Sygate Secure Enterprise protocol session, may replay this session continuously and in doing so exhaust resources on the Sygate Secure Enterprise server.

All versions of Sygate Secure Enterprise prior to 3.5MR3 are reported to be prone to this vulnerability.

- Exploit

There is no exploit required.

- Solution

It is reported that the vendor has released an upgrade to address this issue. Customers are advised to contact the vendor for details regarding obtaining and applying this upgrade.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Related references

 

 
