Published: 2004-09-28 00:00:00
Revised: 2017-07-10 21:29:56

[Original] Sygate Secure Enterprise (SSE) 3.5MR3 and earlier does not change the key used to encrypt data, which allows remote attackers to cause a denial of service (resource exhaustion) by capturing a session and repeatedly replaying the session.

[CNNVD] Sygate Secure Enterprise Replay Attack Vulnerability (CNNVD-200409-071)

        Sygate Secure Enterprise is a security policy enforcement system.
        Sygate Secure Enterprise does not implement any replay protection; a remote attacker can exploit this vulnerability to send repeated requests that consume large amounts of resources.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

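- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD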

- Other links and resources
(UNKNOWN)  BUGTRAQ  20040810 Corsaire Security Advisory - Sygate Secure Enterprise replay issue
(UNKNOWN)  XF  sse-replay-dos(16945)

- Vulnerability information

Sygate Secure Enterprise Replay Attack Vulnerability
Medium severity  Design error
2004-09-28 00:00:00 2006-08-24 00:00:00

- Advisories and patches

        Users are advised to upgrade the Sygate Secure Enterprise product:

- Vulnerability information (F34009)

Corsaire Security Advisory 2003-11-20.2 (PacketStormID:F34009)
2004-08-11 00:00:00
Martin O'Neal,Corsaire

Corsaire Security Advisory - Sygate Secure Enterprise versions prior to 3.5MR3 are susceptible to a replay attack that allows for resource exhaustion.

-- Corsaire Security Advisory --

Title: Sygate Secure Enterprise replay issue
Date: 20.11.03
Application: Sygate Secure Enterprise prior to 3.5MR3
Environment: Windows NT, 2000, 2003
Author: Martin O'Neal
Audience: General distribution
Reference: c031120-002

-- Scope --

The aim of this document is to clearly define an issue that exists with 
the Sygate Secure Enterprise (SSE) product [1] that will allow a remote 
attacker to exhaust resources on the server, potentially provoking a DoS 

-- History --

Discovered: 20.11.03 (Martin O'Neal)
Vendor notified: 14.01.04
Document released: 10.8.04

-- Overview --

The Sygate Secure Enterprise (SSE) [2] provides "the necessary features 
required to scale policy management across the world's largest 
enterprises, driving individual and appropriate policies for up to 
hundreds of thousands of users". Part of this functionality is providing 
centralised logging functionality to both the Sygate Enforcer and Sygate 
Security Agent (SSA) products. 

In practice, the SSE uses HTTP to communicate with the SSA clients. 
These exchanges do not implement any form of replay protection, so an 
attacker can simply send repeated requests until all the resources on 
the host are exhausted.

-- Analysis --

The SSE product communicates with valid SSA clients via the HTTP 
protocol. These exchanges include a number of fields that are encrypted 
using a static key (that is common across all SSA clients). Some of 
these fields uniquely identify the SSA client instance, and others 
contain the actual data payload, such as log entries for centralised 
storage, or authentication sequences. 

As the key used to encrypt the data never changes, and the fields 
include no replay protection, all an attacker need do is to capture a 
valid protocol session, then replay it against the server repeatedly 
until the server exhausts all its resources.

-- Recommendations --

The SSE product should be upgraded to a version that is not susceptible 
to this issue.

-- Background --

This issue was discovered using a custom protocol analysis tool 
developed by Corsaire's security assessment team. This tool is not 
available publicly, but is an example of the specialist approach used by 
Corsaire's consultants as part of a commercial security assessment. To 
find out more about the cutting edge services provided by Corsaire 
simply visit our web site at

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2004-0163 to this issue. This is a candidate for
inclusion in the CVE list (, which standardises
names for security problems.

-- References --


-- Revision --

a. Initial release.
b. Corrected grammatical errors.
c. Minor revisions.

-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.

-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 

Copyright 2004 Corsaire Limited. All rights reserved. 


- Vulnerability information

Sygate Secure Enterprise Protocol Session Replay DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

Sygate Secure Enterprise contains a flaw that may allow a remote denial of service. The issue is triggered by a lack of replay protection in fields and the use of static encryption keys for communication, allowing the possibility of replay attacks. A remote attacker can use this to continually replay sessions between the SSA and the Secure Enterprise Server, which will result in loss of availability for the server.

- Timeline

2004-08-10 2003-11-10
2004-08-10 Unknown

- Solution

Upgrade to version 3.5MR3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Sygate Secure Enterprise Remote Denial Of Service Vulnerability
Design Error 10909
Yes No
2004-08-10 12:00:00 2009-07-12 06:16:00
This vulnerability was discovered and announced by Martin O'Neal of Corsaire Security.

- Affected program versions

Sygate Security Agent 4.0
Sygate Security Agent 3.5 build 2577
Sygate Security Agent 3.5 build 2576
Sygate Security Agent 3.0
Sygate Secure Enterprise 3.5 MR3
Sygate Secure Enterprise 3.5 MR1
Sygate Secure Enterprise 3.5
Sygate Secure Enterprise 3.0
Sygate Secure Enterprise 3.5 MR3

- Unaffected program versions

Sygate Secure Enterprise 3.5 MR3

- Vulnerability discussion

Sygate Secure Enterprise is reported prone to a denial of service vulnerability. The issue is reported to exist due to the weak methods used for communication between the agents and the server.

It is reported that an attacker who can capture a valid Sygate Secure Enterprise protocol session may replay this session continuously and in doing so exhaust resources on the Sygate Secure Enterprise server.

All versions of Sygate Secure Enterprise prior to 3.5MR3 are reported to be prone to this vulnerability.
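
A sketch of the replay protection whose absence the advisory describes, added here as an example (it is not Corsaire's or Sygate's code and does not reflect the actual SSE protocol): a per-session key and a MAC-covered counter and timestamp let the server discard a captured message before any costly processing. All class, function and field names are hypothetical, and `open_session` stands in for an authenticated session setup that delivers the key to the agent.

```python
import hashlib
import hmac
import os
import struct


def sign(key, session_id, counter, timestamp, payload):
    # The MAC covers the freshness fields, so they cannot be altered after capture.
    header = struct.pack(">HQQ", len(session_id), counter, timestamp)
    return hmac.new(key, header + session_id + payload, hashlib.sha256).digest()


class ReplayGuard:
    """Hypothetical server-side freshness check for agent messages."""

    def __init__(self, max_skew=300):
        self.max_skew = max_skew   # seconds a message stays acceptable
        self.sessions = {}         # session_id -> [key, highest counter accepted]

    def open_session(self, session_id):
        # Fresh random key per session: a capture from one session does not
        # verify in any other, unlike a static key shared by all agents.
        key = os.urandom(32)
        self.sessions[session_id] = [key, 0]
        return key

    def accept(self, session_id, counter, timestamp, payload, tag, now):
        state = self.sessions.get(session_id)
        if state is None:
            return False
        key, last = state
        expected = sign(key, session_id, counter, timestamp, payload)
        if not hmac.compare_digest(expected, tag):
            return False           # forged, modified, or from an old session
        if abs(now - timestamp) > self.max_skew or counter <= last:
            return False           # stale capture or replayed counter
        state[1] = counter         # only now hand the payload to costly processing
        return True


def demo():
    guard = ReplayGuard()
    sid = b"agent-0001"                      # constructed sample values
    payload = b"log: policy check passed"
    key = guard.open_session(sid)
    tag = sign(key, sid, 1, 1000, payload)
    first = guard.accept(sid, 1, 1000, payload, tag, now=1001)
    replay = guard.accept(sid, 1, 1000, payload, tag, now=1002)
    return first, replay                     # (True, False)
```

The check makes each replayed message cheap to reject; it does not by itself limit the rate at which a sender can submit requests.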

- Exploit

There is no exploit required.

- Solution

It is reported that the vendor has released an upgrade to address this issue. Customers are advised to contact the vendor for details regarding obtaining and applying this upgrade.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Related references