ID

VAR-200403-0026


CVE

CVE-2004-0040


TITLE

Check Point ISAKMP vulnerable to buffer overflow via Certificate Request

Trust: 0.8

sources: CERT/CC: VU#873334

DESCRIPTION

Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through 4.1 SP6 and Check Point SecuRemote/SecureClient 4.1 through 4.1 build 4200 allows remote attackers to execute arbitrary code via an ISAKMP packet with a large Certificate Request payload. A buffer overflow vulnerability exists in the Internet Security Association and Key Management Protocol (ISAKMP) implementation used in Check Point VPN-1, SecuRemote, and SecureClient products. An unauthenticated, remote attacker could execute arbitrary code with the privileges of the ISAKMP process, typically root or SYSTEM, and could thereby gain unauthorized access to vulnerable systems.

Check Point Firewall-1 is a high-performance firewall; the Check Point VPN-1 server and Check Point VPN client provide VPN access for remote client computers. The IKE component of these products allows one-way or mutual authentication of two remote peers. The Check Point VPN-1 server and Check Point VPN client lack sufficient checks when handling large certificate payloads. A remote attacker can exploit this to cause a buffer overflow and possibly take control of the firewall server with system privileges.

Internet Key Exchange (IKE) is used for key negotiation and exchange when transmissions or communications are encrypted over a VPN; the ISAKMP protocol is used for this exchange. A remote, unauthenticated user triggers this vulnerability during the initial phase of IKE negotiation, because various products such as VPN implementations lack sufficient bounds checks when processing ISAKMP packets containing very large Certificate Request payloads. The attacker needs no interaction with the target system beyond sending UDP packets, which may carry forged source addresses. Successful exploitation of this vulnerability can give direct control of the entire firewall system.

Trust: 2.7

sources: NVD: CVE-2004-0040 // CERT/CC: VU#873334 // JVNDB: JVNDB-2004-000033 // BID: 9582 // VULHUB: VHN-8470

AFFECTED PRODUCTS

vendor: checkpoint, model: vpn-1, scope: eq, version: next_generation_fp1

Trust: 1.6

vendor: checkpoint, model: vpn-1, scope: eq, version: 4.1

Trust: 1.6

vendor: checkpoint, model: vpn-1, scope: eq, version: next_generation_fp0

Trust: 1.6

vendor: checkpoint, model: firewall-1, scope: eq, version: 4.1

Trust: 1.6

vendor: checkpoint, model: firewall-1, scope: eq, version: next_generation_fp1

Trust: 1.6

vendor: checkpoint, model: firewall-1, scope: eq, version: next_generation_fp0

Trust: 1.0

vendor: check point, model: -, scope: -, version: -

Trust: 0.8

vendor: check point, model: vpn-1/firewall-1, scope: eq, version: 4.1

Trust: 0.8

vendor: check point, model: vpn-1/firewall-1, scope: eq, version: 4.1sp1

Trust: 0.8

vendor: check point, model: vpn-1/firewall-1, scope: eq, version: 4.1sp2

Trust: 0.8

vendor: check point, model: vpn-1/firewall-1, scope: eq, version: 4.1sp3

Trust: 0.8

vendor: check point, model: vpn-1/firewall-1, scope: eq, version: 4.1sp4

Trust: 0.8

vendor: check point, model: vpn-1/firewall-1, scope: eq, version: 4.1sp5

Trust: 0.8

vendor: check point, model: vpn-1/firewall-1, scope: eq, version: ng

Trust: 0.8

vendor: check point, model: vpn-1/firewall-1, scope: eq, version: ng fp1

Trust: 0.8

vendor: check, model: point software vpn-1 next generation fp1, scope: -, version: -

Trust: 0.3

vendor: check, model: point software vpn-1 next generation fp0, scope: -, version: -

Trust: 0.3

vendor: check, model: point software vpn-1 sp6, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software vpn-1 sp5a, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software vpn-1 sp5, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software vpn-1 sp4, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software vpn-1 sp3, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software vpn-1 sp2, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software vpn-1 sp1, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software vpn-1, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software securemote, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software securemote, scope: eq, version: 4.0

Trust: 0.3

vendor: check, model: point software secureclient, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software secureclient, scope: eq, version: 4.0

Trust: 0.3

vendor: check, model: point software firewall-1 next generation fp1, scope: -, version: -

Trust: 0.3

vendor: check, model: point software firewall-1 next generation fp0, scope: -, version: -

Trust: 0.3

vendor: check, model: point software firewall-1 sp6, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software firewall-1 sp5a, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software firewall-1 sp5, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software firewall-1 sp4, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software firewall-1 sp3, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software firewall-1 sp2, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software firewall-1 sp1, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software firewall-1, scope: eq, version: 4.1

Trust: 0.3

vendor: check, model: point software vpn-1 next generation fp2, scope: ne, version: -

Trust: 0.3

vendor: check, model: point software vpn-1 sp6, scope: ne, version: 4.1

Trust: 0.3

vendor: check, model: point software firewall-1 next generation fp2, scope: ne, version: -

Trust: 0.3

vendor: check, model: point software firewall-1 sp6, scope: ne, version: 4.1

Trust: 0.3

sources: CERT/CC: VU#873334 // BID: 9582 // JVNDB: JVNDB-2004-000033 // CNNVD: CNNVD-200403-005 // NVD: CVE-2004-0040

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2004-0040
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#873334
value: 5.20

Trust: 0.8

NVD: CVE-2004-0040
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200403-005
value: CRITICAL

Trust: 0.6

VULHUB: VHN-8470
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2004-0040
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-8470
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#873334 // VULHUB: VHN-8470 // JVNDB: JVNDB-2004-000033 // CNNVD: CNNVD-200403-005 // NVD: CVE-2004-0040

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2004-0040

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200403-005

TYPE

Boundary Condition Error

Trust: 0.9

sources: BID: 9582 // CNNVD: CNNVD-200403-005

CONFIGURATIONS

sources: JVNDB: JVNDB-2004-000033

PATCH

title: 41_isakmp, url: http://www.checkpoint.com/techsupport/alerts/41_isakmp.html

Trust: 0.8

sources: JVNDB: JVNDB-2004-000033

EXTERNAL IDS

db: CERT/CC, id: VU#873334

Trust: 3.3

db: NVD, id: CVE-2004-0040

Trust: 2.8

db: BID, id: 9582

Trust: 2.8

db: OSVDB, id: 3821

Trust: 1.7

db: OSVDB, id: 4432

Trust: 1.7

db: SECUNIA, id: 10795

Trust: 0.8

db: JVNDB, id: JVNDB-2004-000033

Trust: 0.8

db: CNNVD, id: CNNVD-200403-005

Trust: 0.7

db: XF, id: 14150

Trust: 0.6

db: XF, id: 1

Trust: 0.6

db: ISS, id: 20040204 CHECKPOINT VPN-1/SECURECLIENT ISAKMP BUFFER OVERFLOW

Trust: 0.6

db: CIAC, id: O-073

Trust: 0.6

db: BUGTRAQ, id: 20040205 TWO CHECKPOINT FW-1/VPN-1 VULNS

Trust: 0.6

db: VULHUB, id: VHN-8470

Trust: 0.1

sources: CERT/CC: VU#873334 // VULHUB: VHN-8470 // BID: 9582 // JVNDB: JVNDB-2004-000033 // CNNVD: CNNVD-200403-005 // NVD: CVE-2004-0040

REFERENCES

url:http://xforce.iss.net/xforce/alerts/id/163

Trust: 3.6

url:http://www.securityfocus.com/bid/9582

Trust: 2.5

url:http://www.kb.cert.org/vuls/id/873334

Trust: 2.5

url:http://www.ciac.org/ciac/bulletins/o-073.shtml

Trust: 1.7

url:http://www.osvdb.org/3821

Trust: 1.7

url:http://www.osvdb.org/4432

Trust: 1.7

url:http://www.checkpoint.com/techsupport/alerts/41_isakmp.html

Trust: 1.1

url:http://marc.info/?l=bugtraq&m=107604682227031&w=2

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/14150

Trust: 1.1

url:http://www.checkpoint.com/corporate/iss.html

Trust: 0.8

url:http://www.ietf.org/html.charters/ipsec-charter.html

Trust: 0.8

url:http://www.ietf.org/rfc/rfc2408.txt

Trust: 0.8

url:http://www.ietf.org/rfc/rfc2409.txt

Trust: 0.8

url:http://www.ietf.org/rfc/rfc2412.txt

Trust: 0.8

url:http://www.research.ibm.com/security/skeme.ps

Trust: 0.8

url:http://www.secunia.com/advisories/10795/

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2004-0040

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2004-0040

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/14150

Trust: 0.6

url:http://marc.theaimsgroup.com/?l=bugtraq&m=107604682227031&w=2

Trust: 0.6

url:http://www.checkpoint.com/techsupport/

Trust: 0.3

url:/archive/1/352962

Trust: 0.3

sources: CERT/CC: VU#873334 // VULHUB: VHN-8470 // BID: 9582 // JVNDB: JVNDB-2004-000033 // CNNVD: CNNVD-200403-005 // NVD: CVE-2004-0040

CREDITS

Mark Dowd, Neel Mehta

Trust: 0.6

sources: CNNVD: CNNVD-200403-005

SOURCES

db: CERT/CC, id: VU#873334
db: VULHUB, id: VHN-8470
db: BID, id: 9582
db: JVNDB, id: JVNDB-2004-000033
db: CNNVD, id: CNNVD-200403-005
db: NVD, id: CVE-2004-0040

LAST UPDATE DATE

2024-08-14T12:31:34.693000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#873334, date: 2004-02-12T00:00:00
db: VULHUB, id: VHN-8470, date: 2017-10-10T00:00:00
db: BID, id: 9582, date: 2009-07-12T02:06:00
db: JVNDB, id: JVNDB-2004-000033, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200403-005, date: 2006-01-03T00:00:00
db: NVD, id: CVE-2004-0040, date: 2017-10-10T01:30:16.580

SOURCES RELEASE DATE

db: CERT/CC, id: VU#873334, date: 2004-02-05T00:00:00
db: VULHUB, id: VHN-8470, date: 2004-03-03T00:00:00
db: BID, id: 9582, date: 2004-02-05T00:00:00
db: JVNDB, id: JVNDB-2004-000033, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200403-005, date: 2004-02-09T00:00:00
db: NVD, id: CVE-2004-0040, date: 2004-03-03T05:00:00