ID

VAR-200412-0107


CVE

CVE-2004-0369


TITLE

Entrust LibKMP ISAKMP Library Remote IPsec/ISAKMP Buffer Overflow Vulnerability

Trust: 0.9

sources: BID: 11039 // CNNVD: CNNVD-200412-576

DESCRIPTION

Buffer overflow in Entrust LibKmp ISAKMP library, as used by Symantec Enterprise Firewall 7.0 through 8.0, Gateway Security 5300 1.0, Gateway Security 5400 2.0, and VelociRaptor 1.5, allows remote attackers to execute arbitrary code via a crafted ISAKMP payload. The Entrust LibKMP ISAKMP library is reported to be affected by a remote buffer overflow vulnerability. Malicious ISAKMP packets may trigger a buffer overrun in the affected library, resulting in the corruption of process memory. Although unconfirmed, it is conjectured that this vulnerability may be related to the vulnerability described in BID 10273, as Checkpoint VPN-1 may use the affected library. The Entrust LibKmp ISAKMP library is used by multiple VPN vendors to exchange IKE keys for IPsec-based VPN products. LibKmp handles all incoming ISAKMP packets; the library is also used to authenticate incoming requests and to check their processing. The Entrust LibKmp ISAKMP library does not correctly verify incoming ISAKMP packets when implementing the IKE key exchange protocol. Entrust's LibKmp library is provided by the vendor to third parties to handle the exchange of IKE keys, and it is used in several enterprise firewall VPN products. LibKmp fully checks the top-level ISAKMP payloads and their sizes, but the proposal payload embedded in the main SA payload is not properly validated. The code that handles these payloads has a flaw that can lead to memory corruption, specifically a heap overflow. An attacker who sends malicious ISAKMP packets can cause the VPN component to crash, and carefully constructed data may execute arbitrary instructions on the system with the privileges of the process.
Product: Symantec Gateway Security 2.0 - Model 5400 Series
Copyright © 2004 Symantec Corporation
August, 2004
************************************************************************************
Hotfix: SG8000-20040715-00 - Entrust updates
************************************************************************************
This document contains the following information about the Symantec Gateway Security 2.0 - Model 5400 Series:
* Prerequisites
* Included modules
* Fix description
* Installation instructions
* Uninstallation instructions
************************************************************************************
Prerequisites:
HB8000-20031023-00 - December 2003 patch
SG8000-20040405-00 - April 2004 patch
************************************************************************************
Included modules:
isakmpd
libEntrust.so
libkmp.so
************************************************************************************
Fix description:
Corrects problem with Denial of Service attack reported against isakmpd in CAN-2004-0369.
************************************************************************************
Installation instructions:
The April 2004 patch must be installed prior to installing this hotfix.
To install the patch
1. Download the entrust-sgs20.tgz file to a location that is accessible from the Security Gateway Management Interface (SGMI).
2. In the SGMI, on the Action menu, click HotFix.
3. In the left pane of the Hotfix Management window, click Install hotfix.
4. In the right pane of the Hotfix Management window, click Browse.
5. In the Choose file dialog box, browse to and select the entrust-sgs20.tgz file, and then click Open.
6. In the right pane of the Hotfix Management window, click Install.
7. Wait until a message appears in the right pane of the Hotfix Management window. (Note: there is no visible indication of activity.)
8. If the message includes a "Restart" link, click the link and wait until the "Security gateway is restarting" message appears.
9. Close the Hotfix Management window.
************************************************************************************
Uninstallation instructions:
To uninstall the patch
1. In the SGMI, on the Action menu, click HotFix.
2. In the left pane of the Hotfix Management window, click Uninstall hotfix.
3. In the right pane of the Hotfix Management window, click the radio button next to hotfix ID SG8000-20040715-00.
4. In the right pane of the Hotfix Management window, click Uninstall.
5. Wait until a message appears in the right pane of the Hotfix Management window. (Note: there is no visible indication of activity.)
6. If the message includes a "Restart" link, click the link and wait until the "Security gateway is restarting" message appears.
7. Close the Hotfix Management window.
************************************************************************************
Connect to Symantec Gateway Security (SGS) using the SRMC.

Connect to the VelociRaptor using the SRMC.
Right-click the VelociRaptor icon.
Browse to the location of the *.tgz file.
Select Open to load the patch.
Answer "No" when asked if you want to reboot the system.

Connect to the VelociRaptor using the SRMC.
Right-click the VelociRaptor.
Select All Tasks > SRL Client.
Log into the system.
Type: cd /usr/vr/hotfixes/SG7004-20040715-00 and press Enter.
Type: ./Uninstall and press Enter

Trust: 2.25

sources: NVD: CVE-2004-0369 // JVNDB: JVNDB-2004-000340 // BID: 11039 // VULHUB: VHN-8799 // PACKETSTORM: 34156 // PACKETSTORM: 34155 // PACKETSTORM: 34154

AFFECTED PRODUCTS

vendor   | model                       | scope | version | Trust
---------|-----------------------------|-------|---------|------
symantec | enterprise firewall         | eq    | 7.0.4   | 2.4
symantec | enterprise firewall         | eq    | 8.0     | 2.4
symantec | velociraptor                | eq    | 1.5     | 1.9
symantec | enterprise firewall         | eq    | 7.0     | 1.8
symantec | gateway security 5300       | eq    | 1.0     | 1.6
symantec | gateway security 5400       | eq    | 2.0     | 1.6
entrust  | libkmp isakmp library       | eq    | *       | 1.0
symantec | gateway security            | eq    | 5440    | 0.3
symantec | gateway security            | eq    | 5300    | 0.3
symantec | gateway security            | eq    | 52001.0 | 0.3
symantec | gateway security            | eq    | 51101.0 | 0.3
symantec | gateway security 360r       | -     | -       | 0.3
symantec | enterprise firewall solaris | eq    | 7.0.4   | 0.3
symantec | enterprise firewall nt/2000 | eq    | 7.0.4   | 0.3
symantec | enterprise firewall solaris | eq    | 7.0     | 0.3
symantec | enterprise firewall nt/2000 | eq    | 7.0     | 0.3
entrust  | libkmp isakmp library       | -     | -       | 0.3

sources: BID: 11039 // JVNDB: JVNDB-2004-000340 // CNNVD: CNNVD-200412-576 // NVD: CVE-2004-0369

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2004-0369
value: HIGH

Trust: 1.0

NVD: CVE-2004-0369
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200412-576
value: HIGH

Trust: 0.6

VULHUB: VHN-8799
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2004-0369
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-8799
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-8799 // JVNDB: JVNDB-2004-000340 // CNNVD: CNNVD-200412-576 // NVD: CVE-2004-0369

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2004-0369

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200412-576

TYPE

Boundary Condition Error

Trust: 0.9

sources: BID: 11039 // CNNVD: CNNVD-200412-576

CONFIGURATIONS

sources: JVNDB: JVNDB-2004-000340

PATCH

title: SYM04-012
url: http://securityresponse.symantec.com/avcenter/security/Content/2004.08.26.html

Trust: 0.8

title: SYM04-012
url: http://www.symantec.com/region/jp/sarcj/security/content/2004.08.26.html

Trust: 0.8

sources: JVNDB: JVNDB-2004-000340

EXTERNAL IDS

db          | id                                              | Trust
------------|-------------------------------------------------|------
NVD         | CVE-2004-0369                                   | 3.1
BID         | 11039                                           | 2.8
AUSCERT     | ESB-2004.0538                                   | 1.7
SECUNIA     | 12371                                           | 0.8
JVNDB       | JVNDB-2004-000340                               | 0.8
CNNVD       | CNNVD-200412-576                                | 0.7
ISS         | 20040826 ENTRUST LIBKMP LIBRARY BUFFER OVERFLOW | 0.6
CIAC        | O-206                                           | 0.6
XF          | 15669                                           | 0.6
NSFOCUS     | 6852                                            | 0.6
PACKETSTORM | 34156                                           | 0.2
PACKETSTORM | 34155                                           | 0.2
PACKETSTORM | 34154                                           | 0.2
VULHUB      | VHN-8799                                        | 0.1

sources: VULHUB: VHN-8799 // BID: 11039 // JVNDB: JVNDB-2004-000340 // PACKETSTORM: 34156 // PACKETSTORM: 34155 // PACKETSTORM: 34154 // CNNVD: CNNVD-200412-576 // NVD: CVE-2004-0369

REFERENCES

url:http://xforce.iss.net/xforce/alerts/id/181

Trust: 2.8

url:http://www.securityfocus.com/bid/11039

Trust: 2.5

url:http://securityresponse.symantec.com/avcenter/security/content/2004.08.26.html

Trust: 2.0

url:http://www.auscert.org.au/render.html?it=4339

Trust: 1.7

url:http://www.ciac.org/ciac/bulletins/o-206.shtml

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/15669

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2004-0369

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2004-0369

Trust: 0.8

url:http://secunia.com/advisories/12371/

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/15669

Trust: 0.6

url:http://www.nsfocus.net/vulndb/6852

Trust: 0.6

url:https://www.entrust.com/trustedcare/troubleshooting/bulletins.htm

Trust: 0.3

url:http://enterprisesecurity.symantec.com/products/products.cfm?productid=342&eid=0

Trust: 0.3

url:ftp://ftp.symantec.com/public/updates/entrust-70w-readme.txt

Trust: 0.3

url:ftp://ftp.symantec.com/public/updates/entrust-70s-readme.txt

Trust: 0.3

url:ftp://ftp.symantec.com/public/updates/entrust-704s-readme.txt

Trust: 0.3

url:ftp://ftp.symantec.com/public/updates/entrust-704w-readme.txt

Trust: 0.3

url:http://enterprisesecurity.symantec.com/products/products.cfm?productid=47

Trust: 0.3

url:ftp://ftp.symantec.com/public/updates/entrust-sgs10-readme.txt

Trust: 0.3

url:ftp://ftp.symantec.com/public/updates/entrust-sgs20-readme.txt

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2004-0369

Trust: 0.3

sources: VULHUB: VHN-8799 // BID: 11039 // JVNDB: JVNDB-2004-000340 // PACKETSTORM: 34156 // PACKETSTORM: 34155 // PACKETSTORM: 34154 // CNNVD: CNNVD-200412-576 // NVD: CVE-2004-0369

CREDITS

Mark Dowd, Neel Mehta

Trust: 0.6

sources: CNNVD: CNNVD-200412-576

SOURCES

db          | id
------------|------------------
VULHUB      | VHN-8799
BID         | 11039
JVNDB       | JVNDB-2004-000340
PACKETSTORM | 34156
PACKETSTORM | 34155
PACKETSTORM | 34154
CNNVD       | CNNVD-200412-576
NVD         | CVE-2004-0369

LAST UPDATE DATE

2024-08-14T14:08:57.818000+00:00


SOURCES UPDATE DATE

db     | id                | date
-------|-------------------|------------------------
VULHUB | VHN-8799          | 2017-07-11T00:00:00
BID    | 11039             | 2009-07-12T06:17:00
JVNDB  | JVNDB-2004-000340 | 2007-04-01T00:00:00
CNNVD  | CNNVD-200412-576  | 2005-10-20T00:00:00
NVD    | CVE-2004-0369     | 2017-07-11T01:30:06.557

SOURCES RELEASE DATE

db          | id                | date
------------|-------------------|--------------------
VULHUB      | VHN-8799          | 2004-12-31T00:00:00
BID         | 11039             | 2004-08-25T00:00:00
JVNDB       | JVNDB-2004-000340 | 2007-04-01T00:00:00
PACKETSTORM | 34156             | 2004-08-26T20:10:18
PACKETSTORM | 34155             | 2004-08-26T20:09:14
PACKETSTORM | 34154             | 2004-08-26T20:07:58
CNNVD       | CNNVD-200412-576  | 2004-08-26T00:00:00
NVD         | CVE-2004-0369     | 2004-12-31T05:00:00