The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Stonesoft StoneGate Firewall

vulnerability note CVE-2012-0207

Linux kernel: denial of service via IGMP

Synthesis of the vulnerability

An attacker can send several IGMP packets, in order to stop the Linux kernel.
Impacted products: Linux, openSUSE, RHEL, StoneGate Firewall, StoneGate SSL VPN, ESX.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: intranet client.
Creation date: 10/01/2012.
Identifiers: 77853, BID-51343, CERTA-2012-AVI-479, CVE-2012-0207, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, openSUSE-SU-2012:0799-1, openSUSE-SU-2012:1439-1, RHSA-2012:0107-01, RHSA-2012:0168-01, RHSA-2012:0333-01, RHSA-2012:0350-01, RHSA-2012:0422-01, VIGILANCE-VUL-11264, VMSA-2012-0003.1, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1.

Description of the vulnerability

The IGMP (Internet Group Management Protocol) protocol is used to define multicast groups. There are three versions:
 - IGMP v1: RFC 1112
 - IGMP v2: RFC 2236
 - IGMP v3: RFC 3376

Routers (Queriers) periodically send Membership Query packets to learn the list of groups present on the network. Clients have a maximum time within which to reply:
 - IGMP v1: 10 seconds
 - IGMP v2: indicated in the MaxRespTime field of the query
 - IGMP v3: the same field, but with a different encoding

The Linux kernel records the version of the Queriers present on the network. So, if an IGMP v3 query is received while IGMP v2 routers are known to be present, the kernel changes its behavior.

The igmp_heard_query() function of the Linux kernel processes received queries and starts a timer in order to reply later (unless another client replies first). The timer duration depends on the IGMP version. When an IGMP v3 query is received while IGMP v2 routers are present, the kernel uses the MaxRespTime field as the timer range. However, if this field is zero, a division (modulo) by zero occurs.
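As an added example (not code from the Vigil@nce bulletin or from the Linux kernel), the following Python parser decodes an IGMP Membership Query, classifies its version the way RFC 3376 section 7.1 does (length 8 with a zero code is v1, length 8 with a non-zero code is v2, length 12 or more is v3), verifies the RFC 1071 checksum, and flags the case the bulletin describes: a v3 query whose Max Resp Code decodes to zero. The packets produced by build_query() are constructed test inputs, not captured traffic.

```python
"""Parse IGMP Membership Query packets and flag a zero maximum response
time on an IGMPv3 query (the condition behind CVE-2012-0207)."""
import struct
from dataclasses import dataclass

IGMP_MEMBERSHIP_QUERY = 0x11


@dataclass
class IgmpQuery:
    version: int
    max_resp_tenths: int  # maximum response time in tenths of a second
    group: str


def igmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the whole IGMP message.
    Computed over a message whose checksum field is zero it yields the
    field value; computed over a correct message it yields zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_v3_max_resp(code: int) -> int:
    """RFC 3376 section 4.1.1: codes below 128 are tenths of a second;
    otherwise exp = bits 4-6, mant = bits 0-3 and the value is
    (mant | 0x10) << (exp + 3)."""
    if code < 128:
        return code
    exp = (code >> 4) & 0x07
    mant = code & 0x0F
    return (mant | 0x10) << (exp + 3)


def parse_igmp_query(payload: bytes) -> IgmpQuery:
    """Decode a Membership Query; raises ValueError on malformed input."""
    if len(payload) < 8:
        raise ValueError("IGMP header too short")
    if igmp_checksum(payload) != 0:
        raise ValueError("bad IGMP checksum")
    igmp_type, code, _checksum, group_raw = struct.unpack("!BBH4s", payload[:8])
    if igmp_type != IGMP_MEMBERSHIP_QUERY:
        raise ValueError(f"not a Membership Query: type 0x{igmp_type:02x}")
    group = ".".join(str(b) for b in group_raw)
    # Version determination follows RFC 3376 section 7.1.
    if len(payload) >= 12:
        return IgmpQuery(3, decode_v3_max_resp(code), group)
    if code == 0:
        return IgmpQuery(1, 100, group)  # IGMPv1: fixed 10 seconds
    return IgmpQuery(2, code, group)


def is_zero_max_resp_v3(payload: bytes) -> bool:
    """True for the input the bulletin describes: a v3 query whose
    maximum response time decodes to zero."""
    q = parse_igmp_query(payload)
    return q.version == 3 and q.max_resp_tenths == 0


def build_query(version: int, max_resp_code: int, group: str = "0.0.0.0") -> bytes:
    """Constructed sample packets for testing the parser (not real traffic)."""
    group_raw = bytes(int(x) for x in group.split("."))
    body = struct.pack("!BBH4s", IGMP_MEMBERSHIP_QUERY, max_resp_code, 0, group_raw)
    if version == 3:
        # Resv/S/QRV byte (QRV = 2), QQIC = 125 s, zero sources
        body += struct.pack("!BBH", 0x02, 125, 0)
    csum = igmp_checksum(body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


if __name__ == "__main__":
    for ver, code in ((1, 0), (2, 100), (3, 0), (3, 0xFF)):
        q = parse_igmp_query(build_query(ver, code))
        print(q, "ZERO-MAX-RESP" if is_zero_max_resp_v3(build_query(ver, code)) else "")
```

A monitoring hook can drop or log a v3 query that is_zero_max_resp_v3() reports rather than handing it to a kernel that has not been patched; the checksum check comes first so that a truncated or corrupted message is not misclassified as a version-1 query.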

An attacker can therefore send several IGMP packets, in order to stop the Linux kernel.

vulnerability CVE-2010-3864

OpenSSL: code execution via TLS Extensions

Synthesis of the vulnerability

An attacker can use a TLS extension, in order to corrupt the memory of multi-threaded applications using OpenSSL and its internal caching feature.
Impacted products: ProxySG by Blue Coat, SGOS by Blue Coat, Debian, Fedora, FreeBSD, HP Operations, Performance Center, HP-UX, AIX, Tivoli Workload Scheduler, Mandriva Linux, NetBSD, OpenBSD, OpenSolaris, OpenSSL, openSUSE, RHEL, Slackware, StoneGate Firewall, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 17/11/2010.
Identifiers: 1643316, 649304, BID-44884, c02737002, c03179825, CERTA-2002-AVI-272, CERTA-2010-AVI-555, CERTA-2011-AVI-242, CERTA-2011-AVI-294, CERTA-2012-AVI-056, CVE-2010-3864, DSA-2125-1, FEDORA-2010-17826, FEDORA-2010-17827, FEDORA-2010-17847, FreeBSD-SA-10:10.openssl, HPSBGN02740, HPSBUX02638, MDVSA-2010:238, NetBSD-SA2010-012, openSUSE-SU-2010:0965-1, openSUSE-SU-2010:0965-2, RHSA-2010:0888-01, SA68, SSA:2010-326-01, SSRT100339, SSRT100741, SUSE-SR:2010:022, VIGILANCE-VUL-10130, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

Since its version 0.9.8f, OpenSSL supports the TLS SNI (Server Name Indication) extension. It is enabled if OpenSSL is compiled with the "enable-tlsext" option (enabled by default since version 0.9.8k).

The SSL session caching feature saves sessions so that they can be reused later. An application enables it with the SSL_CTX_set_session_cache_mode() function; Apache httpd, for example, does not enable it.

When a multi-threaded application uses OpenSSL, the code in the ssl/t1_lib.c file does not lock access to the cached TLS SNI data. An attacker can therefore open two simultaneous sessions so that the same data is cached twice concurrently, which corrupts memory.

An attacker can therefore use a TLS extension, in order to corrupt the memory of multi-threaded applications using OpenSSL and its internal caching feature.

computer vulnerability CVE-2009-2631

Cisco, Juniper, Microsoft, Nortel, Stonesoft: vulnerability of SSL VPN

Synthesis of the vulnerability

A design weakness in some Clientless SSL VPN products can be used by an attacker in order to obtain information from other web sites visited by the victim.
Impacted products: Avaya Ethernet Routing Switch, ASA, IVE OS, Juniper SA, ISA, Nortel ESM, Nortel VPN Router, StoneGate Firewall.
Severity: 3/4.
Consequences: client access/rights, data reading, data creation/edition.
Provenance: internet server.
Creation date: 09/12/2009.
Identifiers: 025367-01, 19500, 2009009920, 984744, BID-37152, CVE-2009-2631, KB15799, PSN-2009-11-580, VIGILANCE-VUL-9265, VU#261869.

Description of the vulnerability

Some SSL VPN products set up an SSL proxy to which users connect with their web browser. URLs of visited web sites are then rewritten as:
  https://proxy-ssl/origin-site/page.html
So they appear to be hosted on the https://proxy-ssl/ server.

Web browsers are designed to isolate JavaScript scripts by the domain they come from (the same-origin policy). However, when an SSL proxy places different web sites under the same domain, this protection is bypassed, and a malicious JavaScript script can thus access other web sites.

Some products rewrite the source code of web pages on the fly in order to replace JavaScript calls. However, an attacker can obfuscate his code so that this rewriting does not apply.
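As an added example (not code from any of the vendors named in this note), the following Python snippet makes the origin-collapse concrete: it applies the path-based rewriting the bulletin describes to two unrelated sites and checks whether the browser would still see them as distinct origins. The host-based layout in rewrite_host_based(), where each proxied site gets its own sub-domain under the portal, is an assumption used for contrast, not something the page attributes to any product; proxy-ssl and the two site names are constructed values.

```python
"""Compare how URL-rewriting layouts in a clientless SSL VPN interact with
the browser's same-origin policy (added example)."""
from urllib.parse import urlsplit, urlunsplit

PROXY_HOST = "proxy-ssl"  # hypothetical portal host, as written on the page
DEFAULT_PORT = {"https": 443, "http": 80}


def origin(url: str) -> tuple:
    """Browser origin tuple: (scheme, lower-cased host, effective port)."""
    p = urlsplit(url)
    port = p.port or DEFAULT_PORT[p.scheme]
    return (p.scheme, p.hostname.lower(), port)


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


def rewrite_path_based(url: str) -> str:
    """The layout described in the bulletin: https://proxy-ssl/origin-site/page."""
    p = urlsplit(url)
    return urlunsplit(("https", PROXY_HOST, f"/{p.hostname}{p.path or '/'}", p.query, ""))


def rewrite_host_based(url: str) -> str:
    """Contrasting layout (assumption, not from the page): every proxied site
    gets its own sub-domain under the portal, so origins stay distinct."""
    p = urlsplit(url)
    return urlunsplit(("https", f"{p.hostname}.{PROXY_HOST}", p.path or "/", p.query, ""))


def origins_collapsed(rewriter, urls) -> bool:
    """True if two URLs with different original origins are mapped by the
    rewriter into one browser origin, i.e. scripts from one site could
    reach the other's rewritten pages."""
    first_seen = {}
    for u in urls:
        rewritten = origin(rewriter(u))
        if rewritten in first_seen and origin(first_seen[rewritten]) != origin(u):
            return True
        first_seen.setdefault(rewritten, u)
    return False


# Constructed sample: two unrelated sites a user might visit through the portal.
SAMPLE_URLS = ["https://bank.example/account", "https://other.example/page.html"]

if __name__ == "__main__":
    for name, rw in (("path-based", rewrite_path_based), ("host-based", rewrite_host_based)):
        print(name, [rw(u) for u in SAMPLE_URLS], "collapsed:", origins_collapsed(rw, SAMPLE_URLS))
```

Keeping origins distinct only restores the browser's script isolation; cookies scoped to the portal's parent domain and the portal's own session still need separate review, which is why limiting which sites the proxy rewrites matters as much as the URL layout.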

A design weakness in some Clientless SSL VPN products can therefore be used by an attacker in order to obtain information from other web sites visited by the victim.

computer vulnerability note CVE-2008-4609

TCP: denial of service Sockstress

Synthesis of the vulnerability

An attacker can use a small TCP Window, in order to overload a TCP server.
Impacted products: ProxyAV, ProxyRA, ProxySG by Blue Coat, SGOS by Blue Coat, VPN-1, ASA, Cisco Catalyst, IOS by Cisco, Cisco Router, BIG-IP Hardware, TMOS, Linux, Windows 2000, Windows 2003, Windows 2008 R0, Windows (platform) ~ not comprehensive, Windows Vista, Windows XP, NLD, OES, OpenSolaris, openSUSE, Solaris, Trusted Solaris, TCP protocol, StoneGate Firewall, StoneGate IPS, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 01/10/2008.
Revisions dates: 20/10/2008, 09/09/2009.
Identifiers: 109444, 110132, 267088, 6759500, 967723, BID-31545, c01923093, CERTA-2009-ALE-017-003, cisco-sa-20090908-tcp24, cisco-sr-20081017-tcp, cpujul2012, CVE-2008-4609, FICORA #193744, HPSBMI02473, MS09-048, SA34, SA35, SA36, SA37, SA38, SA40, SA41, sk42723, sk42725, SOL10509, SOL7301, SOL9293, SSRT080138, SUSE-SA:2009:047, VIGILANCE-VUL-8139, VU#723308.

Description of the vulnerability

The "window" field of a TCP packet indicates the size of the accepted window (and thus the range) for sequence numbers of incoming packets.

According to the TCP protocol, when the system cannot receive more packets (for example if its buffers are full), it lowers the value of the "window" field. The remote host then has to send data slowly.

An attacker can therefore connect to a listening TCP service, and artificially extend the session duration, in order to overload the remote host.

The attacker can also use "reverse SYN cookies" and the TCP Timestamp option so as not to have to keep any state on his own computer.

An attacker can therefore use only a few resources on his computer and force the target to consume a lot of resources. The impact of this temporary denial of service depends on the target system, and is similar to an attacker opening several real TCP sessions (except that his computer only uses a few resources). The attacker cannot spoof his IP address to exploit this attack.

There are several attack variants, related to the window size or to a temporary increase of window size. The VIGILANCE-VUL-8844 vulnerability can be seen as a variant.

When the attacker stops sending packets, the denial of service stops. However, some additional implementation errors (such as the Microsoft CVE-2009-1926 vulnerability of VIGILANCE-VUL-9008, or the Cisco Nexus 5000 vulnerabilities described in the solution for Cisco) cause a permanent denial of service.
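As an added example (not part of the bulletin or of any vendor's tooling), the following Python snippet shows the detection side of what the note describes: because the attacker cannot spoof his address, a Sockstress-style hold shows up as one source keeping many established connections in a zero-window state while the server still has data queued for them. The connection records and addresses are constructed test data, not a real connection table.

```python
"""Detect sources holding many small-window TCP connections with queued
data, the signature of a Sockstress-style hold (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One row of a connection table (constructed; a real table would be
    filled from the host's socket statistics)."""
    src_ip: str
    src_port: int
    dst_port: int
    state: str
    peer_window: int   # window advertised by the remote side, in bytes
    unacked_bytes: int  # locally queued data the peer has not drained yet


def stalled_sources(conns, threshold=10, window_max=0):
    """Return {src_ip: count} for sources with at least `threshold`
    ESTABLISHED connections whose advertised window is <= window_max while
    data is still waiting to be sent. A single slow client is normal; many
    such connections from one address is not."""
    counts = defaultdict(int)
    for c in conns:
        if (c.state == "ESTABLISHED"
                and c.peer_window <= window_max
                and c.unacked_bytes > 0):
            counts[c.src_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def constructed_connection_table():
    """Constructed sample: one address holding 12 connections with a zero
    window and queued data, three healthy clients, one legitimately slow
    client, and a closed connection that must not be counted."""
    table = [Conn("198.51.100.7", 40000 + i, 80, "ESTABLISHED", 0, 1460)
             for i in range(12)]
    table += [Conn("203.0.113.5", 51000 + i, 80, "ESTABLISHED", 65535, 0)
              for i in range(3)]
    table.append(Conn("203.0.113.9", 52010, 443, "ESTABLISHED", 0, 512))
    table.append(Conn("198.51.100.7", 40099, 80, "TIME_WAIT", 0, 0))
    return table


if __name__ == "__main__":
    print(stalled_sources(constructed_connection_table()))
```

The per-source count is what makes the result actionable: since the bulletin states that the attack cannot be carried out from spoofed addresses, a per-source connection cap (rather than a global one) limits how much server state one attacker can pin, and the threshold can be tuned against the number of zero-window connections legitimate clients actually produce.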

vulnerability alert CVE-2008-0166

Debian: predictable openssl randoms

Synthesis of the vulnerability

Keys generated by the openssl package of Debian 4.0 are predictable.
Impacted products: ProxySG by Blue Coat, Debian, StoneGate Firewall, StoneGate IPS.
Severity: 4/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: internet client.
Creation date: 13/05/2008.
Identifiers: BID-29179, CERTA-2008-AVI-239, CERTA-2008-AVI-246, CVE-2008-0166, DSA-1571-1, DSA-1576-1, DSA-1576-2, VIGILANCE-VUL-7821, VU#925211.

Description of the vulnerability

The openssl package of Debian is a modified version of OpenSSL.

However, these changes generate predictable keys.

Keys generated for the following applications are potentially impacted:
 - X.509 certificates (apache, etc.)
 - DNSSEC
 - OpenVPN
 - SSH

Keys generated for the following applications are not impacted:
 - GnuPG
 - GNUTLS

An attacker can therefore predict keys generated by the openssl package of Debian, in order for example to spoof the identity of a client or a server.

vulnerability announce 6592

StoneGate FW: denial of service via SNMP

Synthesis of the vulnerability

A network attacker can send malicious SNMP queries in order to stop the firewall.
Impacted products: StoneGate Firewall.
Severity: 3/4.
Consequences: denial of service on server.
Provenance: intranet client.
Creation date: 27/02/2007.
Identifiers: VIGILANCE-VUL-6592.

Description of the vulnerability

The SNMP daemon is disabled by default on StoneGate Firewall/VPN.

When it is enabled, a network attacker can send malicious SNMP queries in order to stop the system.