The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Stonesoft StoneGate SSL VPN

computer vulnerability announcement 13217

Stonesoft SSL VPN: redirection

Synthesis of the vulnerability

An attacker can use the Stonesoft SSL VPN web site to deceive a victim and redirect them to a malicious web site.
Impacted products: StoneGate SSL VPN.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: document.
Creation date: 06/08/2013.
Identifiers: VIGILANCE-VUL-13217.

Description of the vulnerability

The Stonesoft SSL VPN product offers a web site. URLs of this site start with the server name, so users trust them.

This web site has a redirection feature. However, it accepts redirections to any external site. A victim can thus click a link that starts with the trusted server name and be redirected to a malicious site (an open redirect).

An attacker can therefore use the Stonesoft SSL VPN web site to deceive a victim and redirect them to a malicious web site.

vulnerability note CVE-2012-0207

Linux kernel: denial of service via IGMP

Synthesis of the vulnerability

An attacker can send several crafted IGMP packets in order to crash the Linux kernel.
Impacted products: Linux, openSUSE, RHEL, StoneGate Firewall, StoneGate SSL VPN, ESX.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: intranet client.
Creation date: 10/01/2012.
Identifiers: 77853, BID-51343, CERTA-2012-AVI-479, CVE-2012-0207, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, openSUSE-SU-2012:0799-1, openSUSE-SU-2012:1439-1, RHSA-2012:0107-01, RHSA-2012:0168-01, RHSA-2012:0333-01, RHSA-2012:0350-01, RHSA-2012:0422-01, VIGILANCE-VUL-11264, VMSA-2012-0003.1, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1.

Description of the vulnerability

IGMP (Internet Group Management Protocol) is used to manage multicast group membership. There are three versions:
 - IGMP v1: RFC 1112
 - IGMP v2: RFC 2236
 - IGMP v3: RFC 3376

Routers (the Querier) periodically send Membership Query packets to learn which groups have members on the network. Clients must reply within a maximum time:
 - IGMP v1: 10 seconds
 - IGMP v2: given by the MaxRespTime field of the query
 - IGMP v3: the same field, but with a different (exponent/mantissa) encoding

The Linux kernel remembers the IGMP version of the Queriers seen on the network. So, when an IGMP v3 query is received while IGMP v2 routers are present, the kernel handles it differently (v2 compatibility mode).

The igmp_heard_query() function of the Linux kernel processes received queries and starts a timer in order to reply later (unless another client replies first). The timer duration depends on the IGMP version. When an IGMP v3 query is received while IGMP v2 routers are present, the kernel uses the raw MaxRespTime field as the maximum delay. However, if this field is zero, the random timer computation performs a division (modulo) by zero.

An attacker on the local network can therefore send several crafted IGMP packets in order to crash the Linux kernel.
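To make the failure mode concrete, here is an added example written for this page (a simplified model, not the Linux kernel's own code) of the delay selection the bulletin describes: an 8-byte query is v1 or v2, a longer query is v3, and a v3 query received while v2 queriers are present takes the v2-compatibility path. The HZ value, the function names and the `hardened` flag are assumptions of this model; the Max Resp Code decoding follows RFC 3376.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

#define HZ 100                 /* jiffies per second: assumed value for this model */
#define IGMP_TIMER_SCALE 10    /* MaxRespTime is expressed in 1/10 s units */
#define IGMP_QUERY_RESPONSE_INTERVAL (10 * HZ)  /* IGMP v1 default: 10 seconds */

/* IGMP v3 Max Resp Code decoding (RFC 3376, section 4.1.1): values below 128
 * are literal tenths of a second, larger values use an exponent/mantissa form. */
unsigned igmpv3_mrc(uint8_t code)
{
    if (code < 128)
        return code;
    return ((code & 0x0f) | 0x10) << (((code >> 4) & 0x07) + 3);
}

/* Model of the delay selection: an 8-byte query is v1 (code 0) or v2; a longer
 * query is v3. A v3 query seen while v2 queriers are present is handled on the
 * v2-compatibility path, where the raw code is used directly. 'hardened' enables
 * the zero clamp that the fix adds on that path. */
unsigned igmp_max_delay(size_t len, bool v2_seen, uint8_t code, bool hardened)
{
    unsigned max_delay;
    if (len == 8) {
        if (code == 0)                              /* IGMP v1 query */
            max_delay = IGMP_QUERY_RESPONSE_INTERVAL;
        else                                        /* IGMP v2 query */
            max_delay = code * (HZ / IGMP_TIMER_SCALE);
        if (!max_delay) max_delay = 1;
    } else if (v2_seen) {
        /* v3 query in v2-compatibility mode: the vulnerable path, code may be 0 */
        max_delay = code * (HZ / IGMP_TIMER_SCALE);
        if (hardened && !max_delay) max_delay = 1;  /* can't mod w/ 0 */
    } else {                                        /* IGMP v3 query */
        max_delay = igmpv3_mrc(code) * (HZ / IGMP_TIMER_SCALE);
        if (!max_delay) max_delay = 1;
    }
    return max_delay;
}

/* The reply timer starts at a random offset within max_delay jiffies. Instead
 * of reproducing the fault, return -1 where the kernel computed random % 0. */
int igmp_pick_timer(unsigned random_value, unsigned max_delay)
{
    if (max_delay == 0)
        return -1;
    return (int)(random_value % max_delay);
}
```

With `hardened` false, a v3 query carrying code 0 in v2-compatibility mode yields a zero delay, which is exactly the divisor the timer computation then uses; the clamp to 1 jiffy removes the fault.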

computer vulnerability note 11059

StoneGate SSL VPN: authentication via a third party certificate

Synthesis of the vulnerability

An attacker who holds a certificate, but not its associated private key, can authenticate to StoneGate SSL VPN.
Impacted products: StoneGate SSL VPN.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 12/10/2011.
Identifiers: VIGILANCE-VUL-11059.

Description of the vulnerability

The StoneGate SSL VPN product provides remote access to users. It supports several client authentication methods, including authentication with X.509 certificates.

Each user has a private key and a public key; the public key is signed by a certification authority, which produces a certificate. The StoneGate SSL VPN product is then configured to accept only certificates signed by this certification authority.

When an SSL tunnel is established and the client has a certificate, two messages are added to the SSL handshake:
 - the client sends the Certificate message, containing its X.509 certificate
 - the client sends the CertificateVerify message, which is a signature of the previous handshake messages made with its private key
The server then validates CertificateVerify with the public key of the certificate, in order to ensure that the client actually holds the private key.

However, StoneGate SSL VPN does not verify this message.

An attacker who holds a certificate signed by the trusted certification authority, but not its associated private key, can therefore authenticate to StoneGate SSL VPN.