
IRM Security Advisory 11

Posted Apr 18, 2005
Authored by IRM Research, IRM Advisories | Site irmplc.com

IRM Security Advisory 011 - Sygate Security Agent (Sygate Secure Enterprise) Denial of Service - A flaw in the policy management component allows malicious users to configure the firewall to use a nonexistent policy, thereby causing a Denial of Service condition.

tags | advisory, denial of service
SHA-256 | 72d952c4b7b042946ac30effd501092f3529e35e766c45c48cb4373b4981cc38

IRM Security Advisory No. 011

Sygate Security Agent (Sygate Secure Enterprise) Denial of Service

Problem Discovered: January 24th 2005
Vendor contacted: March 8th 2005
Advisory published: April 11th 2005


Abstract
--------
Sygate Secure Enterprise includes a Security Agent (SSA) that runs on a
client system as one of its components alongside policy management and
enforcement servers inside a network.

The Sygate Agent incorporates a 'stateful' firewall, where it applies a
rule-based security policy and controls application usage. The agent
also has an intrusion prevention engine which can detect port scanning
and different types of known attacks. Additionally, it can verify the
security status of a client, including the status of executables,
anti-virus, firewall, etc.

During a recent security assessment of a laptop build, IRM identified a
security issue associated with SSA. A non-privileged user is able to
export the security policy file and make a simple modification. The file
can then be imported back, which results in the agent 'failing open' on
next restart.

Description
-----------
The SSA security policy file is an XML file which can be exported by a
non-privileged user and then imported back. It is therefore possible to
change certain settings in the policy file, such as trusted IP
addresses or DNS names. Additionally, it is possible to change the name
of the default policy location to one that does not exist.
When SSA is closed gracefully during system shutdown, the imported
policy is saved and also copied to the backup, resulting in both
policies having a nonexistent 'DefaultLocation'. When SSA starts up
again, the policy is loaded and upon switching to the DefaultLocation it
throws an exception and fails.
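
One way to guard against the dangling 'DefaultLocation' described above,
as an added example that is not code from the advisory or from Sygate:
validate the reference at import time, keep the active policy when
validation fails, and block all traffic at start-up if neither the
primary nor the backup policy validates. The XML element and attribute
names, the sample policies and the function names are assumptions; the
advisory does not show the SSA policy schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies. Element and attribute names are hypothetical;
# the real SSA policy schema is not shown in the advisory.
GOOD_POLICY = """<Policy DefaultLocation="Office">
  <Location Name="Office"><TrustedHost>10.0.0.5</TrustedHost></Location>
  <Location Name="Remote"/>
</Policy>"""
BAD_POLICY = GOOD_POLICY.replace('DefaultLocation="Office"',
                                 'DefaultLocation="Nowhere"')

class PolicyError(ValueError):
    """Raised when a policy must not be accepted."""

def validate_policy(xml_text):
    """Return the default location name, or raise PolicyError."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise PolicyError(f"malformed policy: {exc}") from exc
    default = root.get("DefaultLocation")
    names = [loc.get("Name") for loc in root.iter("Location")]
    if not default:
        raise PolicyError("no DefaultLocation set")
    if default not in names:
        raise PolicyError(f"DefaultLocation {default!r} is not defined")
    return default

def import_policy(candidate, active):
    """Accept the candidate only if it validates.

    Returns (policy_in_force, accepted). A rejected candidate never replaces
    the active policy, so it cannot be copied to the backup on shutdown.
    """
    try:
        validate_policy(candidate)
    except PolicyError:
        return active, False
    return candidate, True

def load_at_startup(primary, backup):
    """Pick the first usable policy, or fail closed with block-all."""
    for text in (primary, backup):
        try:
            validate_policy(text)
            return "enforce", text
        except PolicyError:
            continue
    return "block-all", None
```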

Affected Versions
-----------------
SSA running in 'Server Control' or 'Power User' Modes:

* SSA version 3.5
* SSA version 4.0
* SSA version 4.1

Unaffected Versions
-------------------

* SSA in client mode (any version)
* Sygate Personal Firewall (Standard and Pro versions)

Vendor & Patch Information
--------------------------
Sygate were contacted and immediately started investigating the issue.
When the vulnerability was confirmed, a new build was released. Users
are required to upgrade to the latest builds for each version:

* SSA3.5 build 2580
* SSA4.0 build 2715
* SSA4.1 build 2827

These are available from Sygate's website (http://www.sygate.com).

Workarounds
-----------
Enable password protection for SSA export/import function (this is not
the default setting for SSA running in 'Server Control' or 'Power User'
Modes).

Credits
-------
Research & Advisory: Mazin Faour.

Disclaimer
----------
All information in this advisory is provided on an 'as is' basis in the
hope that it will be useful. Information Risk Management Plc is not
responsible for any risks or occurrences caused by the application of
this information.