var-200412-0107
Vulnerability from variot
Buffer overflow in the Entrust LibKmp ISAKMP library, as used by Symantec Enterprise Firewall 7.0 through 8.0, Gateway Security 5300 1.0, Gateway Security 5400 2.0, and VelociRaptor 1.5, allows remote attackers to execute arbitrary code via a crafted ISAKMP payload. The Entrust LibKMP ISAKMP library is reported to be affected by a remote buffer overflow vulnerability. Malicious ISAKMP packets may trigger a buffer overrun in the affected library, resulting in the corruption of process memory. Although unconfirmed, it is conjectured that this vulnerability may be related to the vulnerability described in BID 10273, as Checkpoint VPN-1 may use the affected library.

The Entrust LibKmp ISAKMP library is used by multiple VPN vendors to exchange IKE keys for IPSEC-based VPN products. libKmp handles all incoming ISAKMP packets; the library is also used to authenticate and check the processing of incoming requests. The Entrust LibKmp ISAKMP library does not correctly verify incoming ISAKMP packets when implementing the IKE key exchange protocol. Entrust's LibKmp library is provided by the vendor to third parties to handle the exchange of IKE keys, and is used in several enterprise firewall VPN products. The library performs full checks on the handling and sizes of ISAKMP payloads, but the proposal payload embedded in the main SA payload is not properly validated. The code that handles these payloads has a flaw that can lead to memory corruption, a heap overflow. An attacker exploiting this vulnerability sends malicious ISAKMP packets that can crash the VPN component; carefully constructed data may execute arbitrary instructions on the system with the privileges of the process.

Product: Symantec Gateway Security 2.0 - Model 5400 Series
Copyright © 2004 Symantec Corporation, August 2004
Hotfix: SG8000-20040715-00 - Entrust updates
This document contains the following information about the Symantec Gateway Security 2.0 - Model 5400 Series:
- Prerequisites
- Included modules
- Fix description
- Installation instructions
- Uninstallation instructions
Prerequisites:
- HB8000-20031023-00 - December 2003 patch
- SG8000-20040405-00 - April 2004 patch
Included modules:
- isakmpd
- libEntrust.so
- libkmp.so
Fix description:
Corrects problem with Denial of Service attack reported against isakmpd in CAN-2004-0369.
Installation instructions:
The April 2004 patch must be installed prior to installing this hotfix.
To install the patch
- Download the entrust-sgs20.tgz file to a location that is accessible from the Security Gateway Management Interface (SGMI).
- In the SGMI, on the Action menu, click HotFix.
- In the left pane of the Hotfix Management window, click Install hotfix.
- In the right pane of the Hotfix Management window, click Browse.
- In the Choose file dialog box, browse to and select the entrust-sgs20.tgz file, and then click Open.
- In the right pane of the Hotfix Management window, click Install.
- Wait until a message appears in the right pane of the Hotfix Management window. (Note: there is no visible indication of activity.)
- If the message includes a "Restart" link, click the link and wait until the "Security gateway is restarting" message appears.
- Close the Hotfix Management window.
Uninstallation instructions:
To uninstall the patch
- In the SGMI, on the Action menu, click HotFix.
- In the left pane of the Hotfix Management window, click Uninstall hotfix.
- In the right pane of the Hotfix Management window, click the radio button next to hotfix ID SG8000-20040715-00.
- In the right pane of the Hotfix Management window, click Uninstall.
- Wait until a message appears in the right pane of the Hotfix Management window. (Note: there is no visible indication of activity.)
- If the message includes a "Restart" link, click the link and wait until the "Security gateway is restarting" message appears.
- Close the Hotfix Management window.
VelociRaptor (SRMC) install and uninstall steps, as excerpted:
- Connect to Symantec Gateway Security (SGS) using the SRMC.
- Connect to the VelociRaptor using the SRMC.
- Right-click the VelociRaptor icon.
- Browse to the location of the *.tgz file.
- Select Open to load the patch.
- Answer "No" when asked if you want to reboot the system.
- Connect to the VelociRaptor using the SRMC.
- Right-click the VelociRaptor.
- Select All Tasks > SRL Client.
- Log into the system.
- Type: cd /usr/vr/hotfixes/SG7004-20040715-00 and press Enter.
- Type: ./Uninstall and press Enter.
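The defect class described at the top of this record is a proposal length nested inside the SA payload that is never bounded by the enclosing payload. As an added illustration (not LibKmp's code, and not Symantec's), the following C walks an SA payload using the RFC 2408 layout and rejects any proposal or transform whose claimed length does not fit inside its parent before anything is parsed or copied; the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Return codes of sa_payload_check(). */
enum { SA_OK = 0, SA_ERR_TRUNCATED = -1, SA_ERR_BAD_LEN = -2, SA_ERR_NESTED = -3 };
#define SA_HDR    12  /* generic header(4) + DOI(4) + situation(4) */
#define PROP_HDR   8  /* generic header(4) + proposal#, protocol-id, SPI size, #transforms */
#define TRANS_HDR  8  /* generic header(4) + transform#, transform-id, reserved(2) */

static size_t rd16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Walk the transforms nested in one proposal p of plen bytes (plen already holds the header and SPI). */
static int transforms_check(const uint8_t *p, size_t plen)
{
    size_t off = (size_t)PROP_HDR + p[6];     /* skip proposal header and SPI */
    for (unsigned i = 0; i < p[7]; i++) {     /* p[7] = number of transforms */
        if (plen - off < TRANS_HDR) return SA_ERR_NESTED;
        size_t tlen = rd16(p + off + 2);
        if (tlen < TRANS_HDR || tlen > plen - off) return SA_ERR_NESTED;
        off += tlen;
    }
    return off == plen ? SA_OK : SA_ERR_NESTED;
}

/* Validate an ISAKMP SA payload at buf with avail bytes left in the packet. Each nested
 * proposal length is bounded by the SA length and each transform length by its proposal. */
int sa_payload_check(const uint8_t *buf, size_t avail)
{
    if (avail < SA_HDR) return SA_ERR_TRUNCATED;
    size_t sa_len = rd16(buf + 2);
    if (sa_len < SA_HDR || sa_len > avail) return SA_ERR_BAD_LEN;
    for (size_t off = SA_HDR; off < sa_len; ) {
        if (sa_len - off < PROP_HDR) return SA_ERR_NESTED;
        const uint8_t *p = buf + off;
        size_t plen = rd16(p + 2);
        if (plen < (size_t)PROP_HDR + p[6] || plen > sa_len - off) return SA_ERR_NESTED;
        int rc = transforms_check(p, plen);
        if (rc != SA_OK) return rc;
        off += plen;                          /* plen >= 8, so the loop terminates */
    }
    return SA_OK;
}

/* Constructed sample: one SA payload (28 bytes) holding one proposal (16 bytes)
 * that holds one transform (8 bytes). Values follow RFC 2407/2408 encodings. */
const uint8_t sample_sa[] = {
    0x00, 0x00, 0x00, 0x1c,   /* SA: next payload NONE, length 28 */
    0x00, 0x00, 0x00, 0x01,   /* DOI = IPSEC */
    0x00, 0x00, 0x00, 0x01,   /* situation = SIT_IDENTITY_ONLY */
    0x00, 0x00, 0x00, 0x10,   /* proposal: next NONE, length 16 */
    0x01, 0x01, 0x00, 0x01,   /* proposal 1, PROTO_ISAKMP, SPI size 0, 1 transform */
    0x00, 0x00, 0x00, 0x08,   /* transform: next NONE, length 8 */
    0x01, 0x01, 0x00, 0x00    /* transform 1, KEY_IKE, reserved */
};

/* Re-run the check on a copy of sample_sa whose two bytes at offset idx are
 * overwritten with val (big-endian), to show how a bad nested length is rejected. */
int check_with_length(size_t idx, uint16_t val)
{
    uint8_t copy[sizeof sample_sa];
    memcpy(copy, sample_sa, sizeof copy);
    copy[idx] = (uint8_t)(val >> 8);
    copy[idx + 1] = (uint8_t)val;
    return sa_payload_check(copy, sizeof copy);
}
```

The same bounding applies to every payload chained after the SA; the point is that a nested length field is only trusted after it has been checked against the length of the payload that contains it.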