IRM 011: Sygate Security Agent (Sygate Secure Enterprise) Fail Open DoS
IRM Security Advisory No. 011
Sygate Security Agent (Sygate Secure Enterprise) Denial of Service
Problem Discovered: January 24th 2005
Vendor contacted: March 8th 2005
Advisory published: April 11th 2005
Abstract
--------
Sygate Secure Enterprise includes a Security Agent (SSA) that runs on a
client system as one of its components alongside policy management and
enforcement servers inside a network.
The Sygate Agent incorporates a 'stateful' firewall, where it applies a
rule-based security policy and controls application usage. The agent
also has an intrusion prevention engine which can detect port scanning
and different types of known attacks. Additionally, it can verify the
security status of a client, including the status of executables,
anti-virus and firewall software.
During a recent security assessment of a laptop build, IRM identified a
security issue associated with SSA. A non-privileged user is able to
export the security policy file and make a simple modification. The file
can then be imported back, which results in the agent 'failing open' on
next restart.
Description
-----------
The SSA security policy file is an XML file which can be exported by a
non-privileged user and then imported back. It is therefore possible to
change certain settings in the policy file, including trusted IP
addresses or DNS names for instance. Additionally, it is possible to
modify the name of the default policy location to a non-existent one.
When SSA is closed gracefully during system shutdown, the imported
policy is saved and also copied to the backup, resulting in both
policies having a non-existent 'DefaultLocation'. When SSA starts up
again, the policy is loaded and, upon switching to the DefaultLocation,
it throws an exception and fails.
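As an added illustration (not Sygate's code, and not the real SSA policy schema), the following Python sketch shows the fail-closed behaviour the description calls for: a policy is validated at import time before it can reach the backup copy, and a policy whose DefaultLocation does not resolve yields a deny-all rule set at load time instead of leaving the host unprotected. The element names and the two sample policies are constructed assumptions.

```python
# Added example (not Sygate's code or policy format): validate a policy's
# DefaultLocation before import, and fail closed rather than open on load.
import xml.etree.ElementTree as ET

# Constructed sample policies; element names are assumptions for illustration.
GOOD_POLICY = """<Policy>
  <DefaultLocation>Office</DefaultLocation>
  <Location name="Office"><Rule action="allow" port="443"/></Location>
  <Location name="Home"><Rule action="allow" port="80"/></Location>
</Policy>"""

# Same policy with DefaultLocation renamed to a location that is never defined,
# which is the kind of edit the advisory describes.
BAD_POLICY = GOOD_POLICY.replace("<DefaultLocation>Office", "<DefaultLocation>Nowhere")

DENY_ALL = [("deny", "*")]  # fail-closed fallback rule set

class PolicyError(ValueError):
    """Raised when a policy is well-formed XML but semantically invalid."""

def parse_policy(xml_text):
    """Return the (action, port) rules of the default location, or raise."""
    root = ET.fromstring(xml_text)
    default = root.findtext("DefaultLocation")
    locations = {loc.get("name"): loc for loc in root.findall("Location")}
    if default is None or default not in locations:
        raise PolicyError(f"DefaultLocation {default!r} is not defined")
    return [(r.get("action"), r.get("port"))
            for r in locations[default].findall("Rule")]

def validate_import(xml_text):
    """Import-time gate: reject a bad file before it is saved or backed up."""
    try:
        parse_policy(xml_text)
        return True
    except (PolicyError, ET.ParseError):
        return False

def load_policy(xml_text):
    """Start-up loader: any error yields DENY_ALL and a False 'loaded' flag,
    so a broken policy leaves the agent enforcing instead of failing open."""
    try:
        return parse_policy(xml_text), True
    except (PolicyError, ET.ParseError):
        # A real agent would log and alert here; enforcement continues.
        return DENY_ALL, False
```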
Affected Versions
-----------------
SSA running in 'Server Control' or 'Power User' Modes:
* SSA version 3.5
* SSA version 4.0
* SSA version 4.1
Unaffected Versions
-------------------
* SSA in client mode (any version)
* Sygate Personal Firewall (Standard and Pro versions)
Vendor & Patch Information
--------------------------
Sygate were contacted and immediately started investigating the issue.
When the vulnerability was confirmed, a new build was released. Users
are required to upgrade to the latest builds for each version:
* SSA3.5 build 2580
* SSA4.0 build 2715
* SSA4.1 build 2827
These are available from Sygate's website (http://www.sygate.com).
Workarounds
-----------
Enable password protection for SSA export/import function (this is not
the default setting for SSA running in 'Server Control' or 'Power User'
Modes).
Credits
-------
Research & Advisory: Mazin Faour.
Disclaimer
----------
All information in this advisory is provided on an 'as is' basis in the
hope that it will be useful. Information Risk Management Plc is not
responsible for any risks or occurrences caused by the application of
this information.