IRM 011: Sygate,Security Agent (Sygate Secure Enterprise) Fail Open DoS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: IRM 011: Sygate,Security Agent (Sygate Secure Enterprise) Fail Open DoS
From: IRM Advisories <advisories@xxxxxxxxxx>
Date: Tue, 12 Apr 2005 09:54:43 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)

IRM Security Advisory No. 011

Sygate Security Agent (Sygate Secure Enterprise) Denial of Service

Problem Discovered: January 24th 2005
Vendor contacted: March 8th 2005
Advisory published: April 11th 2005


Abstract
--------

Sygate Secure Enterprise includes a Security Agent (SSA) that runs on aclient system as one of its components alongside policy management andenforcement servers inside a network.

The Sygate Agent incorporates a 'stateful' firewall, where it applies arule-based security policy and controls application usage. The agentalso has an intrusion prevention engine which can detect port scanningand different types of known attacks. Additionally, it can verify thesecurity status of a client including the status of executables,Anti-Virus, firewall, et al.

During a recent security assessment of a laptop build, IRM identified asecurity issue associated with SSA. A non-privileged user is able toexport the security policy file and make a simple modification. The filecan then be imported back, which results in the agent 'failing open' onnext restart.


Description
-----------

The SSA security policy file is an XML file which could be exported by anon-privileged user and then imported back. It is therefore possible tochange certain settings in the policy file including trusted IPaddresses, or DNS names for instance. Additionally, it is possible tomodify the name of the default policy location to a non-existing one.When SSA is closed gracefully during system shutdown, the importedpolicy is saved and also copied to the backup, resulting in bothpolicies having an inexistent 'DefaultLocation'. When SSA starts upagain, the policy is loaded and upon switching to the DefaultLocation itthrows an exception and fails.


Affected Versions
-----------------
SSA running in 'Server Control' or 'Power User' Modes:

    * SSA version 3.5
    * SSA version 4.0
    * SSA version 4.1

Unaffected Versions
-------------------

    * SSA in client mode (any version)
    * Sygate Personal Firewall (Standard and Pro versions)

Vendor & Patch Information
--------------------------

Sygate were contacted and immediately started investigating the issue.When the vulnerability was confirmed, a new build was released. Usersare required to upgrade to the latest builds for each version:


    * SSA3.5 build 2580
    * SSA4.0 build 2715
    * SSA4.1 build 2827

These are available from Sygate's website (http://www.sygate.com).

Workarounds
-----------

Enable password protection for SSA export/import function (this is notthe default setting for SSA running in 'Server Control' or 'Power User'Modes).


Credits
-------
Research & Advisory: Mazin Faour.

Disclaimer
----------

All information in this advisory is provided on an 'as is' basis in thehope that it will be useful. Information Risk Management Plc is notresponsible for any risks or occurrences caused by the application ofthis information.

Prev by Date: Centra 7 XSS Exploit
Next by Date: eGroupWare Leaks Files
Previous by thread: Centra 7 XSS Exploit
Next by thread: eGroupWare Leaks Files
Index(es):
- Date
- Thread