Symantec Dynamic VPN Services: ISAKMP Denial of Service

1081

06 March 2020

21 November 2005

CLOSED

MEDIUM

SUMMARY

 

The NISCC (National Infrastructure Security Co-ordination Centre) a UK-sponsored inter-departmental agency has identified nearly five-thousand potential ISAKMP vulnerabilities. Test for these vulnerabilities were created by the NISCC and distributed to an unspecified number of vendors including Symantec.

While proactively testing our products against these vulnerabilities, Symantec uncovered a buffer overflow in two out of the five-thousand tests that can lead to a denial of service of the dynamic VPN services.

Severity
Medium

Remote Access

Yes

Local Access

No

Authentication Required

No

Exploit publicly available

No

 

AFFECTED PRODUCTS

 

Product

Model/Platform

Version

Solution

Symantec Enterprise Firewall

Windows

8.0

SEF8.0-20051114-00

Solaris

8.0

SEF8.0-20051114-00

Symantec Gateway Security

5000 Series

3.0

SGS3.0-2005114-02

5400

2.0.1

SGS2.0.1-20051114-00

5310

1.0

SG7004-20051114-00

5200/5300

1.0

SG7004-20051114-00

5100

 

SG7004-20051114-00

Symantec Firewall /VPN Appliance

200/200R

All

Build 1.8F

100

All

Build 1.8F

Symantec Gateway Security

400

2.0

Build 1103

300

2.0

Build 1103

 

ADDITIONAL PRODUCT INFORMATION

 

Not Affected Product(s)

Product

Model

Version

Symantec Clientless VPN Gateway

4400

5.0

 

ISSUES

 

Details
Dynamic IPsec VPN tunnels require the use of ISAKMP (Internet Security Association and Key Management Protocol), a standard protocol that provides the framework for establishing, negotiating, modifying, and deleting security associations. The ISAKMP service listens on UDP port 500 on all the affected security gateways. Under certain conditions a malformed ISAKMP packet can potentially cause the ISAKMP service to crash therefore affecting the ability and stability of dynamic VPN tunnels.

MITIGATION

 

Symantec Response
Symantec engineers created patches to correct this issue. The patches listed above are available via the Symantec Enterprise Support site:

http://www.symantec.com/techsupp/enterprise/select_product_updates.html

Symantec is not aware of any active attempts against or customers impacted by this issue. M

As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec strongly recommends any affected customers update their product immediately to protect against these types of threats.