Stonesoft Corp. Security Advisory

Date: 14 Nov, 2005
Title: IKE Vulnerabilities in StoneGate Firewall
Refs: CERT-FI: 7710; 273756/NISCC/ISAKMP

Severity: High

The information contained in this advisory is provided on an as-is basis. Stonesoft does not make any warranties of any kind with respect to the information contained in this advisory. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL STONESOFT, CORP. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS ADVISORY.

If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.


1. Overview

CERT-FI and NISCC published a joint vulnerability advisory on 14 Nov 2005 about several vulnerabilities in various IKEv1 protocol implementations. The vulnerabilities were found with the PROTOS ISAKMP Test Suite for IKEv1 Phase 1, developed by Oulu University Security Programming Group (OUSPG). Stonesoft products are affected as stated below.

2. StoneGate Firewall

Stonesoft's StoneGate High Available Firewall and VPN engine uses the IKEv1 protocol to negotiate the Security Associations (SA) for the IPSec VPN tunnels. By default, the engines accept IKE negotiations from all IP addresses.

The latest StoneGate Firewall and VPN engine 2.6.1 is not vulnerable to the issues reported with the PROTOS ISAKMP Test Suite for IKEv1 Phase 1.

StoneGate Firewall and VPN engine versions 2.6.0 and earlier use a vulnerable version of the IKEv1 implementation. Crafted IKE packets may cause the vulnerable IKE daemon to malfunction, thus causing a denial-of-service condition for the VPN tunnels or the firewall functionality. Stonesoft is not aware of any attacks that could have a more serious effect than that, but considers this a possibility.

Recommended Actions:

All StoneGate Firewall and VPN users should upgrade their StoneGate Firewall and VPN engines to version 2.6.1 or later.

StoneGate Firewall and VPN customers not using StoneGate Appliances or Intel compatible StoneGate platforms can contact Stonesoft Technical Support for further information.

3. StoneGate VPN Client

StoneGate VPN Client uses the IKEv1 protocol to negotiate IPSec VPN tunnels with StoneGate Firewall engines. The VPN Client does not accept incoming IKE packets from any sources other than the IP addresses that belong to the VPN Security Gateways configured for the VPN Client.

The latest StoneGate VPN Client 2.6.1, released on 14th November 2005, is not vulnerable to the issues reported with the PROTOS ISAKMP Test Suite for IKEv1 Phase 1.

StoneGate VPN Client versions 2.6.0 and earlier use a vulnerable IKEv1 implementation. Crafted IKE packets with a spoofed VPN Security Gateway source address may cause the vulnerable VPN Client to restart the VPN Client process, thus causing a denial-of-service condition for the active VPN tunnels. Stonesoft is not aware of any attacks that could have a more serious effect than that, but considers this a possibility.

Recommended Actions:

All StoneGate VPN Client users should upgrade their StoneGate VPN Client software to version 2.6.1 or later.

4. StoneGate Management Center

StoneGate Management Center does not interpret the IKE protocol and is thus not vulnerable.

5. StoneGate IPS

StoneGate IPS does not interpret the IKE protocol and is thus not vulnerable.

6. StoneBeat HA

StoneBeat HA does not interpret the IKE protocol and is thus not vulnerable.

7. StoneBeat Clustering Products

StoneBeat Clustering products do not interpret the IKE protocol and are thus not vulnerable.

8. Appendices

Stonesoft Security Analysis Group's PGP key is available at: http://www.stonesoft.com/files/support/2005/Stonesoft-Security-Alert.asc

To report or inquire about a security problem with Stonesoft software, contact one or more of the following:

Stonesoft Support
Stonesoft Security Analysis Group. Send email to:
security-alert@stonesoft.com

Copyright 2005 Stonesoft, Corp. All rights reserved.

Stonesoft, StoneGate and StoneBeat are trademarks or registered trademarks of Stonesoft, Corp. in Finland and other countries. All other company and product names contained herein are property of their respective holders. This advisory may be reproduced and distributed only in its unaltered form and only for non-commercial purposes.