Stonesoft Corporation Security Advisory
Date: 17 Sep, 2009
Title: StoneGate Engines Vulnerable to Sockstress Denial-of-Service Tool
Refs: CVE-2008-4609
Severity: Medium
1. Overview
CERT-FI published an advisory on vulnerabilities in the TCP protocol on 8th
September 2009. The vulnerabilities were found by the Sockstress tool developed by Outpost24. The
tool causes a denial-of-service condition in vulnerable TCP stacks.
Stonesoft StoneGate engines are affected as stated below.
2. StoneGate Firewall and VPN
All StoneGate Firewall and VPN engines up to version
4.2.10 and versions 4.3.0 through 5.0.2 are vulnerable. A successful attack causes a
denial-of-service condition in the blacklist service. This does not affect the traffic that goes
through the Firewall engine.
Recommended Actions:
StoneGate Firewall and VPN users who are running vulnerable engines should upgrade to
engine version 4.2.11 or 5.0.3 as soon as they become available. Stonesoft estimates that this
will happen in early October 2009.
While waiting for the upgrade, StoneGate Firewall and VPN engine users are advised to
limit the IP addresses that are authorized to connect to the Firewall engine services. This is also
a good permanent mitigation against the risk of attacks on the Firewall engine.
3. StoneGate IPS Sensor and Analyzer
All StoneGate IPS engines up to versions 4.2.3,
4.3.6 and 5.0.1 are vulnerable. A successful attack causes a denial-of-service condition in the
blacklist service. This does not affect the traffic that goes through the IPS engine.
Recommended Actions:
StoneGate IPS users who are running vulnerable engines should upgrade to engine
version 4.2.4, 4.3.7 or 5.0.2 as soon as they become available. Stonesoft estimates that this
will happen in early October 2009.
While waiting for the upgrade, StoneGate IPS engine users are advised to limit the IP
addresses that are authorized to connect to the IPS engine control interface. This can be done by
keeping the IPS control interface in an isolated management network or by limiting the connections
with a Firewall engine. This is also a good permanent mitigation against the risk of attacks on
the IPS engine.
4. StoneGate SSL VPN
StoneGate SSL VPN engines up to version 1.3.1 are vulnerable. A
successful attack causes a denial-of-service condition in the Web Console management connections.
This does not affect the traffic that goes through the SSL VPN engine.
Recommended Actions:
StoneGate SSL VPN users who are running vulnerable engines should upgrade to engine
version 1.4.0 as soon as it becomes available. Stonesoft estimates that this will happen during
Q4/2009.
While waiting for the upgrade, StoneGate SSL VPN engine users are advised to limit the IP
addresses that are authorized to connect to the SSL VPN control interface. This can be done by
keeping the SSL VPN control interface in an isolated management network or by limiting the
connections with a Firewall engine. This is also a good permanent mitigation against the risk of
attacks on the SSL VPN engine.
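The affected-version statements in sections 2 to 4 can be applied to an engine inventory with a short script. The following is an added example, not Stonesoft code. It assumes that "up to X" means every release at or below X on that branch, that each affected range maps to the fixed release on the same branch, and that the inventory format, product keys and host names are made up for illustration.

```python
# Added example: triage an engine inventory against this advisory's version ranges.
# Assumption: "up to X" covers every release <= X; each range maps to the fix on its branch.

def parse(version):
    """'5.0.2' -> (5, 0, 2); raises ValueError on anything but major.minor.patch."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    return parts

# product key (hypothetical) -> list of (lowest affected, highest affected, fixed release)
AFFECTED = {
    "firewall": [((0, 0, 0), (4, 2, 10), "4.2.11"),
                 ((4, 3, 0), (5, 0, 2), "5.0.3")],
    "ips":      [((0, 0, 0), (4, 2, 3), "4.2.4"),
                 ((4, 3, 0), (4, 3, 6), "4.3.7"),
                 ((5, 0, 0), (5, 0, 1), "5.0.2")],
    "sslvpn":   [((0, 0, 0), (1, 3, 1), "1.4.0")],
}

def fixed_release(product, version):
    """Return the release to upgrade to, or None if the version is not in an affected range."""
    v = parse(version)
    for low, high, fix in AFFECTED[product.lower()]:
        if low <= v <= high:
            return fix
    return None

def triage(inventory):
    """inventory: iterable of (name, product, version). Returns only rows needing action."""
    findings = []
    for name, product, version in inventory:
        try:
            fix = fixed_release(product, version)
        except (KeyError, ValueError) as exc:
            # Unknown product or malformed version: flag for manual review, do not guess.
            findings.append((name, "REVIEW", f"cannot evaluate: {exc}"))
            continue
        if fix:
            findings.append((name, "VULNERABLE", f"{version} -> upgrade to {fix}"))
    return findings

# Constructed inventory (host names and versions are made up for the example).
SAMPLE = [("fw-edge-1", "firewall", "4.2.10"), ("fw-edge-2", "firewall", "4.2.11"),
          ("fw-core-1", "firewall", "5.0.2"), ("ips-dmz-1", "ips", "4.3.6"),
          ("ips-dmz-2", "ips", "5.0.2"), ("vpn-gw-1", "sslvpn", "1.3.1"),
          ("lab-box", "firewall", "5.0")]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

Entries that cannot be parsed are reported as REVIEW rather than silently treated as unaffected.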
5. Appendices
Stonesoft Security Analysis Group's PGP key is available at:
http://www.stonesoft.com/system/galleries/download/other_files/Stonesoft-Security-Alert.asc
To report or to inquire about a security problem with Stonesoft software, please contact one
or more of the following:
Stonesoft Support
Stonesoft Security Analysis Group: security-alert(AT)stonesoft.com
The information contained in this advisory is provided on an as-is basis. Stonesoft does not
make any warranties of any kind with respect to the information contained in this advisory. ALL
EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE HEREBY DISCLAIMED AND EXCLUDED TO
THE EXTENT ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL STONESOFT CORPORATION BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR
DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED ARISING OUT
OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS ADVISORY.
If any of the above provisions are held to be in violation of applicable law, void, or
unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this
disclaimer to be otherwise enforceable in such jurisdiction.
Copyright 2009 Stonesoft Corporation. All rights reserved.
Stonesoft, StoneGate and StoneBeat are trademarks or registered trademarks of Stonesoft
Corporation in Finland and other countries. All other company and product names contained herein
are property of their respective holders. This advisory may be reproduced and distributed only in
its unaltered form and only for non-commercial purposes.