Symantec Corp. has warned of a serious flaw in its VPN and firewall server products that could allow an attacker to take over affected systems and gain access to corporate networks. The software maker is urging customers to download patches for the flaw, which may affect similar products from other companies.
Links to specific product hotfixes are available via Symantec's Enterprise Support site or via last week's advisory from Internet Security Systems (ISS), which discovered the flaw.
Affected Symantec products include Symantec Enterprise Firewall 8.0 on Windows and Solaris, Symantec Enterprise Firewall 7.0.x on Windows and Solaris, Symantec VelociRaptor 1.5, Symantec Gateway Security 1.0 -- 5300 Series and Symantec Gateway Security 2.0 -- 5400 Series. In addition, researchers said any VPN or firewall product using Entrust Inc.'s LibKmp component is vulnerable.
The vulnerability lies in LibKmp, which Entrust provides to third parties for use in VPN products. The LibKmp ISAKMP library handles most processing for inbound ISAKMP packets during IKE key exchange in IPSEC-based VPN products, according to ISS. ISAKMP (Internet Security Association and Key Management Protocol) is a standard protocol for creating dynamic VPN tunnels. A buffer overflow flaw in the way the library handles some inbound requests could allow an attacker to disrupt service or execute malicious code by sending a specially-crafted ISAKMP packet, researchers said.
"The sanity checking performed on proposal payloads embedded within the main SA payloads is less exhaustive (than for ISAKMP payloads)," ISS said in its advisory. "The code involved in processing these payloads contains a flaw that can lead to memory corruption, process heap overflow, and potential remote arbitrary code execution."
While the ISAKMP daemon runs on affected Symantec products by default, the company said that gateways are only affected if they have dynamic VPN tunnels running. Gateways that only run static tunnels or that have no dynamic VPN tunnels defined, or which aren't being used as VPN servers, aren't vulnerable. Companies running such servers don't need to apply the hotfix right away, but should do so during normal maintenance cycles, Symantec said.
Researchers said that other VPN products using Entrust's LibKmp library may also be affected, but such vulnerabilities have not been confirmed by researchers or vendors. Danish security firm Secunia, in its own advisory, first classified the bug as only moderately serious, but later upgraded it to "highly critical".
Last month ISS warned of a vulnerability in a wide range of Check Point Software Technologies Ltd.'s VPN products, including versions of VPN-1, FireWall-1, Provider-1 and SSL Network Extender. Check Point's enterprise security products are among the most widely used on the Internet. Similar Check Point VPN holes also appeared in February and May.