Stonesoft Corp. Security Advisory

Date: Mar 19, 2004
Title: OpenSSL Denial-of-Service Vulnerabilities
Refs: NISCC Vulnerability Advisory 224012
CVE: CAN-2004-0079, CAN-2004-0112, CAN-2004-0081

The information contained in this advisory is provided on an as-is basis. Stonesoft does not make any warranties of any kind with respect to the information contained in this advisory. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL STONESOFT, CORP. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS ADVISORY.

If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.


1. Overview

NISCC published a vulnerability advisory on 17 March 2004 about three Denial-of-Service (DoS) vulnerabilities in OpenSSL. None of Stonesoft's products are vulnerable to CAN-2004-0112 or CAN-2004-0081. However, Stonesoft products can be vulnerable to CAN-2004-0079 as stated in this advisory.

2. StoneGate

A vulnerable version of OpenSSL is included in the StoneGate engine. The following services in the StoneGate engine are SSL protected and are therefore potentially vulnerable to Denial of Service attacks:

  ldaps              User data replication from SG management
  SG-vpnclient-cfg   VPN Client configuration download
  SG-remote-upgrade  Engine software remote upgrade
  SG-mgmt            Policy installation
  SG-monitor         Monitoring

Except for the VPN Client configuration download service, where everyone has access by default, the default firewall configuration allows only the management server to connect to these services.

Based on tests at Stonesoft, the default firewall configuration protects the firewall against the denial of service attacks of CAN-2004-0079. The tests did not reveal any vulnerability in the VPN Client configuration download service.

However, where the firewall configuration allows connections to the other services mentioned above, a certain level of vulnerability was detected. User data replication, monitoring, and policy installation were unusable during the attack. The user replication service recovered after the attack was finished.

All StoneGate engines up to and including version 2.2.4 contain the vulnerable software. A new StoneGate engine version 2.2.5 for the Intel platform is planned to be available in March. A new StoneGate engine version 2.2.5 for the IBM zSeries platform is planned to be available in early April. A new StoneGate engine version 2.0.12 for the SPARC platform is planned to be available in April. The new versions will be available for download from Stonesoft's web site at www.stonesoft.com. All customers with valid support and maintenance contracts will be notified.

Recommended Actions:

All StoneGate users are encouraged to upgrade their StoneGate engines to the appropriate new version as soon as it is available.

As a workaround and while waiting for the upgrade, Stonesoft recommends limiting access to the firewall engine services as much as possible. The default firewall configuration, as provided with the product, permits only the Management Server to connect to the services that were tested to be vulnerable.
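
The workaround above can be checked mechanically against a rule export. The following is an added example, not part of Stonesoft's advisory or product code; the rule dictionary format, the addresses, and the function names are hypothetical, and the export is assumed to contain only rules whose destination is the engine itself.

```python
import ipaddress

# Engine services the advisory lists as SSL protected.
SSL_SERVICES = {"ldaps", "SG-vpnclient-cfg", "SG-remote-upgrade",
                "SG-mgmt", "SG-monitor"}
# Open to everyone by default; Stonesoft's tests found no vulnerability in it.
OPEN_BY_DEFAULT = {"SG-vpnclient-cfg"}

def outside_mgmt(source, mgmt_nets):
    """True if the source covers any address that is not a Management Server."""
    net = ipaddress.ip_network("0.0.0.0/0" if source == "ANY" else source)
    return not any(net.version == m.version and net.subnet_of(m)
                   for m in mgmt_nets)

def audit_rules(rules, mgmt_servers):
    """Return (rule id, service, source) for every allow rule that opens an
    SSL-protected engine service to something other than the Management Server.
    Conservative: rule order and shadowing by earlier rules are not modelled."""
    mgmt_nets = [ipaddress.ip_network(m) for m in mgmt_servers]
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        services = SSL_SERVICES if "ANY" in rule["services"] else set(rule["services"])
        exposed = (services & SSL_SERVICES) - OPEN_BY_DEFAULT
        for source in rule["sources"]:
            if outside_mgmt(source, mgmt_nets):
                findings.extend((rule["id"], svc, source) for svc in sorted(exposed))
    return findings

# Constructed sample data (hypothetical export format, documentation addresses).
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "sources": ["192.0.2.10"],
     "services": ["SG-mgmt", "SG-monitor", "ldaps", "SG-remote-upgrade"]},
    {"id": 2, "action": "allow", "sources": ["ANY"], "services": ["SG-vpnclient-cfg"]},
    {"id": 3, "action": "allow", "sources": ["192.0.2.0/24"], "services": ["SG-monitor"]},
    {"id": 4, "action": "allow", "sources": ["ANY"], "services": ["ANY"]},
    {"id": 5, "action": "deny", "sources": ["ANY"], "services": ["ldaps"]},
]
MGMT = ["192.0.2.10/32"]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, MGMT):
        print("rule %s exposes %s to %s" % finding)
```

Rules 1 and 2 match the default configuration described above and produce no findings; rules 3 and 4 widen access beyond the Management Server and are reported.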

3. StoneBeat HA

StoneBeat HA does not use TLS/SSL and is thus not vulnerable.

4. StoneBeat Clustering Products

All StoneBeat clustering products use SSL for their control connections. Additionally, they can be remotely configured through an HTTPS (HTTP over SSL) interface, if that optional feature has been enabled. The vulnerable version of OpenSSL is included in StoneBeat clustering products.

Based on tests at Stonesoft, the control connections of StoneBeat resisted the attacks of CAN-2004-0079. However, the optional HTTPS configuration service crashed when under attack.

Stonesoft will provide a patch for StoneBeat clustering products in a timely manner. The new versions will be available for download from Stonesoft's web site at www.stonesoft.com. All customers with valid support and maintenance contracts will be notified.

Recommended Actions:

All StoneBeat users are encouraged to upgrade to the new version as soon as it is available.

Additionally, communication to configuration ports should be kept to a minimum in a firewall rule base or by using a secure control interface between the cluster nodes and management system. A secure interface means a network that is not accessible from any network that can be considered a possible source of malicious operations.

5. Appendices

Stonesoft Security Analysis Group's PGP key is available at: ftp://download.stonesoft.com/web/Support/Stonesoft%20Security%20Alert.asc

To report or inquire about a security problem with Stonesoft software, contact one or more of the following:

Stonesoft Support
Stonesoft Security Analysis Group. Send email to:
security-alert@stonesoft.com

Copyright 2003 Stonesoft, Corp. All rights reserved.

Stonesoft, StoneGate and StoneBeat are trademarks or registered trademarks of Stonesoft, Corp. in Finland and other countries. All other company and product names contained herein are property of their respective holders. This advisory may be reproduced and distributed only in its unaltered form and only for non-commercial purposes.