
Stonesoft Corp. Security Advisory

Date: 29 Sep, 2006

Title: OpenSSL vulnerabilities in Stonesoft products
Refs: CERT: VU#547300, CVE-2006-3738

Severity: High

The information contained in this advisory is provided on an as-is basis. Stonesoft does not make any warranties of any kind with respect to the information contained in this advisory. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL STONESOFT, CORP. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS ADVISORY.

If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.

1. Overview

CERT/CC published a vulnerability note on 28 Sep 2006 about a buffer overflow vulnerability in OpenSSL. By exploiting the vulnerability an attacker may potentially be able to execute arbitrary code on the vulnerable target host.

Stonesoft products are affected as stated below.

2. StoneGate Firewall and VPN

A vulnerable version of OpenSSL is included in the StoneGate High Availability Firewall and VPN engine. The following services in the StoneGate firewall engine are SSL protected and therefore are potentially vulnerable to attacks:

  ldaps               User data replication from SG management
  SG-vpnclient-cfg    VPN Client configuration download
  SG-remote-upgrade   Engine software remote upgrade
  SG-mgmt             Policy installation
  SG-monitor          Monitoring
  SG-blacklist        Blacklisting

Except for the VPN Client configuration download service and blacklisting service, where everyone has access by default, the default firewall configuration allows only the management server to connect to these services.

The latest StoneGate Firewall and VPN engine 3.0.2 is not vulnerable to this issue. Similarly, StoneGate Firewall and VPN engine 2.6.6 is not vulnerable to this issue.

StoneGate Firewall and VPN engine versions 3.0.1 and earlier, and 2.6.5 and earlier use a vulnerable version of OpenSSL. Crafted SSL/TLS connections to the vulnerable OpenSSL daemon may potentially allow the attacker to run arbitrary code on the StoneGate engine. Stonesoft considers the exploit challenging to construct, but it may be possible.

Recommended Actions:

All StoneGate Firewall and VPN users should upgrade their StoneGate Firewall and VPN engines to version 3.0.2 or later. Alternatively the users can upgrade their StoneGate Firewall and VPN engines to version 2.6.6, estimated to be available on 5 October 2006.

StoneGate Firewall and VPN customers not using StoneGate appliances or Intel compatible StoneGate platforms can contact Stonesoft Technical Support for further information.

Customers who do not use the VPN client can mitigate their risk in the interim by disabling the Default template rule for the SG-vpnclient-cfg service. Similarly, customers can limit the IP addresses that are authorized to contact the SG-blacklist service.

3. StoneGate IPS Sensor and Analyzer

A vulnerable version of OpenSSL is included in the StoneGate IPS Sensor and Analyzer engine. The following services in the StoneGate IPS engine are SSL protected and therefore are potentially vulnerable to attacks:

  SG-mgmt-sensor      Monitoring and policy installation
  SG-mgmt-analyzer    Monitoring and policy installation
  SG-remote-upgrade   Engine software remote upgrade
  SG-ips-event        IPS events from Sensor to Analyzer

The latest StoneGate IPS Sensor and Analyzer engine 2.0.2 is not vulnerable to this issue.

StoneGate IPS Sensor and Analyzer engine versions 2.0.1 and earlier use a vulnerable version of OpenSSL. Crafted SSL/TLS connections to the vulnerable OpenSSL daemon may potentially allow the attacker to run arbitrary code on the StoneGate engine. Stonesoft considers the exploit challenging to construct, but it may be possible.

Recommended Actions:

All StoneGate IPS users should upgrade their StoneGate IPS Sensor and Analyzer engines to version 2.0.2 or later.
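The version rules in sections 2 and 3 can be applied to an engine inventory as in the following added example, which is not Stonesoft code. The inventory layout, host names and priority labels are constructed for illustration, and treating 2.6.x releases after 2.6.6 as fixed is an assumption.

```python
import re

def parse(version):
    """'3.0.1' -> (3, 0, 1); rejects anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised version: {version!r}")
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (3 - len(parts))  # pad '3.0' to (3, 0, 0)

def fw_affected(version):
    """Firewall/VPN engine: fixed in 3.0.2 and, on the 2.6 branch, in 2.6.6."""
    v = parse(version)
    if v >= (3, 0, 2):
        return False
    # Assumption: 2.6.x releases after 2.6.6 keep the fix.
    if v[:2] == (2, 6) and v >= (2, 6, 6):
        return False
    return True  # 3.0.1 and earlier, 2.6.5 and earlier

def ips_affected(version):
    """IPS Sensor/Analyzer engine: 2.0.1 and earlier are vulnerable."""
    return parse(version) < (2, 0, 2)

# Services the advisory says are reachable by everyone in the default policy.
OPEN_BY_DEFAULT = {"SG-vpnclient-cfg", "SG-blacklist"}

def triage(inventory):
    """Return (host, product, version, priority, exposed) per affected engine."""
    findings = []
    for host, product, version, services in inventory:
        check = fw_affected if product == "firewall" else ips_affected
        if not check(version):
            continue
        exposed = sorted(OPEN_BY_DEFAULT & set(services))
        priority = "upgrade first" if exposed else "upgrade"
        findings.append((host, product, version, priority, exposed))
    return findings

# Constructed inventory: (host, product, engine version, services still allowed).
SAMPLE = [
    ("fw-edge-1", "firewall", "3.0.1", ["SG-mgmt", "SG-vpnclient-cfg"]),
    ("fw-core-1", "firewall", "2.6.6", ["SG-mgmt"]),
    ("fw-lab-1", "firewall", "2.6.5", ["SG-mgmt"]),
    ("ips-dmz-1", "ips", "2.0.1", []),
    ("ips-dmz-2", "ips", "2.0.2", []),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Engines flagged "upgrade first" are the ones where the interim mitigations from section 2 (disabling the SG-vpnclient-cfg default rule, restricting SG-blacklist sources) matter most until the upgrade is done.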

4. StoneGate Management Center

The StoneGate Management Center uses OpenSSL only for certificate management and thus is not exploitable through this vulnerability.

5. StoneGate VPN Client

The StoneGate VPN Client uses OpenSSL to download the VPN Client configurations from the StoneGate Firewall and VPN engine.

StoneGate VPN Client 2.6.2 and earlier contain a vulnerable version of OpenSSL. However, there are no listening services in the StoneGate VPN Client that use OpenSSL. Therefore no direct attacks against the VPN Client are possible through this vulnerability.

Stonesoft plans to release a new version of the VPN Client during October 2006 where the vulnerability is completely fixed.

6. StoneBeat HA

StoneBeat HA does not use TLS/SSL and is not vulnerable.

7. StoneBeat Clustering Products

StoneBeat Clustering products use OpenSSL to protect their control connections and also in their Web configuration utility.

StoneBeat FullCluster version 3.0SP4 and earlier contain a vulnerable version of OpenSSL.

Stonesoft plans to release a new version of StoneBeat FullCluster during October 2006 where the vulnerability is fixed.

Recommended Actions:

StoneBeat Clustering product users are encouraged to configure their firewalls and access control devices to limit the IP addresses that can open SSL connections to the StoneBeat control and Web configuration utility ports.

StoneBeat FullCluster users should upgrade their software as soon as a fixed version is available.

Users of other StoneBeat Clustering products can contact Stonesoft Technical Support for further information.

8. Appendices

Stonesoft Security Analysis Group's PGP key is available at: http://www.stonesoft.com/export/download/other_files/Stonesoft-Security-Alert.asc

To report or inquire about a security problem with Stonesoft software, contact one or more of the following:

  Stonesoft Support
  Stonesoft Security Analysis Group: security-alert@stonesoft.com

Copyright 2006 Stonesoft, Corp. All rights reserved.

Stonesoft, StoneGate and StoneBeat are trademarks or registered trademarks of Stonesoft, Corp. in Finland and other countries. All other company and product names contained herein are property of their respective holders. This advisory may be reproduced and distributed only in its unaltered form and only for non-commercial purposes.