Stonesoft Corporation Security Advisory
Date: 12 Oct, 2011
Title: StoneGate SSL VPN Client Certificate authentication bypass
Refs: N/A
Severity: High
1. Overview
Stonesoft has discovered an authentication bypass vulnerability in its own
StoneGate SSL VPN Gateway product.
The StoneGate SSL VPN Gateway product is affected as follows.
2. StoneGate SSL VPN Gateway
If a StoneGate SSL VPN Gateway is configured for certificate-based user authentication,
a user can authenticate as a valid user by presenting a valid certificate issued by a
registered CA imported in the SSL VPN configuration, without knowing the private key.
The vulnerability is present only in Stonesoft StoneGate SSL VPN product versions 1.5.0 and
earlier. Versions 1.5.1 and newer are not vulnerable.
An attack against the vulnerability is only possible if certificate-based user authentication
is configured and the attacker has a valid user certificate available.
The vulnerability is caused by insufficient error checking after SSL/TLS negotiation using
client certificate authentication.
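The failure class named above, shown as an added Go example (not Stonesoft's code and not a reconstruction of the product's flaw): a certificate is public data, so only the signature check made during negotiation proves possession of the private key, and a gateway that drops that step's error accepts anyone who holds the certificate. The function names, the user "alice" and the reduction of TLS client authentication to a single ECDSA signature check are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// negotiate models client authentication: it fails unless sig proves possession of certKey's private key.
func negotiate(certKey *ecdsa.PublicKey, digest, sig []byte) error {
	if !ecdsa.VerifyASN1(certKey, digest, sig) {
		return errors.New("client signature does not match certificate key")
	}
	return nil
}

// loginUnchecked discards the negotiation error and trusts the certificate subject anyway.
func loginUnchecked(subject string, certKey *ecdsa.PublicKey, digest, sig []byte) (string, error) {
	_ = negotiate(certKey, digest, sig)
	return subject, nil
}

// loginChecked fails closed: no identity is returned unless negotiation succeeded.
func loginChecked(subject string, certKey *ecdsa.PublicKey, digest, sig []byte) (string, error) {
	if err := negotiate(certKey, digest, sig); err != nil {
		return "", err
	}
	return subject, nil
}

// sample returns constructed data: the certificate key, a transcript hash, the owner's signature, and one made with an unrelated key.
func sample() (*ecdsa.PublicKey, []byte, []byte, []byte) {
	user, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored: demo data only
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sum := sha256.Sum256([]byte("constructed handshake transcript"))
	good, _ := ecdsa.SignASN1(rand.Reader, user, sum[:])
	bad, _ := ecdsa.SignASN1(rand.Reader, other, sum[:])
	return &user.PublicKey, sum[:], good, bad
}

func main() {
	key, digest, good, bad := sample()
	fmt.Println(loginUnchecked("alice", key, digest, bad)) // accepted despite the failed check
	fmt.Println(loginChecked("alice", key, digest, bad))   // rejected with the negotiation error
	fmt.Println(loginChecked("alice", key, digest, good))  // accepted: signature matches the key
}
```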
Recommended Actions:
Disable certificate-based user authentication immediately.
Before enabling the certificate-based user authentication method again, upgrade to SSL VPN
version 1.5.1, which is not vulnerable.
Alternatively, combine another strong authentication method with certificate-based user
authentication.
3. Appendices
Stonesoft Security Analysis Group's PGP key is available at:
http://www.stonesoft.com/system/galleries/download/other_files/Stonesoft-Security-Alert.asc
To report or to inquire about a security problem with Stonesoft software, please contact one
or more of the following:
Stonesoft Support
Stonesoft Security Analysis Group: security-alert(AT)stonesoft.com
The information contained in this advisory is provided on an as-is basis. Stonesoft does not
make any warranties of any kind with respect to the information contained in this advisory. ALL
EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE HEREBY DISCLAIMED AND EXCLUDED TO
THE EXTENT ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL STONESOFT CORPORATION BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR
DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED ARISING OUT
OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS ADVISORY.
If any of the above provisions are held to be in violation of applicable law, void, or
unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this
disclaimer to be otherwise enforceable in such jurisdiction.
Copyright 2011 Stonesoft Corporation. All rights reserved.
Stonesoft, StoneGate and StoneBeat are trademarks or registered trademarks of Stonesoft
Corporation in Finland and other countries. All other company and product names contained herein
are property of their respective holders. This advisory may be reproduced and distributed only in
its unaltered form and only for non-commercial purposes.