Newly released vulnerability in the Check Point VPN-1 product that could lead to total system compromise. The vulnerability resides in the parsing of ASN.1 data in the ISAKMP key exchange; the overflow occurs during the initial key exchange.


ASN.1 Alert
28 Jul 2004

An ASN.1 issue has been discovered affecting Check Point VPN-1 products during negotiations of a VPN tunnel which may cause a buffer overrun, potentially compromising the gateway. In certain circumstances, this compromise could allow further network compromise.

Check Point Software customers who do not use Remote Access VPNs or gateway-to-gateway VPNs, or who have upgraded to current product versions (VPN-1/FireWall-1 R55 HFA-08, R54 HFA-412, and VPN-1 SecuRemote/SecureClient R56 HF1) are NOT affected by this issue.

A single packet attack is only possible if Aggressive Mode IKE is implemented. Check Point strongly discourages the use of Aggressive Mode IKE because it has inherent security limitations.

When using IKE without enabling Aggressive Mode, the single packet attack is not possible, as the attacker must initiate a real IKE negotiation in order to perform the attack. In that case the malformed IKE packet must be encrypted, which prevents signature-based detection of it.
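The distinction the advisory draws (an unencrypted Aggressive Mode first packet versus an encrypted packet inside an established Main Mode negotiation) comes down to fields in the plaintext ISAKMP header. The following is an added example, not Check Point code, showing how a gateway-side monitor could flag Aggressive Mode initiations and mark which packets remain inspectable by a signature; the header layout is from RFC 2408 and the sample packets are constructed.

```python
import struct

# ISAKMP header layout (RFC 2408, 28 bytes):
#   initiator cookie (8) | responder cookie (8) | next payload (1) |
#   version (1) | exchange type (1) | flags (1) | message ID (4) | length (4)
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

# Exchange types relevant to this advisory (RFC 2408 section 3.1).
EXCHANGE_TYPES = {2: "identity_protection (main mode)", 4: "aggressive"}
FLAG_ENCRYPTION = 0x01  # E bit: payloads after the header are encrypted


def classify_isakmp(datagram: bytes) -> dict:
    """Parse one ISAKMP header and report what a monitor can know
    about the packet without decrypting anything."""
    if len(datagram) < ISAKMP_HEADER.size:
        raise ValueError("datagram shorter than ISAKMP header")
    (_icookie, rcookie, _next_payload, _version, exch_type,
     flags, _msg_id, length) = ISAKMP_HEADER.unpack_from(datagram)
    encrypted = bool(flags & FLAG_ENCRYPTION)
    return {
        "exchange": EXCHANGE_TYPES.get(exch_type, f"other({exch_type})"),
        "aggressive_mode": exch_type == 4,
        # Responder cookie is all zeros on the first packet of a negotiation.
        "new_negotiation": rcookie == b"\x00" * 8,
        "encrypted": encrypted,
        # Only unencrypted payloads can be matched against a signature.
        "signature_inspectable": not encrypted,
        # A length field disagreeing with the datagram is the kind of
        # inconsistency a parser must reject before trusting nested payloads.
        "length_consistent": length == len(datagram),
    }


def count_aggressive_initiations(datagrams) -> int:
    """Audit helper (hypothetical): how many new negotiations used
    Aggressive Mode, which this advisory discourages."""
    return sum(1 for d in datagrams
               if classify_isakmp(d)["aggressive_mode"]
               and classify_isakmp(d)["new_negotiation"])


def build_header(exch_type, flags, length, rcookie=b"\x00" * 8) -> bytes:
    # Constructed sample header (not captured traffic); version 0x10 = IKEv1.
    return ISAKMP_HEADER.pack(b"\x11" * 8, rcookie, 1, 0x10,
                              exch_type, flags, 0, length)


# Constructed samples: an Aggressive Mode first packet, and an encrypted
# Main Mode packet later in an established negotiation.
AGGRESSIVE_INIT = build_header(4, 0, 28)
MAIN_MODE_ENC = build_header(2, FLAG_ENCRYPTION, 28, rcookie=b"\x22" * 8)
```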

At the time of this alert, Check Point is not aware of any organizations that have been affected by this issue. However, in order to protect VPN-1 Gateways, Check Point recommends that customers install an update on all enforcement modules.

The most recent Hotfix Accumulators (HFAs) and ASN.1 Hotfixes address this issue. Software Subscription customers can download updates for affected products using the links listed below.