Symantec warns of critical VPN and firewall hole


Symantec has warned of a serious flaw in its VPN and firewall server products that could allow an attacker to take over affected systems and gain access to corporate networks.


The software maker is urging customers to download patches for the flaw, which may affect similar products from other companies.

Links to specific product hotfixes are available via Symantec's Enterprise Support site or from last week's advisory from Internet Security Systems (ISS), which discovered the flaw.


Affected Symantec products include Symantec Enterprise Firewall 8.0 on Windows and Solaris, Symantec Enterprise Firewall 7.0.x on Windows and Solaris, Symantec VelociRaptor 1.5, Symantec Gateway Security 1.0 -- 5300 Series and Symantec Gateway Security 2.0 -- 5400 Series. In addition, researchers said any VPN or firewall product using Entrust's LibKmp component is vulnerable.


The vulnerability lies in LibKmp, which Entrust provides to third parties for use in VPN products. The LibKmp ISAKMP library handles most processing for inbound ISAKMP packets, according to ISS. ISAKMP (Internet Security Association and Key Management Protocol) is a standard protocol for creating dynamic VPN tunnels.


A buffer overflow flaw in the way the library handles some inbound requests could allow an attacker to disrupt service or execute malicious code by sending a specially crafted ISAKMP packet, researchers said.
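The article does not say which field LibKmp mishandles, so the following is an added illustration, not code from Entrust, Symantec or ISS: a defensive length check for an inbound ISAKMP message using the header and generic payload layout from RFC 2408. The function names and the constructed 36-byte sample packet are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define ISAKMP_HDR_LEN  28u  /* fixed header size, RFC 2408 section 3.1 */
#define GENERIC_HDR_LEN 4u   /* generic payload header, section 3.2 */
#define FLAG_ENCRYPTED  0x01u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: returns the number of cleartext payloads walked,
 * or -1 if any length field disagrees with the bytes actually received. */
int isakmp_check_lengths(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < ISAKMP_HDR_LEN) return -1;
    /* The header's Length field is attacker-controlled: compare, never trust. */
    if ((size_t)be32(buf + 24) != len) return -1;
    if (buf[19] & FLAG_ENCRYPTED) return 0;  /* body is opaque until decrypted */

    uint8_t next = buf[16];                  /* Next Payload field of the header */
    size_t off = ISAKMP_HDR_LEN;
    int count = 0;
    while (next != 0) {
        if (len - off < GENERIC_HDR_LEN) return -1;  /* truncated payload header */
        size_t plen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (plen < GENERIC_HDR_LEN) return -1;       /* shorter than its own header */
        if (plen > len - off) return -1;             /* claims bytes past the packet */
        next = buf[off];
        off += plen;
        count++;
    }
    return off == len ? count : -1;          /* reject unaccounted trailing bytes */
}

/* Constructed sample: header plus one 8-byte payload whose declared
 * length is chosen by the caller (8 is the honest value). */
int check_sample(uint16_t declared) {
    uint8_t p[36] = {0};
    p[16] = 1;                       /* Next Payload: Security Association */
    p[17] = 0x10;                    /* version 1.0 */
    p[27] = 36;                      /* header Length = 36 bytes */
    p[30] = (uint8_t)(declared >> 8);
    p[31] = (uint8_t)declared;       /* payload length field at offset 30..31 */
    return isakmp_check_lengths(p, sizeof p);
}
```

Any later copy of a payload into a fixed-size buffer still needs its own check against the destination size; this routine only guarantees that every declared length stays inside the received datagram.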


Researchers said that other VPN products using Entrust's LibKmp library may also be affected, but such vulnerabilities have not been confirmed by researchers or vendors. Danish security firm Secunia, in its own advisory, first classified the bug as only moderately serious, but later upgraded it to "highly critical".


Last month ISS warned of a vulnerability in a wide range of Check Point Software Technologies' VPN products, including versions of VPN-1, FireWall-1, Provider-1 and SSL Network Extender. Check Point's enterprise security products are among the most widely used on the Internet. Similar Check Point VPN holes also appeared in February and May.


Matthew Broersma writes for Techworld
