Reported July 28, 2004, by Internet Security Systems


  • Check Point Software Technologies VPN-1 products, Release 55 (R55) and earlier

A buffer-overrun vulnerability can permit remote compromise of a Check Point VPN-1 gateway. An Internet Security Association and Key Management Protocol (ISAKMP) problem affects Check Point VPN-1 products during negotiations of a VPN tunnel. When the VPN-1 server performs Abstract Syntax Notation One (ASN.1) decoding, an attacker can trigger an arbitrary-length heap overflow, which might result in complete compromise of the VPN-1 server. Through a single-packet attack, an unauthenticated remote attacker can trigger this vulnerability. If UDP-based Internet Key Exchange (IKE) negotiation is enabled (aggressive mode), the attacker might be able to conceal the source of attacks and perform a blind-spoofed attack.

Check Point has released "ASN.1 Alert" to address this vulnerability and recommends that affected users immediately apply the appropriate patch listed in the bulletin.

Discovered by Internet Security Systems.