{"vuid":"VU#435358","idnumber":"435358","name":"Check Point VPN-1 products contain boundary error in the ASN.1 decoding library","keywords":["Check Point VPN-1","heap overflow","ASN.1"],"overview":"A vulnerability exists in Check Point's VPN-1 Server, which is included in many Check Point products. This vulnerability may permit a remote attacker to compromise the gateway system.","clean_desc":"Check Point VPN-1 Server is a Virtual Private Network (VPN) application. A buffer overflow condition exists in an ASN.1 decoding library used by the VPN-1 software. This vulnerability could be exploited during the negotiation process of establishing a new VPN connection. To exploit this vulnerability, an attacker must initiate an IKE negotiation and then send a malformed IKE packet. The exploit packet must be encrypted, which prevents its detection by using a signature. However, if Aggressive Mode IKE is implemented, this vulnerability may be exploited via a single packet. According to ISS X-Force's advisory, the following products are reported as vulnerable:\nVPN-1/FireWall-1 NG with Application Intelligence R54\nVPN-1/FireWall-1 NG with Application Intelligence R55\nVPN-1/FireWall-1 NG with Application Intelligence R55W\nVPN-1/FireWall-1 Next Generation FP3\nVPN-1/FireWall-1 VSX FireWall-1 GX\nVPN-1 SecuRemote/SecureClient All Versions\nFor more details, please see the Check Point security alert.","impact":"A remote attacker may be able to compromise the VPN gateway system.","resolution":"Apply the appropriate patch from Check Point's security alert to address this issue.","workarounds":"","sysaffected":"","thanks":"Thanks to Mark Dowd and Neel Mehta of the ISS X-Force for reporting this vulnerability.","author":"This document was written by Jason A Rafail.","public":["http://xforce.iss.net/xforce/alerts/id/178","http://www.checkpoint.com/techsupport/alerts/asn1.html","http://secunia.com/advisories/12177/","http://www.ciac.org/ciac/bulletins/o-190.shtml"],"cveids":["CVE-2004-0699"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-07-29T15:43:13Z","publicdate":"2004-07-28T00:00:00Z","datefirstpublished":"2004-08-02T14:36:12Z","dateupdated":"2004-08-10T14:41:24Z","revision":6,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"10","cam_impact":"16","cam_easeofexploitation":"14","cam_attackeraccessrequired":"15","cam_scorecurrent":"15.75","cam_scorecurrentwidelyknown":"18.9","cam_scorecurrentwidelyknownexploited":"31.5","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":15.75,"vulnote":null}