Microsoft SSL Library Remote Compromise Vulnerability

Attack ID: CPAI-2004-19
Publish Date:
Last Update:
Category: Microsoft SSL Library Remote Compromise Vulnerability
Vulnerable Systems: Microsoft Windows 2000 up to and including SP4;
Microsoft Windows NT version 4 up to and including SP6a;
Microsoft Windows XP up to SP1
Source: CAN-2003-0719; SecuriTeam
Description: A remotely exploitable buffer overflow vulnerability exists in the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. The PCT 1.0 handshake contains a vulnerability that can lead to execution of arbitrary code with SYSTEM privileges.
Severity:
Details:

If any SSL-enabled services are present, and both the PCT 1.0 and SSL 2.0 protocols are enabled, remote attackers may exploit the buffer overflow condition to execute arbitrary code on vulnerable Windows server installations and gain SYSTEM privileges.

The severity of this vulnerability is compounded by the fact that SSL is most often used to secure communications involving confidential or valuable information, and it is therefore believed that hackers will aggressively target this vulnerability.

An available exploit sends a malformed SSL/PCT CLIENT_HELLO message together with code that opens a remote shell on the victim's server. Once exploited, a remote shell is created on the target system on TCP port 31337.

Attack Detection: Using SmartView Tracker, users of VPN-1 NG AI R55 will be able to identify dropped logs with rule number 99443 displayed in the log viewer window.

InterSpect and R55W users will receive a SmartDefense log with the following entries:

Attack name: VPN Protection.
Attack Information: Malformed SSL packet detected.
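As an added example (not Check Point's SmartDefense logic and not from the original advisory): a framing check over an SSL 2.0-framed CLIENT_HELLO, the kind of length-consistency validation that a "Malformed SSL packet" signature performs. It assumes the SSL 2.0 record header and CLIENT-HELLO field order, and that PCT 1.0 shares that header and identifies itself with version 0x8001 in the same slot; the sample bytes are constructed, not captured from the exploit.

```python
import struct
from dataclasses import dataclass

MSG_CLIENT_HELLO = 0x01   # SSL 2.0 / PCT 1.0 message type for CLIENT_HELLO
SSL2_VERSION = 0x0002
PCT1_VERSION = 0x8001     # assumption: PCT 1.0 announces itself with this version value
HELLO_FIXED = 9           # type(1) + version(2) + cipher_len(2) + session_len(2) + challenge_len(2)

@dataclass
class HelloVerdict:
    version: int
    record_len: int
    malformed: bool
    reason: str

def check_client_hello(payload: bytes) -> HelloVerdict:
    """Check that an SSL 2.0-layout CLIENT_HELLO's declared lengths fit its record.

    Only the 2-byte (high bit set) record header is handled. For a PCT 1.0
    version value the body layout differs, so only the version is reported.
    """
    if len(payload) < 2 + HELLO_FIXED or not payload[0] & 0x80:
        return HelloVerdict(0, 0, True, "too short or not a 2-byte record header")
    record_len = struct.unpack("!H", payload[:2])[0] & 0x7FFF  # 15-bit length of what follows
    body = payload[2:]
    if body[0] != MSG_CLIENT_HELLO:
        return HelloVerdict(0, record_len, True, "not a CLIENT_HELLO")
    version, cipher_len, session_len, challenge_len = struct.unpack("!HHHH", body[1:9])
    if record_len > len(body):
        return HelloVerdict(version, record_len, True, "record length exceeds captured bytes")
    if version == PCT1_VERSION:
        return HelloVerdict(version, record_len, False, "PCT 1.0 hello offered (body not parsed)")
    declared = HELLO_FIXED + cipher_len + session_len + challenge_len
    if declared != record_len:
        return HelloVerdict(version, record_len, True,
                            f"declared field lengths ({declared}) disagree with record length ({record_len})")
    # SSL 2.0 cipher specs are 3 bytes each; the challenge is 16..32 bytes
    if cipher_len % 3 or not 16 <= challenge_len <= 32:
        return HelloVerdict(version, record_len, True, "cipher-spec or challenge length out of range")
    return HelloVerdict(version, record_len, False, "framing consistent")

# Constructed samples: a consistent SSL 2.0 hello (one cipher spec, no session id,
# 16-byte challenge) and one whose declared challenge length (0x0200) cannot fit.
GOOD_HELLO = b"\x80\x1c\x01\x00\x02\x00\x03\x00\x00\x00\x10" + b"\x01\x00\x80" + bytes(16)
BAD_HELLO = b"\x80\x1c\x01\x00\x02\x00\x03\x00\x00\x02\x00" + b"\x01\x00\x80" + bytes(16)

if __name__ == "__main__":
    for sample in (GOOD_HELLO, BAD_HELLO):
        print(check_client_hello(sample))
```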

Solution:

Users of VPN-1 NG AI R55 and InterSpect who have not yet updated their VPN-1/FireWall-1 in accordance with CPAI-2004-13 should update SmartDefense by clicking the Update Now button in the SmartDefense General tab.

To apply the protection (R55, R55W and InterSpect):

  1. From the SmartDefense menu, select Application Intelligence > VPN Protocols > Block SSL null-pointer assignment.
  2. Install policy on all modules.

As a best security practice, it is highly advised to block TCP high ports to prevent future security threats of this nature.

Industry Reference:
Additional Information: MS04-011