Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected

Overview

A vulnerability for a remotely exploitable buffer overflow exists in Gauntlet Firewall by PGP Security.

I. Description

The buffer overflow occurs in the smap/smapd and CSMAP daemons. According to PGP Security, these daemons are responsible for handling email transactions for both inbound and outbound email.

On September 04, 2001, PGP Security released a security bulletin and patches for this vulnerability. For more information, please see

II. Impact

An intruder can execute arbitrary code with the privileges of the corresponding daemon. Additionally, firewalls often have trust relationships with other network devices. An intruder who compromises a firewall may be able to leverage this trust to compromise other devices on the network or to make changes to the network configuration.

III. Solution

Apply a patch

Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Network Associates, Inc.

PGP Security has published a security advisory describing this vulnerability as well as patches. This is available from
References
- http://www.pgp.com/support/product-advisories/csmap.asp
- http://www.pgp.com/naicommon/download/upgrade/upgrades-patch.asp
- http://www.kb.cert.org/vuls/id/206723
The CERT Coordination Center thanks PGP Security for their advisory, on which this document is based.
Feedback on this document can be directed to the author, Ian A. Finlay.
Copyright 2001 Carnegie Mellon University.
Revision History
September 06, 2001: Initial release