PGP's Gauntlet Firewall Vulnerable

CERT warns of a serious vulnerability in the Gauntlet 6.0 firewall; a patch is available.
Several days before PGP Security, a division of Network Associates Inc., said its Gauntlet 6.0 firewall met the strict international EAL4 (Evaluation Assurance Levels) security certification, the federally funded CERT Coordination Center released an advisory warning users of a serious vulnerability in several Gauntlet versions.

The Gauntlet flaw was discovered by Garrison Technologies Inc. and is described in CERT Advisory CA-2001-25. The advisory warns that a buffer overflow vulnerability would let an attacker run arbitrary programs on user systems running Gauntlet for Unix versions 5.x and 6.x, PGP e-ppliance 300 series 1.0, PGP e-ppliance 300 and 1000 series versions 1.5 and 2.0, McAfee e-ppliance 100 and 120 series, and McAfee WebShield for Solaris version 4.1.

The vulnerability can be fixed by applying a patch provided by PGP (at support/product-advisories/csmap.asp). CERT's advisory explains the vulnerability's serious impact, saying "firewalls often have trusted relationships with other network devices. An intruder who compromises a firewall may be able to leverage this trust to compromise other devices on the network or to make changes to the network configuration."

The EAL4 certification is from the British organization Common Criteria, whose mission is to create internationally accepted criteria for the evaluation of information security products. According to Marvin Dickerson, director of product management for PGP Security, the Gauntlet firewall underwent extensive testing and analysis of the product's design and development methodology. According to PGP, evaluation of the Gauntlet 6.0 Firewall was conducted by Computer Sciences Corp., as an independent evaluator working within the Common Criteria guidelines.

Common Criteria was developed through collaboration between standards and national security organizations from Canada, France, Germany, the Netherlands, the United Kingdom, and the United States.

Garrison Technologies is an information security consulting firm in San Diego.