Posts Tagged ‘security’

Checkpoint VPN-1 SecureClient and ZoneAlarm do not go well together

I recently installed Checkpoint VPN-1 SecureClient software onto a system running XP SP3 with ZoneAlarm Extreme Security installed. After running into an issue where WinSCP would run at 100% CPU utilization I decided to investigate. My initial investigation led me to decide to remove the VPN-1 SecureClient. This was to prove to be a nightmare exercise. I removed the client, or so I thought, after uninstalling it and rebooted.

I then started getting a BSOD, DRIVER_IRQL_NOT_LESS_OR_EQUAL, and vdatant.sys was apparently the culprit. I ended up pointed to a couple of notes suggesting this was ZoneAlarm. Easy enough, I think, just uninstall ZoneAlarm and reinstall it. No, not quite, still getting these BSODs.

Off to do some more research and I came across a note to use CPClean to get rid of VPN-1. No problem, nice to have a clean-up tool. Ran it; it said it was going to remove some registry keys, good I thought. Ran WinSCP and nope, still not right, 100% CPU; it seems this was due to excessive packet inspection. Saga continues: ok, remove ZoneAlarm again, ran CPClean, still a problem. Yes, I now had no network connection at all. The VPN-1 software had trashed my network stack.

Decided to install some diagnostics and they wanted to have some Windows network tools (SNMP) installed. I tried to do that but I didn’t have the copy of SP3 that it wanted. Now I had a problem: I was not sure if I had just reinstalled an SP2 or SP1 version of the file, and I was now getting random lockups. I grabbed some software on my Mac, the latest drivers for this network card, and reinstalled the software, and yeah, I was back online but still unstable; I was getting random lockups.

Next step, I did some research: could I get my machine back to a state of having SP3 with all the latest updates? Oh yeah, I found WindowsUpdateDownloader. Cool, wonderful tool; I could now download all the updates for my machine since SP3. I reinstalled SP3 and then downloaded all the Windows updates and chronologically reinstalled them, about 60 or so. Well, it looks like stability had returned. I then proceeded to run CPClean again and it said there were a few keys there for Checkpoint. Next I manually searched the registry and removed any remnants of the Checkpoint VPN-1 software and SecureClient; a few different keyword searches uncovered the majority and cleaned it out.

So now I felt my system was stable and Checkpoint VPN was gone, so test again and see if WinSCP either caused a BSOD or caused high CPU. Yeah!! No issues present, files transferred normally and the system seemed OK. Next trick: reinstall ZoneAlarm. Pretty straightforward; its key with the licence was still present so it automatically got going, and after a couple of days it seems well again.

Clearly there should be a huge warning from Checkpoint about installing its VPN software on the same OS that is running ZoneAlarm. Surely they test that sort of stuff.

Moral of the story: you can’t run VPN-1 on a system running ZoneAlarm. If you have a need, look into using VMs to do the dirty work; then you have the choice of having a VPN-1 VM for that site.

All is good now so I am happy again, but it lost me close to three days of full productivity cleaning up and reinstalling to get rid of the issues.

See ya round

Peter

July CPU – What’s of interest

Just having a look through the CPU for July, and the first item, CVE-2009-1020, makes this CPU very important to Windows-hosted databases. The Windows installation method for Oracle products, which requires Administrator group privileges, means this bug provides an attack vector through which you can compromise the entire server, a not so nice proposition. The impact is not so bad for Unix and Linux, as a total compromise of the database is not possible and therefore there is less impact. As Oracle runs under non-root user accounts on Unix and Linux, you avoid the potential complete compromise of the server at the same time. Other problems addressed in the patch set are not as bad, as none create a full compromise. One worrying aspect is that most are of low access complexity, or to put it simply, an attack is easy to set up. CVE-2009-1019 is of concern as it is remotely exploitable without authentication. CVE-2009-1019 also breaks all aspects of CIA (confidentiality, integrity and availability) for the database; however, it is only a partial compromise across the board.

For those of you interested in developing your security knowledge further, going and reading about the CVSS program is worthwhile, as it allows you to provide a better assessment of the problems and their impact on the databases and other products you manage for your organisation.

Recommendation: Update your databases to apply this CPU.

With Application Server the items are a little lower; however, they are both remote attacks without authentication. One compromises the HTTP server and the other impacts security tools. Neither is of a high degree of difficulty to implement an attack.

Once again, as the HTTP server is a front-line device it is important to update it, as the vulnerability may be used more creatively than Oracle and the security analysts have envisaged. Recommendation: Patch and update.

I don’t work presently with E-Biz and PeopleSoft, so I won’t comment other than to say that since you already now have a need to patch your Oracle database and your application server, you should review and apply the patches across the board.

From the BEA technologies, the JRockit vulnerability is derived from a number of Java bugs; Sun has provided data on this. If you use JRockit for public-facing systems this is a critical patch to address. The 10 rating, along with the fact that it is an entire compromise, is worrying. Some will already have applied the Sun patches and have avoided some or all of the issues addressed in this patch.

Recommendation: Upgrade now

That has made for an interesting bundle this quarter, so happy patching.

See ya round

Peter

TorrentSpy and how the US Courts legalised hacking of email servers

For those of you that follow the daily sagas of the MPAA and RIAA, you have heard of their attempts to shut down file-sharing systems. They have had some successes and a lot of battles; I am not sure they are any closer to solving the problems they have created for themselves with overpriced music, region encoding, staged delivery of content and so on. The internet has caused them great headaches in trying to maintain this regime.