Security update for Novell's BorderManager
Novell has released an update for its BorderManager VPN software that eliminates a denial of service flaw. Several other improvements that increase security have also been added in as part of measures to achieve recertification based on the ICSA guidelines.
Prior to the patch, attackers from the net could use specific IKE and IPSec settings to initiate a denial of service attack on BorderManager. To satisfy the ICSA guidelines, Novell had to improve the algorithm that creates random numbers for responder cookies. To achieve renewal of their certification, the manufacturer also had to fine tune the handling of the Security Associations (SA) for the IPSec quick mode, which allows IPSec with dynamic IPs.
The ICSA guidelines incorporate portions of the Common Criteria, among other items. The certification process is actually more affordable than other tests that software must pass before being used by organisations like civil authorities.
The update presumes the installation of Service Pack 4 for BorderManager 3.8. Users of BorderManager are encouraged to apply the patch as soon as possible.
- BorderManager 3.8 POST SP4 Security Patch1, Advisory with download from Novell