Malformed ECDSA signature accepted

Advisory ID: STORM-2024-031
CVE Number: CVE-2024-45750
Date discovered: 09/19/2024
Severity: medium
Advisory revision: v1

Vulnerability details

During the IKEv2 Authentication phase, the VPN client accepts malformed ECDSA signatures and establishes the tunnel.

Impacted products

Product: Stormshield Network VPN Client
Severity: medium
Detail: impacted

Revisions

Version: v1
Date: 09/24/2024
Description: Initial release


Stormshield Network VPN Client

CVSS v3.1 Overall Score: 5.3

Analysis

During the IKEv2 Authentication phase, the VPN client accepts malformed ECDSA signatures and establishes the tunnel.

Impacted version

  • Stormshield VPN Client Standard 6.87 and earlier
  • Stormshield VPN Client Exclusive 7.5 and earlier

Workaround solution

There is no workaround solution.

Solution

  • For Stormshield VPN Client Standard, use the patch “Patch VULN EC IS 1992.zip”
  • For Stormshield VPN Client Exclusive, use the patch “Patch EC VULN IS 1986.zip”

The installation and patch verification procedures are as follows:

Installation Procedure:

  • Download the patch from https://mystormshield.eu/
  • Close the VPN client.
  • Rename the file “C:\Program Files\Stormshield\Network VPN Client\TgbIkeNg.exe” to “TgbIkeNg.old”.
  • Copy the new “TgbIkeNg.exe” file from the zip file into the same folder.
  • Restart the VPN client.

To ensure the patch has been applied correctly:

  • For Stormshield VPN Client Standard: after installing the patch, open the “About” menu and check that the version of the “TgbIkeNg.exe” file has changed from 6.8.7.011 to 6.8.7.012.
  • For Stormshield VPN Client Exclusive: after installing the patch, open the “About” menu and check that the version of the “TgbIkeNg.exe” file has changed from 7.5.007 to 7.5.1.009.
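
The verification step above can be scripted for machines where opening the “About” menu by hand is impractical. This is an added example, not Stormshield's code: it assumes the file-version resource of “TgbIkeNg.exe” carries the same string the “About” menu shows, and the function names are hypothetical.

```powershell
# Added example: report the patch state of TgbIkeNg.exe on this machine.
# Assumption: the file-version resource matches the "About" menu string.
# Anything that is not one of the advisory's four versions is reported
# as unrecognized instead of being guessed at.
$exe = 'C:\Program Files\Stormshield\Network VPN Client\TgbIkeNg.exe'
$old = Join-Path (Split-Path $exe) 'TgbIkeNg.old'

# Version strings exactly as the advisory gives them.
$known = @{
    '6.8.7.011' = 'Standard, unpatched'
    '6.8.7.012' = 'Standard, patched'
    '7.5.007'   = 'Exclusive, unpatched'
    '7.5.1.009' = 'Exclusive, patched'
}

function Get-VersionKey([string]$Text) {
    # Normalize each numeric component so "6.8.7.012" equals "6.8.7.12".
    ([regex]::Matches($Text, '\d+') | ForEach-Object { [int]$_.Value }) -join '.'
}

# Index the advisory's versions by their normalized form.
$lookup = @{}
foreach ($k in $known.Keys) { $lookup[(Get-VersionKey $k)] = $known[$k] }

function Get-PatchState([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return 'TgbIkeNg.exe not found' }
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    $state = $lookup[(Get-VersionKey $raw)]
    if (-not $state) { $state = 'unrecognized version, check the "About" menu' }
    '{0}: {1}' -f $raw, $state
}

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    State          = Get-PatchState $exe
    # The renamed original from the installation procedure, if still present.
    OldFilePresent = Test-Path -LiteralPath $old
}
```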


Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
CVSS Base score: 4.4
CVSS Vector: (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Exploit Code Maturity: Unproven that exploit exists
Remediation Level: Official fix
Report Confidence: Confirmed
CVSS Temporal score: 3.9
CVSS Vector: (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Confidentiality Requirement: High
Integrity Requirement: Low
Availability Requirement: Low
CVSS Environmental score: 5.3
CVSS Vector: (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C/CR:H/IR:L/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)