Vulnerability Note VU#459371
Multiple IPsec implementations do not adequately validate authentication data
IPsec implementations from multiple vendors do not adequately validate the authentication data in IPsec packets, exposing vulnerable systems to a denial of service.
BindView RAZOR has reported a vulnerability that exists in KAME (FreeBSD, NetBSD), FreeS/WAN (Linux), and possibly other IPsec implementations. While processing an IPsec datagram, vulnerable implementations do not properly calculate the length of the authentication data field for very small datagrams, resulting in an unsigned integer overflow. The ICV is then calculated for an overly large range of memory, which could cause a kernel panic on vulnerable systems.
KAME, FreeBSD, and NetBSD are vulnerable due to the way they handle Encapsulating Security Payload (ESP) datagrams.
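The length calculation described above, as an added example (not code from KAME, FreeS/WAN, or this note): a simplified model of the unchecked subtraction beside a bounds-checked ESP parse. The function and struct names, the 12-byte ICV size, and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ESP_HDR_LEN     8u  /* SPI (4) + sequence number (4), RFC 2406 */
#define ESP_TRAILER_MIN 2u  /* pad length (1) + next header (1) */

struct esp_view {           /* hypothetical result type for this example */
    uint32_t spi, seq;
    size_t auth_len;        /* bytes the ICV is computed over */
    const uint8_t *icv;     /* start of the received ICV */
};

/* Unchecked calculation: if esp_len < icv_len the unsigned subtraction
 * wraps to a value near SIZE_MAX, the "overly large range" in the note. */
size_t auth_len_unchecked(size_t esp_len, size_t icv_len)
{
    return esp_len - icv_len;
}

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Checked form: validate sizes before subtracting. 0 = ok, -1 = reject. */
int esp_parse(const uint8_t *esp, size_t esp_len, size_t icv_len,
              struct esp_view *out)
{
    if (esp == NULL || out == NULL)
        return -1;
    if (esp_len < ESP_HDR_LEN + ESP_TRAILER_MIN)
        return -1;                       /* no room for header + trailer */
    if (icv_len > esp_len - (ESP_HDR_LEN + ESP_TRAILER_MIN))
        return -1;                       /* no room for the ICV */
    out->spi = be32(esp);
    out->seq = be32(esp + 4);
    out->auth_len = esp_len - icv_len;   /* cannot wrap after the checks */
    out->icv = esp + out->auth_len;
    return 0;
}

int main(void)
{
    uint8_t tiny[4] = {0, 0, 0x10, 0x01};  /* constructed 4-byte datagram */
    struct esp_view v;
    printf("unchecked=%zu checked=%d\n", auth_len_unchecked(sizeof tiny, 12),
           esp_parse(tiny, sizeof tiny, 12, &v));
    return 0;
}
```

The checked parse rejects the datagram before any ICV computation starts, so the integrity routine never sees a wrapped length.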
A remote attacker could crash a vulnerable system with a specially crafted IPsec packet. The attacker would need to supply the source and destination IP addresses, the Security Parameters Index (SPI), and a suitably large sequence number. All of this information is transmitted in plain text.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple Computer Inc. | Affected | 20 Aug 2002 | 15 Oct 2002 |
| Debian | Affected | 20 Aug 2002 | 11 Dec 2002 |
| eSoft | Affected | 10 Oct 2002 | 15 Oct 2002 |
| FreeBSD | Affected | 20 Aug 2002 | 15 Oct 2002 |
| FreeS/WAN | Affected | 20 Aug 2002 | 02 Dec 2002 |
| Global Technology Associates | Affected | - | 17 Oct 2002 |
| IBM | Affected | 20 Aug 2002 | 11 Dec 2002 |
| Internet Initiative Japan (IIJ) | Affected | 15 Oct 2002 | 11 Dec 2002 |
| KAME Project | Affected | 20 Aug 2002 | 15 Oct 2002 |
| NEC Corporation | Affected | 20 Aug 2002 | 11 Dec 2002 |
| NetBSD | Affected | 20 Aug 2002 | 22 Oct 2002 |
| Alcatel | Not Affected | 21 Aug 2002 | 15 Oct 2002 |
| Avaya | Not Affected | 21 Aug 2002 | 11 Dec 2002 |
| Borderware | Not Affected | 10 Oct 2002 | 18 Oct 2002 |
| Cisco Systems Inc. | Not Affected | 20 Aug 2002 | 21 Oct 2002 |
The CERT/CC thanks Todd Sabin of BindView RAZOR for discovering and reporting this issue.
This document was written by Art Manion.
- CVE IDs: CAN-2002-0666
- Date Public: 17 Oct 2002
- Date First Published: 17 Oct 2002
- Date Last Updated: 06 Jan 2003
- Severity Metric: 5.14
- Document Revision: 24