Vulnerability Note VU#459371

Multiple IPsec implementations do not adequately validate authentication data

Original Release date: 17 Oct 2002 | Last revised: 06 Jan 2003

Overview

IPsec implementations from multiple vendors do not adequately validate the authentication data in IPsec packets, exposing vulnerable systems to a denial of service.

Description

For background:

  • RFC 2401 Security Architecture for the Internet Protocol
  • RFC 2402 IP Authentication Header
  • RFC 2406 IP Encapsulating Security Payload

IPsec supports integrity and authentication for IP traffic by including a cryptographic checksum in each IPsec datagram. This authentication data is compared to the Integrity Check Value (ICV) that is calculated by the recipient. If the values match, the datagram is considered valid.

BindView RAZOR has reported a vulnerability that exists in KAME (FreeBSD, NetBSD), FreeS/WAN (Linux), and possibly other IPsec implementations. While processing an IPsec datagram, vulnerable implementations do not properly calculate the length of the authentication data field for very small datagrams, resulting in an unsigned integer overflow. The ICV is then calculated for an overly large range of memory, which could cause a kernel panic on vulnerable systems.

KAME, FreeBSD, and NetBSD are vulnerable due to the way they handle Encapsulating Security Payload (ESP) datagrams.
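The length underflow described above, shown as an added example that is not KAME or FreeS/WAN code: a vulnerable unsigned length computation beside a hardened one. The ESP layout (8-byte SPI plus sequence number header, 12-byte ICV as with HMAC-MD5-96 or HMAC-SHA-1-96) and the function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed layout assumptions (not taken from any vendor's code):
 * an ESP datagram is SPI (4) + sequence number (4) + payload + ICV (12). */
#define ESP_HDR_LEN   8u
#define ESP_ICV_LEN  12u

/* Vulnerable pattern: the number of bytes to authenticate is derived with
 * unsigned arithmetic and no minimum-length check. For a datagram shorter
 * than the ICV the subtraction wraps to a value near SIZE_MAX, so the ICV
 * would be computed over a huge range of kernel memory rather than the
 * few bytes actually received. */
size_t esp_auth_len_unchecked(size_t pkt_len)
{
    return pkt_len - ESP_ICV_LEN;   /* wraps when pkt_len < ESP_ICV_LEN */
}

/* Hardened pattern: refuse any datagram that cannot hold a header plus an
 * ICV before subtracting, so the authenticated range always lies inside
 * the received bytes. Returns the authenticated length, or -1 meaning
 * "drop the datagram". */
long esp_auth_len_checked(size_t pkt_len)
{
    if (pkt_len < ESP_HDR_LEN + ESP_ICV_LEN)
        return -1;
    return (long)(pkt_len - ESP_ICV_LEN);
}

/* Detection helper: true when the unchecked computation has wrapped, i.e.
 * the "authenticated" range would extend past the end of the datagram. */
bool esp_auth_len_wrapped(size_t pkt_len)
{
    return esp_auth_len_unchecked(pkt_len) > pkt_len;
}
```

Any ICV verification that uses the unchecked length on a datagram shorter than the ICV will read far outside the packet buffer; the checked version drops such datagrams before any memory is touched.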

Impact

A remote attacker could crash a vulnerable system with a specially crafted IPsec packet. The attacker would need to supply the source and destination IP addresses, the Security Parameters Index (SPI), and a suitably large sequence number. All of this information is transmitted in plain text.

Solution

Upgrade or Apply a Patch

Upgrade or apply a patch as specified by your vendor(s).

Restrict Access

When possible, restrict access to IPsec hosts and gateways. Note that this will not prevent attacks; it only limits the number of potential sources.

Systems Affected

Vendor                               Status         Date Notified   Date Updated
Apple Computer Inc.                  Affected       20 Aug 2002     15 Oct 2002
Debian                               Affected       20 Aug 2002     11 Dec 2002
eSoft                                Affected       10 Oct 2002     15 Oct 2002
FreeBSD                              Affected       20 Aug 2002     15 Oct 2002
FreeS/WAN                            Affected       20 Aug 2002     02 Dec 2002
Global Technology Associates         Affected       -               17 Oct 2002
IBM                                  Affected       20 Aug 2002     11 Dec 2002
Internet Initiative Japan (IIJ)      Affected       15 Oct 2002     11 Dec 2002
KAME Project                         Affected       20 Aug 2002     15 Oct 2002
NEC Corporation                      Affected       20 Aug 2002     11 Dec 2002
NetBSD                               Affected       20 Aug 2002     22 Oct 2002
Alcatel                              Not Affected   21 Aug 2002     15 Oct 2002
Avaya                                Not Affected   21 Aug 2002     11 Dec 2002
Borderware                           Not Affected   10 Oct 2002     18 Oct 2002
Cisco Systems Inc.                   Not Affected   20 Aug 2002     21 Oct 2002

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A     N/A

References

Credit

The CERT/CC thanks Todd Sabin of BindView RAZOR for discovering and reporting this issue.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2002-0666
  • Date Public: 17 Oct 2002
  • Date First Published: 17 Oct 2002
  • Date Last Updated: 06 Jan 2003
  • Severity Metric: 5.14
  • Document Revision: 24