US-CERT Vulnerability Notes Database
Vulnerability Note VU#459371

Multiple IPsec implementations do not adequately validate authentication data

Overview

IPsec implementations from multiple vendors do not adequately validate the authentication data in IPsec packets, exposing vulnerable systems to a denial of service.

I. Description

For background:
  • RFC 2401 Security Architecture for the Internet Protocol
  • RFC 2402 IP Authentication Header
  • RFC 2406 IP Encapsulating Security Payload
IPsec supports integrity and authentication for IP traffic by including a cryptographic checksum in each IPsec datagram. This authentication data is compared to the Integrity Check Value (ICV) that is calculated by the recipient. If the values match, the datagram is considered valid.

BindView RAZOR has reported a vulnerability that exists in KAME (FreeBSD, NetBSD), FreeS/WAN (Linux), and possibly other IPsec implementations. While processing an IPsec datagram, vulnerable implementations do not properly calculate the length of the authentication data field for very small datagrams, resulting in an unsigned integer overflow. The ICV is then calculated for an overly large range of memory, which could cause a kernel panic on vulnerable systems.

KAME, FreeBSD, and NetBSD are vulnerable due to the way they handle Encapsulating Security Payload (ESP) datagrams.
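The following is an added illustrative example, not code from KAME, FreeS/WAN or any vendor listed on this page. It shows the bug class the description refers to: the length of the region an ICV must cover is computed with unsigned arithmetic and no prior check that the datagram is actually long enough, so an undersized datagram makes the subtraction wrap to a huge value and the MAC would then be computed far past the end of the buffer. The packet layout, the field sizes and the toy tag function used in place of a real HMAC are all assumptions made for this example.

```c
/* Added illustrative example, not code from KAME, FreeS/WAN or any vendor:
 * how an unchecked unsigned length computation wraps for an undersized
 * IPsec datagram, and the bounds check that prevents it. All field sizes,
 * the packet layout and the toy tag function are assumptions made here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_LEN    20u   /* IPv4 header without options (assumed) */
#define IPSEC_HDR_LEN  8u   /* ESP: SPI (4 bytes) + sequence number (4 bytes) */
#define ICV_LEN       12u   /* 96-bit truncated HMAC ICV, as in RFC 2402/2406 */

/* Vulnerable pattern: length of the ICV-covered region computed in
 * unsigned arithmetic with no check that the datagram is long enough.
 * For total_len < IP_HDR_LEN + ICV_LEN the subtraction wraps to a huge
 * value, and a MAC computed over that many bytes runs off the buffer. */
size_t covered_len_unchecked(size_t total_len)
{
    return total_len - IP_HDR_LEN - ICV_LEN;
}

/* Hardened version: reject a datagram too short to hold the headers and
 * the ICV before doing any arithmetic on its length. Sets *ok to 0 and
 * returns 0 on rejection; otherwise returns the covered length. */
size_t covered_len_checked(size_t total_len, int *ok)
{
    if (total_len < IP_HDR_LEN + IPSEC_HDR_LEN + ICV_LEN) {
        *ok = 0;
        return 0;
    }
    *ok = 1;
    return total_len - IP_HDR_LEN - ICV_LEN;
}

/* Stand-in for the real MAC so the example runs offline (assumption:
 * real IPsec uses a keyed HMAC, never an unkeyed fold like this). */
static void toy_tag(const uint8_t *data, size_t len, uint8_t tag[ICV_LEN])
{
    uint32_t acc = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++)
        acc = (acc ^ data[i]) * 16777619u;   /* FNV-1a style mixing */
    for (size_t i = 0; i < ICV_LEN; i++)
        tag[i] = (uint8_t)(acc >> (8u * (i % 4u)));
}

/* Receiver side. Returns 1 if the ICV verifies, 0 on mismatch, and -1 if
 * the datagram is too short (the case the unchecked code mishandles). */
int verify_icv(const uint8_t *pkt, size_t total_len)
{
    int ok;
    size_t covered = covered_len_checked(total_len, &ok);
    if (!ok)
        return -1;
    uint8_t expect[ICV_LEN];
    toy_tag(pkt + IP_HDR_LEN, covered, expect);       /* ESP header + payload */
    return memcmp(expect, pkt + IP_HDR_LEN + covered, ICV_LEN) == 0 ? 1 : 0;
}

/* Sender side for the demo: zeroed IP header, ESP header, payload, ICV.
 * buf must hold IP_HDR_LEN + IPSEC_HDR_LEN + payload_len + ICV_LEN bytes. */
size_t build_packet(uint8_t *buf, const uint8_t *payload, size_t payload_len)
{
    size_t n = 0;
    memset(buf, 0, IP_HDR_LEN);            n += IP_HDR_LEN;
    memset(buf + n, 0, IPSEC_HDR_LEN);     n += IPSEC_HDR_LEN;
    memcpy(buf + n, payload, payload_len); n += payload_len;
    toy_tag(buf + IP_HDR_LEN, IPSEC_HDR_LEN + payload_len, buf + n);
    return n + ICV_LEN;
}

/* Runs the three scenarios a defender cares about and returns 1 if every
 * one behaves as expected: intact packet accepted, corrupted packet
 * rejected, undersized packet rejected before any MAC work happens. */
int self_check(void)
{
    uint8_t buf[128];
    static const uint8_t payload[] = "constructed sample payload";  /* constructed */
    size_t n = build_packet(buf, payload, sizeof payload - 1);

    if (verify_icv(buf, n) != 1)           return 0;   /* intact */
    buf[IP_HDR_LEN + IPSEC_HDR_LEN] ^= 0x01;           /* flip a payload bit */
    if (verify_icv(buf, n) != 0)           return 0;   /* corrupted */
    if (verify_icv(buf, IP_HDR_LEN) != -1) return 0;   /* truncated */
    /* The unchecked computation on the same short length wraps around. */
    if (covered_len_unchecked(IP_HDR_LEN) < ((size_t)1 << 20)) return 0;
    return 1;
}

int main(void)
{
    printf("unchecked covered length for a %u-byte datagram: %zu bytes\n",
           IP_HDR_LEN, covered_len_unchecked(IP_HDR_LEN));
    printf("self_check: %s\n", self_check() ? "pass" : "FAIL");
    return 0;
}
```

The point to take from the checked version is the order of operations: the minimum-length test happens on the raw datagram length before any subtraction, so the wrapped value never exists. A real implementation would also compare the ICV in constant time and use the negotiated HMAC rather than the stand-in tag used here.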

II. Impact

A remote attacker could crash a vulnerable system with a specially crafted IPsec packet. The attacker would need to supply the source and destination IP addresses, the Security Parameters Index (SPI), and a suitably large sequence number. All of this information is transmitted in plain text.

III. Solution

Upgrade or Apply a Patch

Upgrade or apply a patch as specified by your vendor(s).

Restrict Access

When possible, restrict access to IPsec hosts and gateways. Note that this will not prevent attacks; it will only limit the number of potential sources.

Systems Affected

Vendor                          | Status         | Date Notified / Date Updated
--------------------------------|----------------|-----------------------------
Alcatel                         | Not Vulnerable | 15-Oct-2002
Apple Computer Inc.             | Vulnerable     | 15-Oct-2002
Avaya                           | Not Vulnerable | 11-Dec-2002
Borderware                      | Not Vulnerable | 18-Oct-2002
Cisco Systems Inc.              | Not Vulnerable | 21-Oct-2002
Clavister                       | Not Vulnerable | 22-Aug-2002
Conectiva                       | Unknown        | 29-Aug-2002
Cray Inc.                       | Not Vulnerable | 15-Oct-2002
Data General                    | Unknown        | 29-Aug-2002
Debian                          | Vulnerable     | 11-Dec-2002
eSoft                           | Vulnerable     | 15-Oct-2002
Extreme Networks                | Unknown        | 15-Oct-2002
F-Secure                        | Unknown        | 29-Aug-2002
FreeBSD                         | Vulnerable     | 15-Oct-2002
FreeS/WAN                       | Vulnerable     | 2-Dec-2002
Fujitsu                         | Unknown        | 29-Aug-2002
Global Technology Associates    | Vulnerable     | 17-Oct-2002
Guardian Digital Inc.           | Unknown        | 29-Aug-2002
Hewlett-Packard Company         | Not Vulnerable | 15-Oct-2002
Hitachi                         | Not Vulnerable | 15-Oct-2002
IBM                             | Vulnerable     | 11-Dec-2002
Internet Initiative Japan (IIJ) | Vulnerable     | 11-Dec-2002
Intoto                          | Not Vulnerable | 18-Oct-2002
Juniper Networks                | Unknown        | 29-Aug-2002
KAME Project                    | Vulnerable     | 15-Oct-2002
Lucent                          | Not Vulnerable | 15-Oct-2002
MandrakeSoft                    | Unknown        | 29-Aug-2002
Microsoft Corporation           | Not Vulnerable | 17-Oct-2002
MontaVista Software             | Not Vulnerable | 21-Oct-2002
NEC Corporation                 | Vulnerable     | 11-Dec-2002
NetBSD                          | Vulnerable     | 22-Oct-2002
NetScreen                       | Not Vulnerable | 29-Aug-2002
Network Appliance               | Not Vulnerable | 15-Oct-2002
Network Associates              | Unknown        | 29-Aug-2002
NeXT                            | Unknown        | 29-Aug-2002
NIST                            | Unknown        | 29-Aug-2002
Nortel Networks                 | Not Vulnerable | 11-Dec-2002
Novell                          | Unknown        | 11-Dec-2002
OpenBSD                         | Unknown        | 29-Aug-2002
Openwall GNU/*/Linux            | Not Vulnerable | 21-Oct-2002
PGP                             | Unknown        | 29-Aug-2002
Red Hat Inc.                    | Unknown        | 29-Aug-2002
SafeNet                         | Not Vulnerable | 15-Oct-2002
Sequent                         | Unknown        | 29-Aug-2002
SGI                             | Unknown        | 29-Aug-2002
Sony Corporation                | Unknown        | 29-Aug-2002
SSH Communications Security     | Not Vulnerable | 11-Dec-2002
Sun Microsystems Inc.           | Not Vulnerable | 29-Aug-2002
SuSE Inc.                       | Unknown        | 29-Aug-2002
The SCO Group (SCO Linux)       | Unknown        | 29-Aug-2002
Unisys                          | Unknown        | 29-Aug-2002
Wind River Systems Inc.         | Unknown        | 29-Aug-2002

References

http://razor.bindview.com/publish/advisories/adv_ipsec.html
http://www.ietf.org/rfc/rfc2401.txt
http://www.ietf.org/rfc/rfc2402.txt
http://www.ietf.org/rfc/rfc2406.txt

Credit

The CERT/CC thanks Todd Sabin of BindView RAZOR for discovering and reporting this issue.

This document was written by Art Manion.

Other Information

Date Public: 2002-10-17
Date First Published: 2002-10-17
Date Last Updated: 2003-01-06
CERT Advisory:
CVE-ID(s): CAN-2002-0666
NVD-ID(s): CAN-2002-0666
US-CERT Technical Alerts:
Metric: 5.14
Document Revision: 24

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Copyright 2002 Carnegie Mellon University