IPsec implementations from multiple vendors do not adequately validate the authentication data in IPsec packets, exposing vulnerable systems to a denial of service.
BindView RAZOR has reported a vulnerability that exists in KAME (FreeBSD, NetBSD), FreeS/WAN (Linux), and possibly other IPsec implementations. While processing an IPsec datagram, vulnerable implementations do not properly calculate the length of the authentication data field for very small datagrams, resulting in an unsigned integer overflow. The integrity check value (ICV) is then calculated over an overly large range of memory, which could cause a kernel panic on vulnerable systems.
KAME, FreeBSD, and NetBSD are vulnerable due to the way they handle Encapsulating Security Payload (ESP) datagrams.
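The length miscalculation described above, as an added C example that is not taken from KAME, FreeS/WAN, or the original advisory: it shows the unsigned subtraction wrapping for a datagram shorter than the ICV, next to a bounds-checked form. The function names, the 12-byte ICV size, and the sample lengths are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ESP_HDR_LEN 8u  /* SPI (4 bytes) + sequence number (4 bytes) */

/* Unchecked: bytes the ICV is computed over = datagram minus trailing ICV.
 * For esp_len < icv_len the unsigned subtraction wraps to a huge value. */
uint32_t covered_len_unchecked(uint32_t esp_len, uint32_t icv_len)
{
    return esp_len - icv_len;
}

/* Checked: reject any datagram too short to hold the ESP header plus the ICV.
 * Returns 0 and stores the length in *out, or -1 if the datagram is too short. */
int covered_len_checked(uint32_t esp_len, uint32_t icv_len, uint32_t *out)
{
    if (icv_len > esp_len || esp_len - icv_len < ESP_HDR_LEN)
        return -1;
    *out = esp_len - icv_len;
    return 0;
}

int main(void)
{
    /* Constructed sample lengths (hypothetical), with an assumed 12-byte ICV. */
    const uint32_t icv_len = 12;
    const uint32_t samples[] = { 60, 20, 19, 4, 0 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t n = 0;
        int rc = covered_len_checked(samples[i], icv_len, &n);
        printf("esp_len=%2u unchecked=%10u checked=%s",
               (unsigned)samples[i],
               (unsigned)covered_len_unchecked(samples[i], icv_len),
               rc == 0 ? "ok" : "rejected\n");
        if (rc == 0)
            printf(" (%u bytes)\n", (unsigned)n);
    }
    return 0;
}
```

The check belongs before any ICV computation, so that a too-short datagram is dropped without touching memory beyond the received buffer.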
A remote attacker could crash a vulnerable system with a specially crafted IPsec packet. The attacker would need to supply the source and destination IP addresses, the Security Parameters Index (SPI), and a suitably large sequence number. All of this information is transmitted in plain text.
Apple Computer Inc. Affected
Global Technology Associates Affected
Internet Initiative Japan (IIJ) Affected
KAME Project Affected
NEC Corporation Affected
Alcatel Not Affected
Avaya Not Affected
Borderware Not Affected
Cisco Systems Inc. Not Affected
Clavister Not Affected
Cray Inc. Not Affected
Hewlett-Packard Company Not Affected
Hitachi Not Affected
Intoto Not Affected
Lucent Not Affected
Microsoft Corporation Not Affected
MontaVista Software Not Affected
NetScreen Not Affected
Network Appliance Not Affected
Nortel Networks Not Affected
Openwall GNU/*/Linux Not Affected
SSH Communications Security Not Affected
SafeNet Not Affected
Sun Microsystems Inc. Not Affected
Data General Unknown
Extreme Networks Unknown
Guardian Digital Inc. Unknown
Juniper Networks Unknown
Network Associates Unknown
Red Hat Inc. Unknown
Sony Corporation Unknown
SuSE Inc. Unknown
The SCO Group (SCO Linux) Unknown
Wind River Systems Inc. Unknown
The CERT/CC thanks Todd Sabin of BindView RAZOR for discovering and reporting this issue.
This document was written by Art Manion.
Date First Published: 2002-10-17
Date Last Updated: 2003-01-06 21:56 UTC