IPsec implementations from multiple vendors do not adequately validate the authentication data in IPsec packets, exposing vulnerable systems to a denial of service.
BindView RAZOR has reported a vulnerability that exists in KAME (FreeBSD, NetBSD), FreeS/WAN (Linux), and possibly other IPsec implementations. While processing an IPsec datagram, vulnerable implementations do not properly calculate the length of the authentication data field for very small datagrams, resulting in an unsigned integer overflow. The ICV is then calculated for an overly large range of memory, which could cause a kernel panic on vulnerable systems.
KAME, FreeBSD, and NetBSD are vulnerable due to the way they handle Encapsulating Security Payload (ESP) datagrams.
A remote attacker could crash a vulnerable system with a specially crafted IPsec packet. The attacker would need to supply the source and destination IP addresses, the Security Parameters Index (SPI), and a suitably large sequence number. All of this information is transmitted in plain text.
The CERT/CC thanks Todd Sabin of BindView RAZOR for discovering and reporting this issue.
This document was written by Art Manion.
|Date First Published:||2002-10-17|
|Date Last Updated:||2003-01-06 21:56 UTC|