[41627] in bugtraq
Re: [ GLSA 200512-04 ] Openswan, IPsec-Tools: Vulnerabilities in
daemon@ATHENA.MIT.EDU (Paul Wouters)
Tue Dec 13 16:24:45 2005
Date: Tue, 13 Dec 2005 21:49:40 +0100 (CET)
From: Paul Wouters <paul@xelerance.com>
To: Thierry Carrez <koon@gentoo.org>
Cc: gentoo-announce@lists.gentoo.org, bugtraq@securityfocus.com,
full-disclosure@lists.grok.org.uk, security-alerts@linuxsecurity.com
In-Reply-To: <439D8C37.10802@gentoo.org>
Message-ID: <Pine.LNX.4.63.0512132146180.12269@newpack.xtdnet.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-xtdnet-MailScanner-From: paul@xelerance.com
On Mon, 12 Dec 2005, Thierry Carrez wrote:
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Gentoo Linux Security Advisory GLSA 200512-04
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Severity: Normal
> Title: Openswan, IPsec-Tools: Vulnerabilities in ISAKMP Protocol
> implementation
> Date: December 12, 2005
> Bugs: #112568, #113201
> ID: 200512-04
> Openswan and IPsec-Tools suffer from an implementation flaw which may
> allow a Denial of Service attack.
That is correct (for openswan)
> Impact
> ======
>
> A remote attacker can create a specially crafted packet using 3DES with
> an invalid key length, resulting in a Denial of Service attack, format
> string vulnerabilities or buffer overflows.
That's a copy and paste from the IPsec proto testsuite.
1) It conflicts with the above comment that this is only a DOS
2) It's incorrect (for openswan)
> Workaround
> ==========
>
> Avoid using "aggressive mode" in ISAKMP Phase 1, which exchanges
> information between the sides before there is a secure channel.
In fact, you would to both have aggressive mode enabled AND know the PSK.
If you have those two enabled, you are vulnerable to a MITM anyway, since
any client knowing the PSK can pretend to be the IPsec security gateway.
Paul
