[41655] in bugtraq


Re: [ GLSA 200512-04 ] Openswan, IPsec-Tools: Vulnerabilities in ISAKMP Protocol implementation

daemon@ATHENA.MIT.EDU (VANHULLEBUS Yvan)
Wed Dec 14 19:14:21 2005

Date: Wed, 14 Dec 2005 11:24:37 +0100
From: VANHULLEBUS Yvan <yvan.vanhullebus@netasq.com>
To: Paul Wouters <paul@xelerance.com>
Cc: Thierry Carrez <koon@gentoo.org>, gentoo-announce@lists.gentoo.org,
        bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk,
        security-alerts@linuxsecurity.com
Message-ID: <20051214102437.GA77994@yvan.netasq.int>
In-Reply-To: <Pine.LNX.4.63.0512132146180.12269@newpack.xtdnet.nl>



On Tue, Dec 13, 2005 at 09:49:40PM +0100, Paul Wouters wrote:
> On Mon, 12 Dec 2005, Thierry Carrez wrote:
>
> >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> >Gentoo Linux Security Advisory                           GLSA 200512-04
> >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> >                                           http://security.gentoo.org/
> >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> >
> > Severity: Normal
> >    Title: Openswan, IPsec-Tools: Vulnerabilities in ISAKMP Protocol
> >           implementation
> >     Date: December 12, 2005
> >     Bugs: #112568, #113201
> >       ID: 200512-04
>
> >Openswan and IPsec-Tools suffer from an implementation flaw which may
> >allow a Denial of Service attack.
>
> That is correct (for openswan)

It is also correct for ipsec-tools, but requires a very weak
configuration.


> >Impact
> >======
> >
> >A remote attacker can create a specially crafted packet using 3DES with
> >an invalid key length, resulting in a Denial of Service attack, format
> >string vulnerabilities or buffer overflows.
>
> That's a copy and paste from the IPsec proto testsuite.
>=20
> 1) It conflicts with the above comment that this is only a DOS
> 2) It's incorrect (for openswan)

Also incorrect for ipsec-tools AFAIK. The only problem we noticed with
protos testsuite was a lack of verification for some payloads'
existence in aggressive mode.


> >Workaround
> >==========
> >
> >Avoid using "aggressive mode" in ISAKMP Phase 1, which exchanges
> >information between the sides before there is a secure channel.
>
> In fact, you would need to both have aggressive mode enabled AND know the PSK.
> If you have those two enabled, you are vulnerable to a MITM anyway, since
> any client knowing the PSK can pretend to be the IPsec security gateway.

Knowing the PSK is not really needed, as AGGRESSIVE+PSK mode is known
to be quite insecure, and can be brute-forced offline.

The "workaround" for ipsec-tools is to upgrade, and is only needed for
some people who really have a weak configuration and should care
about lots of potential problems!


Yvan, ipsec-tools team.

-- 
NETASQ - Secure Internet Connectivity
http://www.netasq.com

