OpenBSD isakmpd Error Lets Remote Users Bypass the Replay Protection
SecurityTracker Alert ID: 1016757
SecurityTracker URL: http://securitytracker.com/id?1016757
CVE Reference: CVE-2006-4436
Updated: Jun 8 2008
Original Entry Date: Aug 25 2006
Impact: Modification of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Advisory: OpenBSD Errata
Description: A vulnerability was reported in isakmpd on OpenBSD. A remote user can bypass IPsec packet replay protection.
When isakmpd(8) acts as responder during security association (SA) negotiation, SAs with a replay window of size 0 may be created.
This allows a remote user with the ability to sniff IPsec packets to reinject those packets without the replay being detected.
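The effect of a zero-size replay window, as an added C example (not OpenBSD's code and not the patch): a sliding-window anti-replay check of the kind IPsec receivers use, under the assumption that a window of 0 skips the check, as the advisory describes. The names `struct sa`, `replay_accept` and `replays_accepted` and the packet sequences are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
struct sa {               /* hypothetical receive-side SA state, not OpenBSD's */
    uint32_t wnd;         /* negotiated replay window size in packets, 0..64 */
    uint32_t last;        /* highest sequence number accepted so far */
    uint64_t bitmap;      /* bit i set => sequence (last - i) already seen */
};

/* Return 1 to accept the packet, 0 to drop it as a replay or as too old. */
static int replay_accept(struct sa *sa, uint32_t seq)
{
    if (sa->wnd == 0)                 /* assumption: size 0 means no check, */
        return 1;                     /* the behaviour the advisory describes */
    if (seq == 0)
        return 0;                     /* sequence numbers start at 1 */
    if (seq > sa->last) {             /* new highest: slide the window */
        uint32_t shift = seq - sa->last;
        sa->bitmap = shift < 64 ? (sa->bitmap << shift) | 1 : 1;
        sa->last = seq;
        return 1;
    }
    uint32_t off = sa->last - seq;
    if (off >= sa->wnd || off >= 64)
        return 0;                     /* left of the window: too old */
    if (sa->bitmap & (1ULL << off))
        return 0;                     /* already seen: replay */
    sa->bitmap |= 1ULL << off;        /* late but new: mark and accept */
    return 1;
}

/* Feed constructed traffic, then re-injected copies; count accepted copies. */
static int replays_accepted(uint32_t wnd)
{
    static const uint32_t fresh[]    = { 1, 2, 3, 5, 4, 6 };  /* constructed */
    static const uint32_t replayed[] = { 3, 5, 6, 1 };        /* constructed */
    struct sa sa = { wnd, 0, 0 };
    int n = 0;
    for (size_t i = 0; i < sizeof fresh / sizeof fresh[0]; i++)
        replay_accept(&sa, fresh[i]);
    for (size_t i = 0; i < sizeof replayed / sizeof replayed[0]; i++)
        n += replay_accept(&sa, replayed[i]);
    return n;
}

int main(void)
{
    printf("replays accepted: window 64 = %d, window 0 = %d\n", replays_accepted(64), replays_accepted(0));
    return 0;
}
```

With a non-zero window every re-injected copy is dropped; with a window of 0 all of them are accepted, so checking the replay window size on established SAs is a direct way to spot an affected peer.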
Impact: A remote user may be able to bypass the replay protection in certain cases.
Solution: OpenBSD has issued the following fixes:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/008_isakmpd.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/013_isakmpd.patch
Vendor URL: www.openbsd.org/
Cause: State error
Underlying OS: UNIX (OpenBSD)
Underlying OS Comments: 3.8, 3.9
Message History:
None.
Source Message Contents
Date: Fri, 25 Aug 2006 15:57:59 -0400
Subject: OpenBSD vulnerability
SECURITY FIX: August 25, 2006 All architectures
A problem in isakmpd(8) caused IPsec to run partly without replay protection. If
isakmpd(8) was acting as responder during SA negotiation, SA's with a replay window of
size 0 were created. An attacker could reinject sniffed IPsec packets, which will be
accepted without checking the replay counter.
A source code patch exists which remedies this problem.
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/008_isakmpd.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/013_isakmpd.patch