SecurityTracker.com

SecurityTracker
Archives
Category:   Application (Security) > IPSec
Vendors:   KAME Project
(NetBSD Issues Fix) KAME IPSec and IPSec Implementations in FreeBSD and NetBSD Fail to Apply the Security Policy Database to Inbound Forwarded Packets
SecurityTracker Alert ID:  1003804
SecurityTracker URL:  http://securitytracker.com/id/1003804
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 13 2002
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in the KAME IPSec implementation used by NetBSD and FreeBSD. When a host forwards IPv4 packets, it fails to consult the inbound IPSec security policy database (SPD) as required.

It is reported that NetBSD, FreeBSD, and the KAME versions of NetBSD and FreeBSD fail to perform inbound policy checks on forwarded packets. This is reportedly in violation of RFC 2401 sections 4.4.1 and 5.2.1 (steps 3 and 4), which require the inbound SPD to be consulted for every received packet, including packets that carried no IPSec header.

A remote user could send cleartext packets to the outside interface of an IPSec security gateway, addressed to a host behind it, and the receiving gateway will forward them without applying its security policy, even where that policy requires such traffic to arrive protected (for example, inside an IPSec tunnel).

It is reported that the file src/sys/netinet/ip_input.c only performs the inbound Security Policy Database check on packets addressed to the host itself and not on packets destined for other hosts, which are forwarded without the check.

An example scenario is described in detail in the Source Message.

Impact:   A remote user could send a packet to a destination security gateway that does not adhere to the receiving gateway's inbound security policy (for example, an unencrypted packet where the policy requires IPSec) and have it forwarded to the protected network regardless of the policy.
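The ordering mistake behind this report, as an added illustration that is not code from ip_input.c or from the KAME project: a minimal model of an IPv4 receive path with an inbound SPD. The vulnerable path consults the SPD only for packets addressed to the gateway itself, so a cleartext packet for a host behind the gateway is forwarded even though policy says it must arrive protected; the corrected path runs the same RFC 2401 section 5.2.1 check before deciding to forward. The policy entry, addresses, the `ipsec_protected` flag (standing in for KAME's packet history) and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 2401 SPD actions. */
enum action { SPD_BYPASS, SPD_DISCARD, SPD_PROTECT };

/* One SPD entry: source/destination prefix selectors and the action. */
struct policy {
    uint32_t src, src_mask;
    uint32_t dst, dst_mask;
    enum action act;
};

/* The parts of a received packet this model needs. ipsec_protected is 1 when
 * the packet was just decapsulated from ESP/AH (KAME records this in the
 * packet's history); 0 means it arrived in cleartext. */
struct packet {
    uint32_t src, dst;
    int ipsec_protected;
};

enum verdict { DELIVER, FORWARD, DROP };

/* Constructed addresses for the example (assumptions, not from the advisory). */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))
#define GW_ADDR    IP(192, 0, 2, 1)   /* the gateway's own outside address */
#define INSIDE_NET IP(10, 1, 0, 0)    /* network behind this gateway */
#define PEER_NET   IP(10, 2, 0, 0)    /* network behind the remote VPN peer */
#define MASK16     0xffff0000u

/* Inbound SPD: peer-net -> inside-net must arrive protected (tunnel-mode policy). */
static const struct policy inbound_spd[] = {
    { PEER_NET, MASK16, INSIDE_NET, MASK16, SPD_PROTECT },
};
#define NSPD (sizeof inbound_spd / sizeof inbound_spd[0])

/* First-match SPD lookup; BYPASS when no entry matches. */
static enum action spd_lookup(const struct packet *p)
{
    for (size_t i = 0; i < NSPD; i++)
        if ((p->src & inbound_spd[i].src_mask) == inbound_spd[i].src &&
            (p->dst & inbound_spd[i].dst_mask) == inbound_spd[i].dst)
            return inbound_spd[i].act;
    return SPD_BYPASS;
}

/* RFC 2401 sec. 5.2.1 inbound check: returns 1 if the packet must be discarded.
 * An unprotected packet whose policy says PROTECT is a policy violation. */
static int ipsec_in_reject(const struct packet *p)
{
    switch (spd_lookup(p)) {
    case SPD_DISCARD: return 1;
    case SPD_PROTECT: return !p->ipsec_protected;
    default:          return 0;
    }
}

/* Vulnerable ordering: the SPD is consulted only on the local-delivery path;
 * a packet for another host goes straight to forwarding. */
static enum verdict ip_input_vulnerable(const struct packet *p)
{
    if (p->dst != GW_ADDR)
        return FORWARD;                 /* no inbound SPD check here */
    return ipsec_in_reject(p) ? DROP : DELIVER;
}

/* Fixed ordering: consult the SPD before deciding to forward as well. */
static enum verdict ip_input_fixed(const struct packet *p)
{
    if (ipsec_in_reject(p))
        return DROP;
    return p->dst != GW_ADDR ? FORWARD : DELIVER;
}

/* Wrapper so either path can be exercised with plain values. */
enum verdict verdict_for(int fixed, uint32_t src, uint32_t dst, int prot)
{
    struct packet p = { src, dst, prot };
    return fixed ? ip_input_fixed(&p) : ip_input_vulnerable(&p);
}

int main(void)
{
    static const char *name[] = { "deliver", "forward", "drop" };
    uint32_t peer_host = IP(10, 2, 0, 7), inside_host = IP(10, 1, 0, 5);

    /* Cleartext packet from the peer network, injected from the Internet side. */
    printf("cleartext peer->inside: vulnerable=%s fixed=%s\n",
           name[verdict_for(0, peer_host, inside_host, 0)],
           name[verdict_for(1, peer_host, inside_host, 0)]);
    /* The same packet arriving through the tunnel is legitimate on both paths. */
    printf("protected peer->inside: vulnerable=%s fixed=%s\n",
           name[verdict_for(0, peer_host, inside_host, 1)],
           name[verdict_for(1, peer_host, inside_host, 1)]);
    return 0;
}
```

The model keeps only what the bug depends on: the vulnerable path branches on "is this packet for me?" before the SPD is ever consulted, so the tunnel-mode PROTECT entry is never seen for transit traffic. Packets with no matching policy are bypassed on both paths, so the fix changes the outcome only for traffic the administrator explicitly said must be protected.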
Solution:   The vendor has released a fix:

If your system is affected, you must upgrade your kernel (/netbsd). Systems running NetBSD-current dated before 2002-02-25 should be upgraded to NetBSD-current dated 2002-02-26 or later. Systems running NetBSD 1.5.1 or 1.5.2 should be upgraded from netbsd-1-5 branch sources dated 2002-02-26 or later, or patched with:

ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-003-SPD-1.5.patch

NetBSD 1.5 is not vulnerable. NetBSD 1.5.3 will include the fix. The only file that changes is sys/netinet/ip_input.c. The vendor's full CVS update, patch and kernel rebuild instructions are reproduced in the Source Message below.

Vendor URL:  www.kame.net/
Cause:   State error
Underlying OS:  UNIX (NetBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 5 2002 KAME IPSec and IPSec Implementations in FreeBSD and NetBSD Fail to Apply the Security Policy Database to Inbound Forwarded Packets



 Source Message Contents

Subject:  NetBSD Security Advisory 2002-003: IPv4 forwarding doesn't consult inbound SPD



-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-003
		 =================================

Topic:		IPv4 forwarding doesn't consult inbound SPD

Version:	NetBSD-current:	source prior to Feb 26, 2002
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	not affected
		NetBSD-1.4.*:	not affected (no IPsec support)

Severity:	packets mistakenly go through VPN gateway

Fixed:		NetBSD-current:		Feb 26, 2002
		NetBSD-1.5 branch:	Feb 26, 2002 (1.5.3 will include the fix)


Abstract
========

There was a bug in the IPv4 forwarding path, and the inbound SPD
(security policy database) was not consulted on forwarding.  As a
result, NetBSD routers configured to be a VPN gateway failed to reject
unencrypted packets.

The problem affects NetBSD systems with the following configuration only:
- an IPv4 router (forwards IPv4 packet, net.inet.ip.forwarding=1)
- configured as VPN gateway (has tunnel-mode IPsec policy)


Technical Details
=================

http://online.securityfocus.com/archive/1/259598


Solutions and Workarounds
=========================

If your system is affected, you must upgrade your kernel (/netbsd).

The following instructions describe how to upgrade your kernel
by updating your source tree and rebuilding and installing a new version.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-02-25
	should be upgraded to NetBSD-current dated 2002-02-26 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		sys/netinet/ip_input.c

	To update from CVS, re-build, re-install the kernel and reboot:
		% cd src
		% cvs update -d -P sys/netinet


	Then build and install a new kernel. If you are not familiar
	with this process, documentation is available at:

		http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel


* NetBSD 1.5.1, 1.5.2:

	Systems running NetBSD 1.5.1 or 1.5.2 sources dated from
	before 2002-02-25 should be upgraded from NetBSD 1.5.*
	sources dated 2002-02-26 or later.

	NetBSD 1.5 is not vulnerable. NetBSD 1.5.3 will include the fix.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		sys/netinet/ip_input.c

	To update from CVS, re-build, re-install the kernel, and reboot:

		% cd src
		% cvs update -d -P sys/netinet


        Alternatively, apply the following patch (with potential offset
        differences):

                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-003-SPD-1.5.patch

        To patch:

                # cd src
                # patch < /path/to/SA2002-003-SPD-1.5.patch



	Then build and install a new kernel. If you are not familiar
	with this process, documentation is available at:

		http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel


Thanks To
=========

Greg Troxel and Bill Chiarchiaro

Jun-ichiro itojun Hagino for patches, and preparing advisory text.


Revision History
================

	2002-03-11	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-003.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-003.txt,v 1.5 2002/03/12 16:49:16 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPI4yFD5Ru2/4N2IFAQGd6gP/VrivjrjqlvdAratqXGfv4TDRGHjnYzbh
Giptuvn6TiEI/pLx4n9f5zd8BHr+1qITVlm9WNJkHTbnw+nLCQQAGR6Hwv/LwIX2
16Eb+ogWQnRPm8CyF/YzZyFzMMYKAWnI8ZMYVg2yXjNzbA8xtEcJL1vOxpCZYM9/
bJ/EpJ6V6F0=
=4VSK
-----END PGP SIGNATURE-----



Copyright 2022, SecurityGlobal.net LLC