SecurityTracker.com
Category:   Application (Security)  >   IPSec
Vendors:   Apple, eSoft, FreeBSD, FreeS/WAN Project, Global Technology Associates, Internet Initiative Japan, KAME Project, NEC Corporation, NetBSD
Several IPSec Implementations Can Be Crashed By Remote Users Sending Specially Crafted Packets
SecurityTracker Alert ID:  1005448
SecurityTracker URL:  http://securitytracker.com/id/1005448
CVE Reference:   CVE-2002-0666
Date:  Oct 18 2002
Impact:   Denial of service via network


Description:   A vulnerability was reported in several IPsec implementations. A remote user could cause a denial of service condition.

CERT reported that a vulnerability exists in KAME (FreeBSD, NetBSD), FreeS/WAN (Linux), and other IPsec implementations based on the KAME code. The software fails to properly validate the authentication header data in certain situations. The vulnerability is due to an unsigned integer overflow that can be triggered with "very small" datagrams, causing the integrity check value (ICV) to be calculated on an incorrect (and large) range of memory. This may cause a kernel panic on some systems.

A remote user could send a specially crafted IPsec packet to the system to potentially cause the system to crash.
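
The class of bug described above, shown as an added example (not code from KAME, FreeS/WAN or any vendor): an unsigned length subtraction that wraps for a too-short datagram, next to the length check that prevents it. The header and ICV sizes and the function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sizes for illustration; not taken from any vendor's code. */
#define HDR_FIXED_LEN 12u   /* assumed fixed part of the authentication header */
#define ICV_LEN       12u   /* assumed ICV length */

/* Unchecked form: number of bytes the ICV would be computed over.
 * If dgram_len < HDR_FIXED_LEN + ICV_LEN, the unsigned subtraction wraps
 * and yields a huge length instead of a negative one. */
size_t icv_span_unchecked(size_t dgram_len)
{
    return dgram_len - HDR_FIXED_LEN - ICV_LEN;
}

/* Checked form: reject datagrams too short to hold the header and ICV
 * before any subtraction. Returns 0 on success, -1 to drop the packet. */
int icv_span_checked(size_t dgram_len, size_t *span)
{
    if (dgram_len < (size_t)HDR_FIXED_LEN + ICV_LEN)
        return -1;
    *span = dgram_len - HDR_FIXED_LEN - ICV_LEN;
    return 0;
}

int main(void)
{
    size_t lens[] = { 64, 24, 8 };   /* constructed sample datagram lengths */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t span = 0;
        int rc = icv_span_checked(lens[i], &span);
        printf("len=%zu unchecked=%zu checked=%s\n",
               lens[i], icv_span_unchecked(lens[i]),
               rc == 0 ? "accept" : "drop");
    }
    return 0;
}
```
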

BindView RAZOR is credited with discovering and reporting this issue.

Many vendors are affected, including Apple, eSoft, GTA, Internet Initiative Japan, KAME, NEC, NetBSD. Some information is available regarding affected versions of some vendor products (however, this list is not complete):

For Apple Computer, Mac OS X 10.2 and Mac OS X Server 10.2 are affected.

For eSoft, eSoft InstaGate is reportedly affected.

For GTA, firewall products running GNAT Box system software version 3.3.1 and prior are affected.

For Internet Initiative Japan (IIJ), SEIL/neu routers running firmware versions prior to 1.63 are affected.

For KAME, code from the tree prior to August 21, 2002 is affected.

For NEC, the IX 1000/2000 Series (IX1010, IX1011, IX1020, IX1050, Bluefire IX1035 and IX2010) is affected.

Impact:   A remote user could cause the system to crash.
Solution:   At the time of this entry, the following information about fixed versions was available. Check the Message History for future updates as individual vendors release their advisories.

Apple:

The bug has reportedly been fixed in Mac OS X 10.2.1 and Mac OS X Server 10.2.1.

Software updates are available from the "Software Update" pane in System Preferences or from the Apple Software Downloads site:

Mac OS X Update 10.2.1
http://docs.info.apple.com/article.html?artnum=120147

Mac OS X Server Update 10.2.1
http://docs.info.apple.com/article.html?artnum=120149


eSoft:

eSoft InstaGate is reportedly affected, but only if the remote user knows both the IP address of a tunnel endpoint and the SPI value for that tunnel. A patch is reportedly available through eSoft's SoftPak Director.


GTA:

For GNAT Box system software version 3.3.0, a system software update version 3.3.1 is available from GTA's Online Support Center:

http://www.gta.com/support/center/

For GNAT Box system software version 3.2.x, a system software update version 3.2.6 is available from GTA's Online Support Center:

http://www.gta.com/support/center/

For GNAT Box system software version 3.1.x or prior versions, no update is available. The vendor recommends upgrading to 3.3.1 or adding Remote Access filters to restrict access to designated remote VPN gateways.


Internet Initiative Japan (IIJ) SEIL/neu routers:

You can upgrade to firmware version 1.63 or later, available at:

http://www.seil-neu.com/


KAME:

It is reported that the KAME software tree was fixed on 2002/08/21.


NEC:

The IX 5000 Series is reportedly not vulnerable. The IX 1000 / 2000 Series (IX1010, IX1011, IX1020, IX1050, Bluefire IX1035 and IX2010) is affected. The vendor plans to release a fix in early November 2002.


NetBSD:

A security advisory is pending:

ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2002-016.txt.asc

Vendor URL:  www.kb.cert.org/vuls/id/459371
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (FreeBSD), UNIX (NetBSD), UNIX (macOS/OS X)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Issues Fix for FreeS/WAN) Several IPSec Implementations Can Be Crashed By Remote Users Sending Specially Crafted Packets
Debian has released a fix for FreeS/WAN.



 Source Message Contents

Subject:  IPSec vulnerabilities


http://www.kb.cert.org/vuls/id/459371

CVE Number: CAN-2002-0666

CERT reported that several IPsec implementations fail to properly validate authentication
data.  A denial of service situation may occur as a result.

CERT credited BindView RAZOR for discovering and reporting this issue. 

A vulnerability reportedly exists in KAME (FreeBSD, NetBSD), FreeS/WAN (Linux), and other
IPsec implementations.  The vulnerability is due to an unsigned integer overflow that can
be triggered with "very small" datagrams, causing the integrity check value (ICV) to be
calculated on an incorrect (and large) range of memory.  This may cause a kernel panic on
some systems.

A remote user could send a specially crafted IPsec packet to the system to potentially
cause the system to crash.

Many vendors may be affected.  At the time of this entry, the following information was
available regarding specific vendor releases.


-----------------------

Apple:

Mac OS X 10.2, and Mac OS X Server 10.2 are affected.  The bug has reportedly been fixed
in Mac OS X 10.2.1 and Mac OS X Server 10.2.1.

Software updates are available from the "Software Update" pane in System Preferences or
from the Apple Software Downloads site:

Mac OS X Update 10.2.1
http://docs.info.apple.com/article.html?artnum=120147

Mac OS X Server Update 10.2.1
http://docs.info.apple.com/article.html?artnum=120149


eSoft:

eSoft InstaGate is reportedly affected, but only if the remote user knows both the IP
address of a tunnel endpoint and the SPI value for that tunnel. A patch is reportedly
available through eSoft's SoftPak Director.


GTA:

GTA firewall products running GNAT Box system software version 3.3.1 and prior are
affected.  GTA has reportedly released system software updates to correct this
vulnerability.


For GNAT Box system software version 3.3.0, a system software update version 3.3.1 is
available from GTA's Online Support Center: 

http://www.gta.com/support/center/

For GNAT Box system software version 3.2.x, a system software update version 3.2.6 is
available from GTA's Online Support Center: 

http://www.gta.com/support/center/

For GNAT Box system software version 3.1.x or prior versions, no update is available.  The
vendor recommends upgrading to 3.3.1 or adding Remote Access filters to restrict access to
designated remote VPN gateways.


Internet Initiative Japan (IIJ) SEIL/neu routers:

Firmware versions prior to 1.63 are affected.  You can upgrade to firmware version 1.63 or
later, available at:

http://www.seil-neu.com/


KAME:

It is reported that the KAME software tree was fixed on 2002/08/21.


NEC:

The IX 5000 Series is reportedly not vulnerable.

The IX 1000 / 2000 Series (IX1010, IX1011, IX1020, IX1050, Bluefire IX1035 and IX2010) is
affected.  The vendor plans to release a fix in early November 2002.


NetBSD:

A security advisory is pending:

ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2002-016.txt.asc


-----------------------



 
 



Copyright 2021, SecurityGlobal.net LLC