SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Racoon Vendors:   KAME Project
(NetBSD Issues Fix) KAME Racoon Hash Validation Flaw Lets Remote Users Delete Security Associations
SecurityTracker Alert ID:  1009146
SecurityTracker URL:  http://securitytracker.com/id/1009146
CVE Reference:   CVE-2004-0164   (Links to External Site)
Date:  Feb 20 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Some vulnerabilities were reported in the KAME Racoon daemon. A remote user can cause IPSec security associations (SAs) to be deleted.

In January 2004, it was reported that the software fails to validate hash values in certain cases. A remote user can send messages to cause established SAs to be deleted.

It is reported that a remote user can send a delete message that contains the initiator cookie for a main/aggressive/base mode transaction and includes an arbitrary hash value. If the IP source address is correct and the ISAKMP SA has not yet been setup, the target system will incorrectly honor the delete message.

It is also reported that a remote user can send an INITIAL-CONTACT notification to cause all IPSec SAs associated with the destination address to be deleted.

A demonstration exploit scenario is described in the Source Message.

Impact:   A remote user can cause SAs to be deleted.
Solution:   NetBSD has issued the following fixes:

For NetBSD-current:

Systems running NetBSD-current dated from before 2004-01-16 should be upgraded to NetBSD-current dated 2004-01-17 or later.

The following directories need to be updated from the netbsd-current CVS branch (aka HEAD):
crypto/dist/kame/racoon
usr.sbin/racoon

To update from CVS, re-build, and re-install racoon:
# cd src
# cvs update -d -P crypto/dist/kame/racoon usr.sbin/racoon
# cd usr.sbin/racoon

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install


For NetBSD 1.6, 1.6.1:

The binary distributions of NetBSD 1.6 and 1.6.1 are vulnerable.

* Binary patch:

To apply the binary patch, perform the following steps, replacing ARCH with the NetBSD architecture you are running (i.e. i386):

ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2004-001-racoon/netbsd-1-6/ARCH-racoon.tgz
cd / && tar xzvpf /path/to/ARCH-racoon.tgz

The tar file will extract a new copy of:
/usr/sbin/racoon

Then restart racoon:
/etc/rc.d/racoon restart


To update from sources:

Systems running NetBSD 1.6 sources dated from before 2004-02-09 should be upgraded from NetBSD 1.6 sources dated 2004-02-10 or later.

NetBSD 1.6.2 will include the fix.

The following directories need to be updated from the netbsd-1-6 CVS branch:
crypto/dist/kame/racoon
usr.sbin/racoon

To update from CVS, re-build, and re-install racoon:

# cd src
# cvs update -d -P -r netbsd-1-6 crypto/dist/kame/racoon \
usr.sbin/racoon
# cd usr.sbin/racoon

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

Vendor URL:  www.kame.net/racoon/ (Links to External Site)
Cause:   Authentication error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  1.6, 1.6.1

Message History:   This archive entry is a follow-up to the message listed below.
Feb 19 2004 KAME Racoon Hash Validation Flaw Lets Remote Users Delete Security Associations



 Source Message Contents

Subject:  NetBSD Security Advisory 2004-001: Insufficient packet validation in racoon IKE daemon



-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2004-001
		 =================================

Topic:		Insufficient packet validation in racoon IKE daemon

Version:	NetBSD-current:	source prior to January 17, 2004
		NetBSD 1.6.2:	not affected (fixed)
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected
		NetBSD-1.5.*:	not affected (does not ship with racoon)
		pkgsrc:		packages prior to racoon-20040116a

Severity:	IPsec SA/ISAKMP SA may be deleted remotely by malicious
		third party

Fixed:		NetBSD-current:		January 17, 2004
		NetBSD-1.6 branch:	February 10, 2004 (1.6.2 includes the fix)
		pkgsrc:			racoon-20040116a corrects this issue


Abstract
========

NetBSD ships with the racoon(8) IKE (Internet Key Exchange) daemon.
A vulnerability was found in the code for packet validation of
"informational exchange" messages.

By sending specifically-crafted IKE packets, a malicious party could
remove an IPsec SA (those visible via setkey(8)) and/or ISAKMP SA
(secret communication channel used for communication between IKE
daemons) on the victim node.

Exploits for this issue have been circulated publicly.


Technical Details
=================

http://www.securityfocus.com/archive/1/349756


Solutions and Workarounds
=========================


If you are not using IPSec, your system is not affected.

If you are not running the racoon(8) IKE daemon, your system is not
affected.  However, we recomend you upgrade racoon so that you will
not experience problems if you enable it later.

If you are currently running racoon(8), you need to stop the old
instance of racoon(8) and run the new one.

The following instructions describe how to upgrade your racoon(8)
binaries by updating your source tree and rebuilding and
installing a new version of racoon(8).

* NetBSD-current:

	Systems running NetBSD-current dated from before 2004-01-16
	should be upgraded to NetBSD-current dated 2004-01-17 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		crypto/dist/kame/racoon
		usr.sbin/racoon

	To update from CVS, re-build, and re-install racoon:
		# cd src
		# cvs update -d -P crypto/dist/kame/racoon usr.sbin/racoon
		# cd usr.sbin/racoon

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 1.6, 1.6.1:

	The binary distributions of NetBSD 1.6 and 1.6.1 are vulnerable.

	* Binary patch:

	To apply the binary patch, perform the following steps,
	replacing ARCH with the NetBSD architecture you are running
	(i.e. i386):

        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2004-001-racoon/netbsd-1-6/ARCH-racoon.tgz
        cd / && tar xzvpf /path/to/ARCH-racoon.tgz

        The tar file will extract a new copy of:
                /usr/sbin/racoon

        Then restart racoon:
	/etc/rc.d/racoon restart


        * Updating from sources:

	Systems running NetBSD 1.6 sources dated from before
	2004-02-09 should be upgraded from NetBSD 1.6 sources dated
	2004-02-10 or later.

	NetBSD 1.6.2 will include the fix.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		crypto/dist/kame/racoon
		usr.sbin/racoon

	To update from CVS, re-build, and re-install racoon:

		# cd src
		# cvs update -d -P -r netbsd-1-6 crypto/dist/kame/racoon \
			usr.sbin/racoon
		# cd usr.sbin/racoon

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* pkgsrc:

	If your system has racoon pkgsrc dated before 20040116a, uninstall
	and upgrade to racoon-20040116a or higher.


Thanks To
=========

Thomas Walpuski
IIJ SEIL team


Revision History
================

	2004-02-18	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-001.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2004-001.txt.asc,v 1.1 2004/02/18 14:13:24 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)

iQCVAwUBQDNz0z5Ru2/4N2IFAQF9+wP/X+UjRC5d7qqC7/PdiBrZplx/Jq1847xn
sEeRL8VEyOnFtfQ84oWS1GqLP1nvedm9jeRHQ3JlamVGKh2Vs2A2e8wxvKA+OVgx
vd6RgttpOxEATgn26FWCY++p8ZaOoDGdZQCboVlYDXq0lkhYG5eyZArgvNE2RpNB
Z4YQA5NiVls=
=Rzqk
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC