SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Security)  >   isakmpd
Vendors:   OpenBSD

isakmpd Payload Handling Flaw Lets Remote Users Crash the Daemon
SecurityTracker Alert ID:  1009544
SecurityTracker URL:  http://securitytracker.com/id/1009544
CVE Reference:   CVE-2004-0218, CVE-2004-0219, CVE-2004-0220, CVE-2004-0221, CVE-2004-0222
Date:  Mar 24 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Some vulnerabilities were reported in the ISAKMP daemon (isakmpd) in the processing of payloads. A remote user can cause the daemon to crash.

It is reported that there are flaws in the payload validation and processing functions. A remote user can send specially crafted ISAKMP messages to cause isakmpd to crash or to loop endlessly, the report said. Some memory leaks were also reported.

The 'doi.h', 'util.h', 'ipsec.c', 'isakmp_doi.c', and 'message.c' files are affected.

Rapid7 released an advisory describing the vulnerabilities in greater detail. The vulnerabilities were detected based on testing with the Rapid7 Striker ISAKMP Protocol Test Suite.

A remote user can send a packet with a user-defined length of 0 to cause the target daemon to enter an infinite loop attempting to parse the same payload repeatedly [CVE: CVE-2004-0218].

A remote user can reportedly send a specially crafted IPSec security association (SA) packet to cause the daemon to crash [CVE: CVE-2004-0219].

A remote user can send a specially crafted ISAKMP Cert Request payload to trigger an integer underflow and a resulting memory allocation failure [CVE: CVE-2004-0220].

It is also reported that a remote user can send a specially crafted ISAKMP Delete payload that contains a large number of security protocol identifiers (SPIs) to cause the target daemon to crash [CVE: CVE-2004-0221].

Finally, a remote user can exploit some memory leaks in the processing of isakmpd packets to cause the target daemon to consume all available memory and crash [CVE: CVE-2004-0222].

Impact:   A remote user can cause isakmpd to crash or enter an endless loop.
Solution:   OpenBSD has issued fixes for OpenBSD, available at:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/015_isakmpd2.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/020_isakmpd2.patch

Vendor URL:  www.openbsd.org/
Cause:   Boundary error, Exception handling error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Affects OpenBSD 3.3 and 3.4

Message History:   This archive entry is a follow-up to the message listed below.
Mar 17 2004 isakmpd Payload Handling Flaw Lets Remote Users Crash the Daemon



 Source Message Contents

Subject:  R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities


_______________________________________________________________________
                     Rapid7, Inc. Security Advisory
       Visit http://www.rapid7.com/ to download NeXpose,
        the world's most advanced vulnerability scanner.
      Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0018
OpenBSD isakmpd payload handling denial-of-service vulnerabilities

   Published:  March 23, 2004
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0018.html

   CVE:    CAN-2004-0218, CAN-2004-0219, CAN-2004-0220, CAN-2004-0221,
           CAN-2004-0222

1. Affected system(s):

   KNOWN VULNERABLE:
    o OpenBSD 3.4 and earlier
    o OpenBSD-current as of March 17, 2004

2. Summary

   The ISAKMP packet processing functions in OpenBSD's isakmpd
   daemon contain multiple payload handling flaws that allow
   a remote attacker to launch a denial of service attack
   against the daemon.

   Carefully crafted ISAKMP packets will cause the isakmpd daemon
   to attempt out-of-bounds reads, exhaust available memory, or
   loop endlessly (consuming 100% of the CPU).

3. Vendor status and information

   OpenBSD
   http://www.openbsd.org

   OpenBSD has been notified of the issues and they have provided
   source code patches to fix the problems for -current, 3.4-stable,
   and 3.3-stable.  See http://www.openbsd.org/errata.html for
   more information.

   The isakmpd daemon in the upcoming OpenBSD 3.5 release will be
   privilege-separated, which greatly lessens the risk of any
   future vulnerabilities that may be found.

4. Solution

   Update and rebuild the isakmpd daemon:

      cd /usr/src/sbin/isakmpd
      cvs update -dP
      make clean && make obj && make && sudo make install

   You can also apply the appropriate patches from
   http://www.openbsd.org/errata.html instead of using CVS.

5. Detailed analysis

   To test the security and robustness of IPSEC implementations
   from multiple vendors, the security research team at Rapid7
   has designed the Striker ISAKMP Protocol Test Suite.  Striker
   is an ISAKMP packet generation tool that automatically produces
   and sends invalid and/or atypical ISAKMP packets.

   This advisory is the first in a series of vulnerability
   disclosures discovered with the Striker test suite.  Striker
   will be made available to qualified IPSEC vendors.  Please
   email advisory@rapid7.com for more information on obtaining
   Striker.

   OpenBSD's isakmpd daemon performs insufficient validation on
   payload lengths and payload field lengths before attempting to
   read the fields.  This results in out-of-bounds reads in several
   cases.

   Denial of service by 0-length ISAKMP payload
   CVE ID: CAN-2004-0218

      An ISAKMP packet with a malformed payload having a self-reported
      payload length of zero will cause isakmpd to enter an infinite
      loop, parsing the same payload over and over again.

      This issue is similar to CAN-2003-0989, which affected TCPDUMP.

   Denial of service by various malformed ISAKMP IPSEC SA payload
   CVE ID: CAN-2004-0219

      An ISAKMP packet with a malformed IPSEC SA payload will
      cause isakmpd to read out of bounds and crash.

   Denial of service by malformed ISAKMP Cert Request payload
   CVE ID: CAN-2004-0220

      An ISAKMP packet with a malformed Cert Request payload
      will cause an integer underflow, resulting in a failed
      malloc of a huge amount of memory.

   Denial of service by malformed ISAKMP Delete payload
   CVE ID: CAN-2004-0221

      An ISAKMP packet with a malformed delete payload having
      a large number of SPIs will cause isakmpd to read out of
      bounds and crash.

   Denial of service by various memory leaks
   CVE ID: CAN-2004-0222

      Various memory leaks in packet processing can be triggered
      by a remote attacker until all available memory is exhausted,
      resulting in eventual termination of the daemon.
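   The payload-length checks described in section 5 above (and in the alert
   summary at the top of this page), written as an added example rather than
   isakmpd's own code or the OpenBSD patch: a payload-chain walker that rejects
   the zero-length payload (CAN-2004-0218), a Delete payload whose SPI count
   exceeds the bytes present (CAN-2004-0221), and the Cert Request length
   underflow (CAN-2004-0220). Payload layouts follow RFC 2408; the 20-byte
   sample packet is constructed, and the function and macro names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#define ISAKMP_GEN_HDR 4          /* next-payload, reserved, length (2 bytes) */
#define ISAKMP_PAYLOAD_DELETE 12  /* RFC 2408 payload type for Delete */
#define DELETE_FIXED_LEN 8        /* DOI (4), protocol-id (1), SPI size (1), #SPIs (2) */

static size_t get16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Delete body: declared SPI count times SPI size must fit in the bytes
 * present, or the parser reads past the packet (CAN-2004-0221 class). */
static int validate_delete(const uint8_t *body, size_t body_len)
{
    if (body_len < DELETE_FIXED_LEN) return -1;
    size_t spi_size = body[5], nspis = get16(body + 6);
    return nspis * spi_size > body_len - DELETE_FIXED_LEN ? -1 : 0;
}

/* Cert Request body: 1 byte encoding + CA data. Check before subtracting so
 * an empty body cannot underflow to SIZE_MAX and reach malloc (CAN-2004-0220
 * class). Returns the CA data length, or -1 for a malformed body. */
long certreq_ca_len(size_t body_len)
{
    return body_len < 1 ? -1 : (long)(body_len - 1);
}

/* Walk an ISAKMP payload chain: buf holds the bytes after the 28-byte ISAKMP
 * header, first is that header's next-payload field. Returns the number of
 * payloads accepted, or -1 at the first malformed one. */
int walk_payloads(const uint8_t *buf, size_t len, uint8_t first)
{
    size_t off = 0; int count = 0; uint8_t type = first;
    while (type != 0) {                              /* 0 = no next payload */
        if (len - off < ISAKMP_GEN_HDR) return -1;   /* generic header missing */
        const uint8_t *hdr = buf + off;
        size_t plen = get16(hdr + 2);
        /* Below the 4-byte header (zero included) off never advances and the loop
         * spins forever (CAN-2004-0218); beyond len - off is an out-of-bounds read. */
        if (plen < ISAKMP_GEN_HDR || plen > len - off) return -1;
        if (type == ISAKMP_PAYLOAD_DELETE &&
            validate_delete(hdr + ISAKMP_GEN_HDR, plen - ISAKMP_GEN_HDR) != 0)
            return -1;
        type = hdr[0];
        off += plen;
        count++;
    }
    return count;
}

/* Constructed sample, not a captured packet: one Delete payload (DOI 1, ESP, SPI size 4, two SPIs). */
const uint8_t sample_delete[20] = { 0,0,0,20, 0,0,0,1, 3,4, 0,2, 1,2,3,4, 5,6,7,8 };
```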

6. Contact Information

   Rapid7 Security Advisories
   Email:  advisory@rapid7.com
   Web:    http://www.rapid7.com/
   Phone:  +1 (617) 603-0700

7. Disclaimer and Copyright

   Rapid7, LLC is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2004 Rapid7, LLC.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.
