SecurityTracker.com
SecurityTracker Archives

Category:   Application (Security)  >   Racoon
Vendor:   KAME Project
KAME Racoon RSA Signature IKE Phase 1 Authentication Flaw Authenticates Remote Users
SecurityTracker Alert ID:  1009694
SecurityTracker URL:  http://securitytracker.com/id/1009694
CVE Reference:   CVE-2004-0155
Date:  Apr 7 2004
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): crypto_openssl.c file version 1.83 and prior versions
Description:   An authentication vulnerability was reported in KAME Racoon. A remote user presenting a valid certificate, but not holding the private key that matches it, can be authenticated.

Ralf Spenneberg reported that racoon does not verify the RSA signature exchanged during IKE Phase 1, in either main mode or aggressive mode. As a result, a remote user who presents a legitimate certificate but signs with some other private key is successfully authenticated.

The flaw resides in 'crypto_openssl.c' in the eay_check_x509sign() function, which is supposed to verify the peer's signature against the public key carried in the peer's X.509 certificate.

Impact:   A remote user can be authenticated without holding the proper private RSA key. Since certificates are not secret, anyone who can obtain a legitimate peer's certificate can complete Phase 1 as that peer.
Solution:   A fix is available via CVS at:

http://www.kame.net/dev/cvsweb2.cgi/kame/kame/kame/racoon/crypto_openssl.c?rev=1.84&content-type=text/x-cvsweb-markup

Vendor URL:  www.kame.net/racoon/
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any)
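The check that eay_check_x509sign() is responsible for, written out as an added example (not racoon's own code, which is C on top of OpenSSL): parse the peer's X.509 certificate, take the RSA public key out of it, and verify that SIG_I was produced over HASH_I with the private key matching that public key. The example uses Go's standard library instead of OpenSSL; the function names, the subject name peer.example and the 20-byte HASH_I value are the example's own, constructed so it runs offline. It follows racoon's convention of signing the raw HASH_I with PKCS#1 v1.5 padding and no DigestInfo prefix; if you model another implementation that hashes differently, change the hash argument accordingly. The scenario plays the two cases the advisory contrasts: a signature made with the certificate's own key must pass, and a signature made with any other private key, presented together with that same valid certificate, must be rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// checkX509Sign models the check that racoon's eay_check_x509sign() must
// perform: parse the peer's certificate, take the RSA public key out of it,
// and verify that sig was made over hashI with the matching private key.
// racoon signs the raw HASH_I with PKCS#1 v1.5 padding and no DigestInfo
// prefix, hence the zero hash argument (Go then verifies hashI as given).
func checkX509Sign(hashI, sig, certDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("cannot parse peer certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("peer certificate does not carry an RSA public key")
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.Hash(0), hashI, sig); err != nil {
		return fmt.Errorf("SIG_I does not verify against the certificate key: %w", err)
	}
	return nil
}

// signHashI produces SIG_I the way racoon's eay_rsa_sign() does: raw PKCS#1
// v1.5 over HASH_I with the signer's private key.
func signHashI(priv *rsa.PrivateKey, hashI []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.Hash(0), hashI)
}

// selfSignedCert builds a self-signed certificate for priv so the example
// runs offline (a real peer presents a CA-issued one; chain validation is a
// separate step not modelled here). The subject name is made up.
func selfSignedCert(priv *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "peer.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
}

// Outcome records the two cases the advisory contrasts.
type Outcome struct {
	GenuineAccepted  bool // signature made with the key matching the certificate
	WrongKeyAccepted bool // same certificate, signature made with another key
}

// RunScenario plays both cases against checkX509Sign. Keys, certificate and
// HASH_I are constructed here; the 20-byte HASH_I is a placeholder for
// prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b).
func RunScenario() (Outcome, error) {
	var out Outcome
	peerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	certDER, err := selfSignedCert(peerKey)
	if err != nil {
		return out, err
	}
	hashI := []byte("constructed HASH_I!!")
	genuineSig, err := signHashI(peerKey, hashI)
	if err != nil {
		return out, err
	}
	wrongSig, err := signHashI(otherKey, hashI) // valid certificate, wrong key
	if err != nil {
		return out, err
	}
	out.GenuineAccepted = checkX509Sign(hashI, genuineSig, certDER) == nil
	out.WrongKeyAccepted = checkX509Sign(hashI, wrongSig, certDER) == nil
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine key accepted: %v\n", out.GenuineAccepted)
	fmt.Printf("wrong key accepted:   %v\n", out.WrongKeyAccepted)
}
```

A verifier that behaves like the vulnerable versions described here would report true for both lines; a correct one reports true for the genuine key and false for the wrong key. The point to carry into any review of an IKE implementation is that the certificate alone proves nothing, since it is public; only the signature check against the key inside it ties the peer to the private key.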

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 7 2004 (Gentoo Issues Fix) KAME Racoon RSA Signature IKE Phase 1 Authentication Flaw Authenticates Remote Users
Gentoo has released a fix for ipsec-tools.
Apr 9 2004 (Mandrake Issues Fix) KAME Racoon RSA Signature IKE Phase 1 Authentication Flaw Authenticates Remote Users
Mandrake has released a fix.
May 4 2004 (Apple Issues Fix for Mac OS X) KAME Racoon RSA Signature IKE Phase 1 Authentication Flaw Authenticates Remote Users
Apple has released a fix for Mac OS X.
May 12 2004 (Red Hat Issues Fix for RH Enterprise Linux) KAME Racoon RSA Signature IKE Phase 1 Authentication Flaw Authenticates Remote Users
Red Hat has released a fix for Red Hat Enterprise Linux 3.
Jun 23 2004 (Gentoo Issues Fix for IPsec-Tools) KAME Racoon RSA Signature IKE Phase 1 Authentication Flaw Authenticates Remote Users
Gentoo has released a fix for IPsec-Tools.



 Source Message Contents

Subject:  Possible security hole in racoon verified on FreeBSD using

Hi,

while testing racoon on Linux (based on the ported ipsec-tools) the
following issue appeared:
Racoon did not verify the RSA Signatures during Phase 1 in either main
or aggressive mode.
Authentication was possible using a correct certificate and a wrong
private key.

I have verified the below problem using racoon-20030711 on FreeBSD 4.9. I will test
it using the SNAP Kit but suspect it to be vulnerable, too.

Probably other implementations like racoon and Mac OS X are vulnerable, too.

On Linux the issue was resolved with the attached patch.

Could you look into this?

I would like to publish a Bugtraq report after the weekend, provided that you have confirmed
that either your racoon is not vulnerable or you have patches available.

Regards,

Ralf
-- 
Ralf Spenneberg
UNIX/Linux Trainer and Consultant, RHCE, RHCX
Waldring 34                             48565 Steinfurt         Germany
Phone: +49(0)2552 638 755               Fax: +49(0)2552 638 757
Mobile: +49(0)177 567 27 40

Markt+Technik book:                     Intrusion Detection für Linux Server
Addison-Wesley book:                    VPN mit Linux
IPsec-Howto:                            http://www.ipsec-howto.org
IPsec/PPTP Kernels for Red Hat Linux:   http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror:                http://honeynet.spenneberg.org
Snort Mirror:                           http://snort.spenneberg.org
