SecurityTracker.com

SecurityTracker
Archives
Category:   Application (Security)  >   Racoon
Vendors:   KAME Project
KAME Racoon May Validate Invalid Certificates
SecurityTracker Alert ID:  1010495
SecurityTracker URL:  http://securitytracker.com/id/1010495
CVE Reference:   CVE-2004-0607
Updated:  Jul 30 2004
Original Entry Date:  Jun 15 2004
Impact:   Host/resource access via network


Description:   A vulnerability was reported in KAME Racoon. The software may validate invalid certificates in certain cases.

Thomas Walpuski reported that there is a flaw in the verification of digital certificates in the eay_check_x509cert() function. The function sets a verify callback that will result in a successful verification on certificates that have expired, are self-signed, signed by an invalid certificate authority, used for an invalid purpose, or have a certificate chain that is too long, the report said.

Impact:   Invalid certificates may be successfully validated.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.kame.net/racoon/
Cause:   Authentication error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 30 2004 (Red Hat Issues Fix for RHEL) KAME Racoon May Validate Invalid Certificates
Red Hat has released a fix for Red Hat Enterprise Linux 3.
Sep 8 2004 (Apple Issues Fix) KAME Racoon May Validate Invalid Certificates
Apple has released a fix for Mac OS X.



Source Message Contents

Subject:  [Full-Disclosure] authentication bug in KAME's racoon


Summary

  There is a severe bug in racoon's authentication via digital
  signatures with certificates.

Description

  racoon verifies the peer's certificate using eay_check_x509cert().
  For some strange reason eay_check_x509cert() sets a verify callback:

    X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert);

  Verify callbacks are usually used for debugging purposes. Take a look
  at what racoon uses the verify callback for:

    static int
    cb_check_cert(ok, ctx)
            int ok;
            X509_STORE_CTX *ctx;
    {
            char buf[256];
            int log_tag;

            if (!ok) {
                    [..]
                    switch (ctx->error) {
                    case X509_V_ERR_CERT_HAS_EXPIRED:
                    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
    #if OPENSSL_VERSION_NUMBER >= 0x00905100L
                    case X509_V_ERR_INVALID_CA:
                    case X509_V_ERR_PATH_LENGTH_EXCEEDED:
                    case X509_V_ERR_INVALID_PURPOSE:
    #endif
                            ok = 1;
                            log_tag = LLV_WARNING;
                            break;
                    default:
                            log_tag = LLV_ERROR;
                    }
                    [..]
            }
            ERR_clear_error();

            return ok;
    }

  If OpenSSL fails on verifying the certificate, because it is expired,
  self-signed, signed by an inappropriate CA, not allowed for that
  purpose or the certificate chain is too long, racoon does not care
  about that and declares the verification successful. I dare to say
  that is brain dead.

Affected Systems

  All versions of racoon known to me are vulnerable.

Impact

  IMO besides remote privilege escalation that is the worst case
  scenario for an IKE daemon.

Solution?

  There are no bug fixes, yet. I recommend not using racoon at all.

Thomas Walpuski

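The verify-callback contract the post describes, reduced to a runnable model (an added example, not racoon's or OpenSSL's code): a constructed verifier loop that reports each failed check to the callback and takes the callback's return value as the verdict, with the quoted cb_check_cert logic beside a log-only callback that leaves the verdict alone. The Cert class, the X509_STORE_CTX stand-in, the trust store and the peer certificates are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from types import SimpleNamespace

# OpenSSL verify-error codes the advisory names (numeric values are illustrative).
(X509_V_OK, X509_V_ERR_CERT_SIGNATURE_FAILURE, X509_V_ERR_CERT_HAS_EXPIRED,
 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, X509_V_ERR_INVALID_CA,
 X509_V_ERR_PATH_LENGTH_EXCEEDED, X509_V_ERR_INVALID_PURPOSE) = 0, 7, 10, 18, 24, 25, 26

@dataclass
class Cert:                 # constructed stand-in for an X509 object
    subject: str
    issuer: str
    not_after: datetime
    signature_valid: bool   # signature verifies under the issuer's key

def x509_verify_cert(cert, trust_store, cb, now):
    """OpenSSL-style loop: each failed check is reported to cb(0, ctx); cb's return is the verdict."""
    ctx = SimpleNamespace(error=X509_V_OK)   # stand-in for X509_STORE_CTX
    checks = [(not cert.signature_valid, X509_V_ERR_CERT_SIGNATURE_FAILURE),
              (cert.issuer not in trust_store and cert.subject == cert.issuer,
               X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT),
              (cert.issuer not in trust_store and cert.subject != cert.issuer,
               X509_V_ERR_INVALID_CA),
              (cert.not_after < now, X509_V_ERR_CERT_HAS_EXPIRED)]
    for failed, err in checks:
        if failed:
            ctx.error = err
            if not cb(0, ctx):               # the callback may override ok=0
                return 0, err
    return 1, ctx.error                      # 1 with a non-zero error = overridden failure

RACOON_IGNORED = {X509_V_ERR_CERT_HAS_EXPIRED, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
                  X509_V_ERR_INVALID_CA, X509_V_ERR_PATH_LENGTH_EXCEEDED, X509_V_ERR_INVALID_PURPOSE}

def cb_check_cert_racoon(ok, ctx):
    """The advisory's callback: these failures are downgraded to warnings and ok is forced to 1."""
    return 1 if not ok and ctx.error in RACOON_IGNORED else ok

def cb_log_only(ok, ctx):
    """Hardened form: log the failure, never change OpenSSL's verdict."""
    if not ok:
        print("certificate verification failed, error", ctx.error)
    return ok

NOW = datetime(2004, 6, 15, tzinfo=timezone.utc)
TRUST_STORE = {"CN=Corp VPN CA"}             # constructed trust anchor
# Constructed peers: an unknown self-signed cert and an expired CA-issued cert.
SELF_SIGNED = Cert("CN=unknown-peer", "CN=unknown-peer", datetime(2010, 1, 1, tzinfo=timezone.utc), True)
EXPIRED = Cert("CN=peer", "CN=Corp VPN CA", datetime(2003, 1, 1, tzinfo=timezone.utc), True)
```

With racoon's callback both constructed peers verify as (1, error); with the log-only callback the same peers are rejected, which is the only behaviour a verify callback in an IKE daemon should have.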


Copyright 2018, SecurityGlobal.net LLC