SecurityTracker.com
SecurityTracker Archives

Category:   Application (Security)  >   IPSec Vendors:   [Multiple Authors/Vendors]
IPSec ESP Lets Inline Users Modify Packets to Cause the Plaintext to Be Rerouted and Recovered
SecurityTracker Alert ID:  1013926
SecurityTracker URL:  http://securitytracker.com/id/1013926
CVE Reference:   CVE-2005-0039   (Links to External Site)
Date:  May 9 2005
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  

Description:   A vulnerability was reported in some IPSec configurations. A remote user with the ability to modify the encrypted packets during transmission may be able to obtain the original plaintext.

Systems that use IPsec Encapsulating Security Payload (ESP) in tunnel mode with only confidentiality are affected.

Some systems that use Authentication Header (AH) for integrity protection are also vulnerable.

A remote user can modify sections of an IPsec packet to cause the ciphertext portion to be decrypted by a legitimate gateway and then redirected to an alternate host by the destination's security gateway.

A remote user can also modify sections of an IPsec packet to cause a network host to issue an ICMP error message, which may contain portions of plaintext packet header and payload.

In particular, a remote user can flip certain bits to modify the portion of the encrypted packet that contains the destination IP address of the payload (i.e., the inner packet). Then, when the destination security gateway decrypts the packet, it will be routed to the modified IP address.

The IP Options field can be modified in the same way, which may cause the destination gateway to generate an ICMP "parameter problem" message that includes the affected plaintext packet, and to send that ICMP message to a modified address.

The Protocol field can also be modified in a similar fashion, resulting in an ICMP "protocol unreachable" message.

[Editor's note: A list of affected vendors and products was not available at the time of this original entry.]

The UK National Infrastructure Security Co-ordination Centre (NISCC) reported this vulnerability.

The original advisory is available at:

http://www.uniras.gov.uk/niscc/docs/al-20050509-00386.html?lang=en

Impact:   A remote user with the ability to modify the encrypted packets during transmission may be able to cause the original plaintext to be rerouted to an alternate destination.
Solution:   No solution was available at the time of this entry.

As a workaround, NISCC reports that any of the following methods can be used:

1. Configure ESP to use both confidentiality and integrity protection. This is the recommended solution.

2. Use the AH protocol alongside ESP to provide integrity protection. However, this must be done carefully: for example, the configuration where AH in transport mode is applied end-to-end and tunnelled inside ESP is still vulnerable.

3. Remove the error reporting by restricting the generation of ICMP messages or by filtering these messages at a firewall or security gateway.
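The following Go program is an added illustration of the mechanism described above and of why workaround 1 (ESP with both confidentiality and integrity) closes it; it is example code written for this entry, not code from NISCC, the advisory, or any IPsec implementation. It models an ESP payload as AES-CBC ciphertext, optionally followed by an HMAC-SHA256 integrity check value (ICV) computed over IV and ciphertext in the encrypt-then-MAC order ESP uses. All keys, the fixed IV and the 32-byte "inner packet" are constructed values for the demonstration (real ESP uses a fresh random IV per packet and a 96- or 128-bit truncated ICV). A receiving gateway configured for confidentiality only decrypts a modified packet without any error and hands a changed inner packet to its forwarding path; the same gateway with an ICV drops it before decryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo values (not from the advisory): any 16-byte AES key,
// 16-byte IV and HMAC key would do. Real ESP draws a fresh random IV per packet.
var encKey = []byte("0123456789abcdef")                  // AES-128 key
var authKey = []byte("integrity-key-for-demo-use-only!") // HMAC-SHA256 key
var demoIV = []byte("fixed-iv-demo-16")                  // 16 bytes

// innerPacket stands in for the inner IP header plus payload of a tunnel-mode
// packet. It is exactly two AES blocks long so no padding logic is needed here.
var innerPacket = []byte("IPv4 hdr........" + "\x0a\x00\x00\x01" + "payload-data")

// protect builds the toy ESP payload: IV || AES-CBC(inner) [|| HMAC(IV||ct)].
// Passing a nil authKey models "ESP with confidentiality only".
func protect(inner, iv, encKey, authKey []byte) ([]byte, error) {
	if len(inner)%aes.BlockSize != 0 {
		return nil, errors.New("demo requires inner length to be a multiple of the block size")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(inner))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, inner)
	out := append(append([]byte{}, iv...), ct...)
	if authKey != nil {
		mac := hmac.New(sha256.New, authKey)
		mac.Write(out)
		out = mac.Sum(out) // encrypt-then-MAC: ICV covers IV and ciphertext
	}
	return out, nil
}

// unprotect mirrors the receiving gateway. With an authKey it verifies the ICV
// first and refuses to decrypt on mismatch; without one it decrypts whatever
// arrived, because CBC decryption itself cannot detect modification.
func unprotect(pkt, encKey, authKey []byte) ([]byte, error) {
	if authKey != nil {
		if len(pkt) < sha256.Size {
			return nil, errors.New("short packet")
		}
		body, icv := pkt[:len(pkt)-sha256.Size], pkt[len(pkt)-sha256.Size:]
		mac := hmac.New(sha256.New, authKey)
		mac.Write(body)
		if !hmac.Equal(mac.Sum(nil), icv) {
			return nil, errors.New("ICV mismatch: packet dropped")
		}
		pkt = body
	}
	if len(pkt) < 2*aes.BlockSize || len(pkt)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, ct := pkt[:aes.BlockSize], pkt[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt, nil
}

// Outcome summarises what the receiving gateway did with a modified packet.
type Outcome struct {
	Accepted     bool // decryption completed without any error
	InnerChanged bool // recovered inner packet differs from the one sent
}

// receiveModified sends innerPacket through protect, changes one byte of the
// encrypted portion in transit, and reports how the gateway handled it.
func receiveModified(withIntegrity bool) (Outcome, error) {
	var ak []byte
	if withIntegrity {
		ak = authKey
	}
	pkt, err := protect(innerPacket, demoIV, encKey, ak)
	if err != nil {
		return Outcome{}, err
	}
	modified := append([]byte{}, pkt...)
	modified[aes.BlockSize] ^= 0x01 // first byte of the first ciphertext block
	inner, err := unprotect(modified, encKey, ak)
	if err != nil {
		return Outcome{Accepted: false}, nil
	}
	return Outcome{Accepted: true, InnerChanged: !bytes.Equal(inner, innerPacket)}, nil
}

// roundTrip checks that an unmodified packet still decrypts correctly.
func roundTrip(withIntegrity bool) (bool, error) {
	var ak []byte
	if withIntegrity {
		ak = authKey
	}
	pkt, err := protect(innerPacket, demoIV, encKey, ak)
	if err != nil {
		return false, err
	}
	inner, err := unprotect(pkt, encKey, ak)
	return err == nil && bytes.Equal(inner, innerPacket), err
}

func main() {
	for _, integrity := range []bool{false, true} {
		o, err := receiveModified(integrity)
		fmt.Printf("integrity=%v accepted=%v innerChanged=%v err=%v\n",
			integrity, o.Accepted, o.InnerChanged, err)
	}
}
```

The confidentiality-only run reports the packet as accepted with a changed inner packet, which is the condition the advisory describes: the gateway has no way to tell that the inner header it is about to route on was altered in transit. The run with an ICV reports the packet as not accepted, which is why NISCC lists confidentiality plus integrity as the recommended configuration.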

Cause:   Access control error, Configuration error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 11 2005 (HP Issues Fix for Tru64) IPSec ESP Lets Inline Users Modify Packets to Cause the Plaintext to Be Rerouted and Recovered
HP has issued a fix for HP Tru64 UNIX.

Source Message Contents

[Original Message Not Available for Viewing]

Copyright 2021, SecurityGlobal.net LLC