SecurityTracker.com
Category:   Application (Security)  >   IPsec-Tools
Vendors:   ipsec-tools.sourceforge.net
(NetBSD Issues Fix) IPsec-Tools Racoon Phase 1 Handle Cleanup Flaw May Let Remote Users Deny Service
SecurityTracker Alert ID:  1020872
SecurityTracker URL:  http://securitytracker.com/id/1020872
CVE Reference:   CVE-2008-3652
Date:  Sep 15 2008
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in IPsec-Tools. A remote user can cause denial of service conditions.

The software does not remove orphaned Phase 1 handles for remotely initiated negotiations. A remote user may be able to cause excessive resource consumption on the target system.

The vulnerability resides in 'src/racoon/handler.c'.

Krzysztof Piotr Oledzki reported this vulnerability.

Impact:   A remote user can cause excessive resource consumption on the target system.
Solution:   NetBSD has released a fix.

The NetBSD advisory is available at:

ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-012.txt.asc

Vendor URL:  ipsec-tools.sourceforge.net/
Cause:   Randomization error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  4.0

Message History:   This archive entry is a follow-up to the message listed below.
Aug 13 2008 IPsec-Tools Racoon Phase 1 Handle Cleanup Flaw May Let Remote Users Deny Service



 Source Message Contents

Subject:  NetBSD Security Advisory 2008-012: Denial of service issues in


		 NetBSD Security Advisory 2008-012
		 =================================

Topic:		Denial of service issues in racoon(8)

Version:	NetBSD-current:		affected
		NetBSD 4.0:		affected
		NetBSD 3.1.*:		not affected
		NetBSD 3.1:		not affected
		NetBSD 3.0.*:		not affected
		NetBSD 3.0:		not affected

Severity:	Denial of service

Fixed:		NetBSD-current:		August 12, 2008
		NetBSD-4-0 branch:	August 18, 2008
			(4.0.1 will include the fix)
		NetBSD-4 branch:	August 18, 2008
			(4.1 will include the fix)
		pkgsrc:			ipsec-tools-0.7.1 corrects the issue


Abstract
========

Currently racoon(8) does not remove orphaned ph1s initiated by a remote side.
As a result of this a potential denial of service issue can occur.

This vulnerability has been assigned CVE-2008-3652.

Technical Details
=================

When racoon(8) receives an invalid packet from a peer, it keeps the ph1handle
and expects the peer to resend a valid packet.  If the peer's invalid packet
is the first exchange (typically an SA exchange with no valid proposal),
the freshly created ph1handle will never be removed, which is in fact
a memory leak.

A legitimate peer with an invalid configuration, or an attacker, that
sends SA exchanges with no valid proposal can create a Denial of
Service if it can generate enough ph1handles (racoon will slow down
every time it searches for a ph1handle, then may run out of
memory).


Solutions and Workarounds
=========================

Only kernels compiled with the following option are vulnerable to this issue:

	options IPSEC

As a temporary workaround recompile the kernel with the above option 
commented out.  The default NetBSD GENERIC kernels do not have this
option enabled.  In addition to this the system must be running the 
racoon(8) daemon which is not enabled by default.

An additional workaround can be to add filtering rules to ensure only 
legitimate peers can send IKE exchanges (port 500/udp).

The following instructions describe how to upgrade your ipsec-tools
binaries by updating your source tree and rebuilding and installing
a new version of ipsec-tools.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2008-08-12
	should be upgraded to NetBSD-current dated 2008-08-13 or later.

	The following files/directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		crypto/dist/ipsec-tools/src/racoon/isakmp.c

	To update from CVS, re-build, and re-install ipsec-tools:

		# cd src
		# cvs update crypto/dist/ipsec-tools/src/racoon/isakmp.c
		# cd usr.sbin/racoon
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 4.*:

	Systems running NetBSD 4.* sources dated from before
	2008-08-18 should be upgraded from NetBSD 4.* sources dated
	2008-08-19 or later.

	The following files/directories need to be updated from the
	netbsd-4 or netbsd-4-0 branches:
		crypto/dist/ipsec-tools

	To update from CVS, re-build, and re-install ipsec-tools:

		# cd src
		# cvs update -r <branch_name> -d -P crypto/dist/ipsec-tools
		# cd lib/libipsec
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install
		# cd ../../sbin/setkey
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install
		# cd ../../usr.sbin/racoon
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


Revision History
================

	2008-09-15	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-012.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2008-012.txt,v 1.1 2008/09/14 16:00:24 adrianp Exp $
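
The leak described under "Technical Details", as a toy model added to this archive entry (not racoon or NetBSD code; the struct, the function names and the `fixed` switch are hypothetical). It shows why a handle created by an invalid first packet is never reclaimed, and what removing it on that path changes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model, not racoon source; all names are hypothetical. One node per
 * phase 1 negotiation, keyed by the remote initiator's cookie. */
struct ph1 { uint64_t icookie; struct ph1 *next; };
static struct ph1 *ph1_list;
static uint64_t next_cookie = 1;
/* Linear lookup: every leaked node makes each later search slower. */
static struct ph1 **ph1_slot(uint64_t icookie) {
    struct ph1 **pp = &ph1_list;
    while (*pp && (*pp)->icookie != icookie) pp = &(*pp)->next;
    return pp;
}

size_t ph1_count(void) {
    size_t n = 0;
    for (struct ph1 *h = ph1_list; h; h = h->next) n++;
    return n;
}

/* Process one inbound packet; 'fixed' enables orphan cleanup. */
void on_packet(uint64_t icookie, bool packet_ok, bool fixed) {
    struct ph1 **pp = ph1_slot(icookie);
    bool first_exchange = (*pp == NULL);
    if (first_exchange) {                 /* remote side opens a new ph1 */
        if (!(*pp = calloc(1, sizeof **pp))) return;
        (*pp)->icookie = icookie;
    }
    /* A known negotiation keeps its handle and waits for a resend;
     * a handle created by this very invalid packet is an orphan. */
    if (!packet_ok && first_exchange && fixed) {
        free(*pp);
        *pp = NULL;                       /* new node was the list tail */
    }
}

/* n invalid first packets, fresh cookie each; returns handles left over. */
size_t simulate(size_t n, bool fixed) {
    size_t before = ph1_count();
    while (n--) on_packet(next_cookie++, false, fixed);
    return ph1_count() - before;
}

int main(void) {
    size_t leaked = simulate(1000, false), cleaned = simulate(1000, true);
    printf("left over: unfixed=%zu fixed=%zu\n", leaked, cleaned);
}
```
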
