On Tue, Dec 13, 2005 at 09:49:40PM +0100, Paul Wouters wrote:
> On Mon, 12 Dec 2005, Thierry Carrez wrote:
>
> >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> >Gentoo Linux Security Advisory GLSA 200512-04
> >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > http://security.gentoo.org/
> >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> >
> > Severity: Normal
> > Title: Openswan, IPsec-Tools: Vulnerabilities in ISAKMP Protocol
> > implementation
> > Date: December 12, 2005
> > Bugs: #112568, #113201
> > ID: 200512-04
> >
> >Openswan and IPsec-Tools suffer from an implementation flaw which may
> >allow a Denial of Service attack.
>
> That is correct (for openswan)

It is also correct for ipsec-tools, but requires a very weak configuration.

> >Impact
> >======
> >
> >A remote attacker can create a specially crafted packet using 3DES with
> >an invalid key length, resulting in a Denial of Service attack, format
> >string vulnerabilities or buffer overflows.
>
> That's a copy and paste from the IPsec proto testsuite.
>
> 1) It conflicts with the above comment that this is only a DOS
> 2) It's incorrect (for openswan)

Also incorrect for ipsec-tools AFAIK. The only problem we noticed with the
protos testsuite was a lack of verification of the existence of some payloads
in aggressive mode.

> >Workaround
> >==========
> >
> >Avoid using "aggressive mode" in ISAKMP Phase 1, which exchanges
> >information between the sides before there is a secure channel.
>
> In fact, you would need to both have aggressive mode enabled AND know the PSK.
> If you have those two enabled, you are vulnerable to a MITM anyway, since
> any client knowing the PSK can pretend to be the IPsec security gateway.

Knowing the PSK is not really needed, as AGGRESSIVE+PSK mode is known to be
quite insecure, and can be brute-forced offline.

The "workaround" for ipsec-tools is to upgrade, and is only needed for some
people who really have a weak configuration and should care about lots of
potential problems!

Yvan, ipsec-tools team.

--
NETASQ - Secure Internet Connectivity
http://www.netasq.com
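As an added defensive example (not part of this thread, and not code from ipsec-tools or Openswan), a small Python audit that flags the weak combination the reply describes, aggressive mode together with a pre-shared key, in constructed racoon.conf and Openswan ipsec.conf fragments. The keyword spellings exchange_mode/authentication_method and aggrmode/authby are assumed from those tools' configuration syntax, and the sample peers are made up.

```python
import re
# Constructed sample configurations (not taken from the mail thread) for the two
# implementations the advisory names; each has one peer using the weak combination
# discussed above (aggressive mode + pre-shared key) and one that does not.
RACOON_CONF = """\
remote anonymous {
    exchange_mode aggressive, main;
    proposal {
        authentication_method pre_shared_key;
    }
}
remote 192.0.2.10 {
    exchange_mode main;
    proposal {
        authentication_method rsasig;
    }
}
"""
IPSEC_CONF = """\
conn roadwarrior
    aggrmode=yes
    authby=secret
    right=%any
conn site2site
    authby=rsasig
    right=198.51.100.1
"""

def audit_racoon(text):
    """Names of racoon.conf 'remote' blocks that accept aggressive mode with a PSK."""
    weak = []
    # A top-level block ends at '}' in column 0; nested 'proposal' braces are indented.
    for m in re.finditer(r'remote\s+(\S+)\s*\{(.*?)\n\}', text, re.S):
        name, body = m.group(1), m.group(2)
        modes = re.search(r'exchange_mode\s+([^;]*);', body)
        psk = re.search(r'authentication_method\s+pre_shared_key\s*;', body)
        if modes and 'aggressive' in modes.group(1) and psk:
            weak.append(name)
    return weak

def audit_openswan(text):
    """Names of ipsec.conf 'conn' sections with aggrmode=yes and authby=secret."""
    weak = []
    # A conn body is the run of indented key=value lines after the header.
    for m in re.finditer(r'^conn\s+(\S+)\n((?:[ \t]+\S.*\n?)*)', text, re.M):
        name, body = m.group(1), m.group(2)
        opts = dict(re.findall(r'^\s*(\w+)=(\S+)', body, re.M))
        if opts.get('aggrmode') == 'yes' and opts.get('authby') == 'secret':
            weak.append(name)
    return weak
```

Run both functions over the real files and treat any name returned as a peer to move to main mode or certificate authentication.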