Date: 24 Mar 2004 12:04:24 +0200
From: SecuriTeam <support@securiteam.com>
To: list@securiteam.com
Subject: [UNIX] OpenBSD isakmpd Payload Handling DoS

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

OpenBSD isakmpd Payload Handling DoS
------------------------------------------------------------------------

SUMMARY

The ISAKMP packet processing functions in OpenBSD's isakmpd daemon contain multiple payload handling flaws that allow a remote attacker to launch a denial of service attack against the daemon. Carefully crafted ISAKMP packets will cause the isakmpd daemon to attempt out-of-bounds reads, exhaust available memory, or loop endlessly (consuming 100% of the CPU).

DETAILS

Affected system(s):
 * OpenBSD 3.4 and earlier
 * OpenBSD-current as of March 17, 2004

Detailed analysis:

To test the security and robustness of IPSEC implementations from multiple vendors, the security research team at Rapid7 has designed the Striker ISAKMP Protocol Test Suite. Striker is an ISAKMP packet generation tool that automatically produces and sends invalid and/or atypical ISAKMP packets. This advisory is the first in a series of vulnerability disclosures discovered with the Striker test suite.

OpenBSD's isakmpd daemon performs insufficient validation on payload lengths and payload field lengths before attempting to read the fields. This results in out-of-bounds reads in several cases.

Denial of service by 0-length ISAKMP payload
CVE Information: CAN-2004-0218
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0218>

An ISAKMP packet with a malformed payload having a self-reported payload length of zero will cause isakmpd to enter an infinite loop, parsing the same payload over and over again. This issue is similar to CAN-2003-0989, which affected TCPDUMP.

Denial of service by various malformed ISAKMP IPSEC SA payload
CVE Information: CAN-2004-0219
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0219>

An ISAKMP packet with a malformed IPSEC SA payload will cause isakmpd to read out of bounds and crash.

Denial of service by malformed ISAKMP Cert Request payload
CVE Information: CAN-2004-0220
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0220>

An ISAKMP packet with a malformed Cert Request payload will cause an integer underflow, resulting in a failed malloc of a huge amount of memory.

Denial of service by malformed ISAKMP Delete payload
CVE Information: CAN-2004-0221
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0221>

An ISAKMP packet with a malformed delete payload having a large number of SPIs will cause isakmpd to read out of bounds and crash.

Denial of service by various memory leaks
CVE Information: CAN-2004-0222
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0222>

Various memory leaks in packet processing can be triggered by a remote attacker until all available memory is exhausted, resulting in eventual termination of the daemon.

Vendor status and information:

OpenBSD has been notified of the issues and they have provided source code patches to fix the problems for -current, 3.4-stable, and 3.3-stable. See http://www.openbsd.org/errata.html for more information.

The isakmpd daemon in the upcoming OpenBSD 3.5 release will be privilege-separated, which greatly lessens the risk of any future vulnerabilities that may be found.

Solution:

Update and rebuild the isakmpd daemon:

  cd /usr/src/sbin/isakmpd
  cvs update -dP
  make clean && make obj && make && sudo make install

You can also apply the appropriate patches from http://www.openbsd.org/errata.html instead of using CVS.
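The three length problems named above (a zero-length generic payload header that never advances the parser, a Cert Request shorter than its fixed part so that "length minus header" underflows, and a Delete payload whose SPI count does not fit in the bytes received) all come down to bounding every read by the datagram length actually received rather than by a length the peer reported. The following walker over an ISAKMP payload chain is an added example written for this advisory; it is not isakmpd code and not Rapid7's test suite, the payload layouts follow RFC 2408, and the sample datagrams are constructed inline.

```c
/* Defensive walker for an ISAKMP payload chain (RFC 2408 layout).  Added
 * example: not isakmpd code; the sample datagrams below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ISAKMP_HDR_LEN   28   /* fixed ISAKMP header */
#define ISAKMP_GEN_LEN   4    /* generic payload header: next, reserved, length */
#define PAYLOAD_NONE     0
#define PAYLOAD_CERT_REQ 7
#define PAYLOAD_DELETE   12

enum parse_result { PARSE_OK, PARSE_TRUNCATED, PARSE_ZERO_LENGTH,
                    PARSE_BAD_LENGTH, PARSE_BAD_SPI_COUNT };

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Type-specific body checks; body_len excludes the 4-byte generic header. */
static enum parse_result check_body(uint8_t type, const uint8_t *body, size_t body_len)
{
    switch (type) {
    case PAYLOAD_CERT_REQ:
        /* body = cert type (1) + CA name.  A naive "payload_length - 5" on a
         * payload shorter than 5 bytes underflows into a huge allocation size,
         * so require the fixed part before computing the variable part. */
        return body_len >= 1 ? PARSE_OK : PARSE_BAD_LENGTH;
    case PAYLOAD_DELETE: {
        /* body = DOI(4) protocol(1) spi_size(1) num_spis(2) + num_spis*spi_size */
        if (body_len < 8) return PARSE_BAD_LENGTH;
        size_t spi_size = body[5], num_spis = get16(body + 6);
        /* 65535 * 255 fits in size_t, so the product itself cannot wrap */
        return num_spis * spi_size == body_len - 8 ? PARSE_OK : PARSE_BAD_SPI_COUNT;
    }
    default:
        return PARSE_OK;   /* other types: generic length checks only, in this example */
    }
}

/* Walk every payload in msg[0..len).  Sets *count and returns PARSE_OK, or the
 * first problem found.  Every read is bounded by the bytes actually received. */
enum parse_result isakmp_walk_payloads(const uint8_t *msg, size_t len, size_t *count)
{
    *count = 0;
    if (len < ISAKMP_HDR_LEN) return PARSE_TRUNCATED;
    uint8_t next = msg[16];                       /* header's "next payload" field */
    size_t off = ISAKMP_HDR_LEN;
    while (next != PAYLOAD_NONE) {
        if (len - off < ISAKMP_GEN_LEN) return PARSE_TRUNCATED;
        uint16_t plen = get16(msg + off + 2);
        if (plen == 0) return PARSE_ZERO_LENGTH;       /* offset would never advance */
        if (plen < ISAKMP_GEN_LEN) return PARSE_BAD_LENGTH;
        if (plen > len - off) return PARSE_TRUNCATED;  /* claims more than we hold */
        enum parse_result r = check_body(next, msg + off + ISAKMP_GEN_LEN, plen - ISAKMP_GEN_LEN);
        if (r != PARSE_OK) return r;
        next = msg[off];
        off += plen;
        ++*count;
    }
    return PARSE_OK;
}

/* Constructed datagram: zeroed header with first-payload type, version and
 * total length filled in, followed by the supplied payload bytes. */
static enum parse_result run_sample(uint8_t first, const uint8_t *p, size_t plen)
{
    uint8_t msg[128];
    size_t total = ISAKMP_HDR_LEN + plen, n;
    memset(msg, 0, ISAKMP_HDR_LEN);
    msg[16] = first;
    msg[17] = 0x10;                 /* version 1.0 */
    msg[27] = (uint8_t)total;       /* length field; fits in one byte for these samples */
    memcpy(msg + ISAKMP_HDR_LEN, p, plen);
    return isakmp_walk_payloads(msg, total, &n);
}

/* Well-formed Delete payload: one 4-byte ESP SPI, chain ends. */
enum parse_result sample_good(void) {
    static const uint8_t p[] = { 0,0,0,16, 0,0,0,1, 3, 4, 0,1, 0xaa,0xbb,0xcc,0xdd };
    return run_sample(PAYLOAD_DELETE, p, sizeof p);
}
/* Generic header reports a payload length of zero. */
enum parse_result sample_zero_length(void) {
    static const uint8_t p[] = { 0,0,0,0, 4 };
    return run_sample(PAYLOAD_CERT_REQ, p, sizeof p);
}
/* Cert Request whose length covers only the generic header. */
enum parse_result sample_certreq_short(void) {
    static const uint8_t p[] = { 0,0,0,4 };
    return run_sample(PAYLOAD_CERT_REQ, p, sizeof p);
}
/* Delete payload claiming 65535 SPIs but carrying only one. */
enum parse_result sample_delete_overrun(void) {
    static const uint8_t p[] = { 0,0,0,16, 0,0,0,1, 3, 4, 0xff,0xff, 0xaa,0xbb,0xcc,0xdd };
    return run_sample(PAYLOAD_DELETE, p, sizeof p);
}
/* Payload length larger than the bytes that actually arrived. */
enum parse_result sample_truncated(void) {
    static const uint8_t p[] = { 0,0,0,32, 0,0,0,1, 3, 4, 0,1, 0xaa,0xbb,0xcc,0xdd };
    return run_sample(PAYLOAD_DELETE, p, sizeof p);
}

int main(void)
{
    printf("good=%d zero=%d certreq=%d delete=%d truncated=%d\n",
           sample_good(), sample_zero_length(), sample_certreq_short(),
           sample_delete_overrun(), sample_truncated());
    return 0;
}
```

The walker rejects a malformed datagram before any type-specific code runs, so a logging hook at each early return gives a detection point: a peer that repeatedly sends zero-length or over-long payloads is visible in the daemon's log rather than only in its CPU or memory usage.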
ADDITIONAL INFORMATION

The information has been provided by Rapid7, Inc. Security Advisory.
The original article can be found at: http://www.rapid7.com/advisories/R7-0018.html
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.