173219 2007-04-03 05:37 0000 net-firewall/ipsec-tools DoS (CVE-2007-1841) 2007-05-08 20:05:37 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B3 [glsa] jaervosz P2 minor --- 1 jaervosz@gentoo.org security@gentoo.org bill@merriam.net cyrius@linog-consulting.com dragonheart@gentoo.org latexer@gentoo.org py@gentoo.org jaervosz@gentoo.org 2007-04-03 05:37:41 0000 The ISAKMP RFC makes it clear that informational exchanges with a delete payload should be encrypted. This attack consists of sending an informational exchange message during the beginning of phase 1 before the point where packets are encrypted. If the message, directed at one of the 2 peers, contains the source address of the other peer, the correct cookie(s), a bogus hash payload, and a delete payload indicating that the ISAKMP SAs have been deleted, the packet will get through and terminate the exchange. In the file isakmp_inf.c the function isakmp_info_recv() checks if the message is encrypted, and if so, decrypts it and verifies that the hash is present and correct. If the message is not encrypted, which is allowed for some informational exchanges, then that part is skipped. It then checks the state of the phase 1 negotiation and discards the message if its past the point where messages should be encrypted. Since the attack is sent before that point, the message is passed. It then calls isakmp_info_recv_d() which does not check that the message was encrypted. It only checks that a hash payload is present, but does not check its validity, so the hash payload can contain anything. The delete payload is then processed, terminating the attempt to establish ISAKMP SAs. The fix is simply to check that the message was encrypted before calling isakmp_info_recv_d(). jaervosz@gentoo.org 2007-04-03 14:55:39 0000 Created an attachment (id=115370) patch-racoon-isakmp_inf.c-recv falco@gentoo.org 2007-04-10 12:50:53 0000 This goes public now. Hi Letexer, any news on this one? thanks falco@gentoo.org 2007-04-10 12:52:34 0000 *** Bug 174026 has been marked as a duplicate of this bug. *** jaervosz@gentoo.org 2007-04-18 05:30:59 0000 -dev mailed for assistance. dragonheart@gentoo.org 2007-04-21 07:43:21 0000 i'll add a update soon. dragonheart@gentoo.org 2007-04-21 12:33:08 0000 ebuild added. awaiting review from users in bug #152971 before going stable. bill@merriam.net 2007-04-29 16:39:02 0000 The 0.6.7 ebuild has a DEPEND kerberos? ( app-crypt/mit-krb5 ). This doesn't work with Heimdal. I believe it should read something like kerberos? ( virtual/krb5 ) jaervosz@gentoo.org 2007-04-30 08:25:25 0000 Daniel please comment. dragonheart@gentoo.org 2007-04-30 09:15:51 0000 (In reply to comment #7) > This doesn't > work with Heimdal. So it works with heimdal? - I got bug #176541 but I'm going to assume it compiles under other conditions. > I believe it should read something like kerberos? ( > virtual/krb5 ) Changed as requested. jaervosz@gentoo.org 2007-04-30 12:37:06 0000 *** Bug 176558 has been marked as a duplicate of this bug. *** jaervosz@gentoo.org 2007-04-30 12:39:18 0000 Thx Daniel. Arches please test and mark stable. Target keywords are: ipsec-tools-0.6.7.ebuild:KEYWORDS=""amd64 ppc sparc x86" beandog@gentoo.org 2007-04-30 13:42:35 0000 amd64 stable maekke@gentoo.org 2007-05-01 10:06:39 0000 net-firewall/ipsec-tools-0.6.7 USE="hybrid idea ipv6 kerberos ldap nat pam rc5 readline (-selinux)" 1. emerges on x86 2. passes collision test Portage 2.1.2.2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.20.10 i686) ================================================================= System uname: 2.6.20.10 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz Gentoo Base System release 1.12.9 Timestamp of tree: Tue, 01 May 2007 09:00:09 +0000 dev-java/java-config: 1.3.7, 2.0.31-r5 dev-lang/python: 2.3.5-r3, 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.15-r1 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--nospinner" FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/" LINGUAS="en de en_GB de_CH" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal ldap libg++ mad midi mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa" Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY maekke@gentoo.org 2007-05-01 10:14:55 0000 (In reply to comment #13) > net-firewall/ipsec-tools-0.6.7 USE="hybrid idea ipv6 kerberos ldap nat pam rc5 > readline (-selinux)" > 1. emerges on x86 > 2. passes collision test 3. passes test suite, sorry for the bugspam... armin76@gentoo.org 2007-05-01 11:28:23 0000 x86 stable, thanks Markus. gustavoz@gentoo.org 2007-05-02 13:42:28 0000 sparc stable. dertobi123@gentoo.org 2007-05-03 18:39:55 0000 ppc stable, ready for GLSA voting. py@gentoo.org 2007-05-03 18:44:20 0000 /vote YES. jaervosz@gentoo.org 2007-05-03 18:53:29 0000 Voting YES, let's have a GLSA. falco@gentoo.org 2007-05-08 20:05:37 0000 that was GLSA 200705-09, thanks everybody 115370 2007-04-03 14:55 0000 patch-racoon-isakmp_inf.c-recv patch-racoon-isakmp_inf.c-recv text/plain SW5kZXg6IHNyYy9yYWNvb24vaXNha21wX2luZi5jCj09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KUkNTIGZpbGU6IC9jdnNy b290L2lwc2VjLXRvb2xzL2lwc2VjLXRvb2xzL3NyYy9yYWNvb24vaXNha21wX2luZi5jLHYKcmV0 cmlldmluZyByZXZpc2lvbiAxLjE0LjQuOQpkaWZmIC11IC1wIC1yMS4xNC40LjkgaXNha21wX2lu Zi5jCi0tLSBzcmMvcmFjb29uL2lzYWttcF9pbmYuYwkyIEF1ZyAyMDA1IDE1OjA5OjI2IC0wMDAw CTEuMTQuNC45CisrKyBzcmMvcmFjb29uL2lzYWttcF9pbmYuYwkyIEFwciAyMDA3IDEyOjUyOjA3 IC0wMDAwCkBAIC0yNjcsMTIgKzI2NywxMiBAQCBpc2FrbXBfaW5mb19yZWN2KGlwaDEsIG1zZzAp CiAKIAlzd2l0Y2ggKG5wKSB7CiAJY2FzZSBJU0FLTVBfTlBUWVBFX046Ci0JCWlmIChpc2FrbXBf aW5mb19yZWN2X24oaXBoMSwgbXNnKSA8IDApCi0JCQlnb3RvIGVuZDsKKwkJaWYgKCBlbmNyeXB0 ZWQgKQorCQkJaXNha21wX2luZm9fcmVjdl9uKGlwaDEsIG1zZyk7CiAJCWJyZWFrOwogCWNhc2Ug SVNBS01QX05QVFlQRV9EOgotCQlpZiAoaXNha21wX2luZm9fcmVjdl9kKGlwaDEsIG1zZykgPCAw KQotCQkJZ290byBlbmQ7CisJCWlmICggZW5jcnlwdGVkICkKKwkJCWlzYWttcF9pbmZvX3JlY3Zf ZChpcGgxLCBtc2cpOwogCQlicmVhazsKIAljYXNlIElTQUtNUF9OUFRZUEVfTk9OQ0U6CiAJCS8q IFhYWCB0byBiZSA2LjQuMiBpa2UtMDEudHh0ICovCg==