Bug 173219 - net-firewall/ipsec-tools DoS (CVE-2007-1841)

Bug#: 173219
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
Summary: net-firewall/ipsec-tools DoS (CVE-2007-1841)
Status Whiteboard: B3 [glsa] jaervosz

Opened: 2007-04-03 05:37 0000
The ISAKMP RFC makes it clear that informational exchanges with a delete payload should be encrypted. This attack consists of sending an informational exchange message during the beginning of phase 1 before the point where packets are encrypted. If the message, directed at one of the 2 peers, contains the source address of the other peer, the correct cookie(s), a bogus hash payload, and a delete payload indicating that the ISAKMP SAs have been deleted, the packet will get through and terminate the exchange.

In the file isakmp_inf.c the function isakmp_info_recv() checks if the message is encrypted, and if so, decrypts it and verifies that the hash is present and correct. If the message is not encrypted, which is allowed for some informational exchanges, then that part is skipped. It then checks the state of the phase 1 negotiation and discards the message if it's past the point where messages should be encrypted. Since the attack is sent before that point, the message is passed. It then calls isakmp_info_recv_d() which does not check that the message was encrypted. It only checks that a hash payload is present, but does not check its validity, so the hash payload can contain anything. The delete payload is then processed, terminating the attempt to establish ISAKMP SAs.

The fix is simply to check that the message was encrypted before calling isakmp_info_recv_d().

This goes public now.
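As an added example (not racoon's code and not part of this bug report), the following C program models the control flow the report describes and the one-line fix: the plaintext path never verifies the hash, the delete handler only checks that a HASH payload exists, and the repaired handler additionally refuses a delete that did not arrive encrypted. Header offsets, flag bit and payload type numbers follow RFC 2408; the keyed HASH verification is replaced by a comparison against a constructed constant standing in for the value the decrypt path would compute, and the cookies and hash bytes are constructed placeholders. The function names info_recv, walk_payloads, build_info and scenario are chosen here and are not racoon identifiers.

```c
#include <stdint.h>
#include <string.h>

/* ISAKMP header layout and constants (RFC 2408, section 3.1). */
#define ISAKMP_HDR_LEN     28
#define ISAKMP_OFF_NP      16   /* Next Payload */
#define ISAKMP_OFF_FLAGS   19
#define ISAKMP_FLAG_E      0x01 /* Encryption bit */
#define ISAKMP_ETYPE_INFO  5    /* Informational exchange */
#define ISAKMP_NPTYPE_NONE 0
#define ISAKMP_NPTYPE_HASH 8
#define ISAKMP_NPTYPE_D    12   /* Delete */
#define GEN_HDR_LEN        4    /* generic payload header: np, reserved, length */

/* Phase 1 progress: once past PH1_KEYED, plaintext messages are rejected. */
enum ph1_state { PH1_START, PH1_KEYED, PH1_ESTABLISHED };
enum info_result { INFO_DROP = 0, INFO_DELETE_SA = 1 };

struct payloads { const uint8_t *hash; size_t hash_len; int have_delete; };

/* Walk the generic payload chain, bounds-checking every length field. */
static int walk_payloads(const uint8_t *pkt, size_t len, struct payloads *out)
{
    memset(out, 0, sizeof *out);
    if (len < ISAKMP_HDR_LEN) return 0;
    uint8_t np = pkt[ISAKMP_OFF_NP];
    for (size_t off = ISAKMP_HDR_LEN; np != ISAKMP_NPTYPE_NONE; ) {
        if (off + GEN_HDR_LEN > len) return 0;
        size_t plen = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];
        if (plen < GEN_HDR_LEN || off + plen > len) return 0;
        if (np == ISAKMP_NPTYPE_HASH) { out->hash = pkt + off + GEN_HDR_LEN; out->hash_len = plen - GEN_HDR_LEN; }
        else if (np == ISAKMP_NPTYPE_D) out->have_delete = 1;
        np = pkt[off];
        off += plen;
    }
    return 1;
}

/* Receive path as the report describes it. `keyed` is a constructed stand-in for
 * the HASH value the decrypt path would compute under SKEYID_a. With fixed == 0
 * the delete handler only checks that a HASH payload exists; with fixed == 1 it
 * also requires that the message arrived encrypted. */
static enum info_result info_recv(const uint8_t *pkt, size_t len, enum ph1_state st,
                                  const uint8_t *keyed, size_t klen, int fixed)
{
    struct payloads p;
    if (!walk_payloads(pkt, len, &p)) return INFO_DROP;
    int encrypted = pkt[ISAKMP_OFF_FLAGS] & ISAKMP_FLAG_E;
    if (encrypted) {
        /* (decryption would happen here) then the hash must be present and correct */
        if (!p.hash || p.hash_len != klen || memcmp(p.hash, keyed, klen) != 0)
            return INFO_DROP;
    } else if (st >= PH1_KEYED) {
        return INFO_DROP;  /* too late in phase 1 for plaintext */
    }
    /* The isakmp_info_recv_d() part. */
    if (!p.have_delete) return INFO_DROP;
    if (fixed && !encrypted) return INFO_DROP;  /* the fix: a delete must be encrypted */
    if (!p.hash) return INFO_DROP;              /* original: hash merely present */
    return INFO_DELETE_SA;
}

/* Build a constructed informational message: header, HASH payload carrying
 * `hash`, then a DELETE payload naming the ISAKMP SA by its two cookies. */
static size_t build_info(uint8_t *buf, int encrypted, const uint8_t *hash, size_t hlen)
{
    static const uint8_t del_body[] = { 0, 0, 0, 1, 1, 16, 0, 1 }; /* DOI, PROTO_ISAKMP, SPI size, 1 SPI */
    memset(buf, 0x11, 8); memset(buf + 8, 0x22, 8); memset(buf + 16, 0, 12); /* placeholder cookies */
    buf[ISAKMP_OFF_NP] = ISAKMP_NPTYPE_HASH;
    buf[17] = 0x10; buf[18] = ISAKMP_ETYPE_INFO;       /* version 1.0, informational */
    buf[ISAKMP_OFF_FLAGS] = encrypted ? ISAKMP_FLAG_E : 0;
    size_t off = ISAKMP_HDR_LEN, plen = GEN_HDR_LEN + hlen;
    buf[off] = ISAKMP_NPTYPE_D; buf[off + 1] = 0;
    buf[off + 2] = (uint8_t)(plen >> 8); buf[off + 3] = (uint8_t)plen;
    memcpy(buf + off + GEN_HDR_LEN, hash, hlen);
    off += plen; plen = GEN_HDR_LEN + sizeof del_body + 16;
    buf[off] = ISAKMP_NPTYPE_NONE; buf[off + 1] = 0;
    buf[off + 2] = (uint8_t)(plen >> 8); buf[off + 3] = (uint8_t)plen;
    memcpy(buf + off + GEN_HDR_LEN, del_body, sizeof del_body);
    memcpy(buf + off + GEN_HDR_LEN + sizeof del_body, buf, 16); /* SPI = the cookies */
    off += plen;
    buf[27] = (uint8_t)off;                            /* total length; fits in one byte here */
    return off;
}

/* Constructed stand-in for the value the decrypt path would compute. */
static const uint8_t KEYED_HASH[16] = { 0xa5, 0x5a, 0xc3, 0x3c, 0x0f, 0xf0, 0x69, 0x96,
                                        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0 };

/* Run one constructed message through the receive path. The report's scenario is
 * scenario(0, 0, fixed): plaintext, early in phase 1, bogus hash, delete payload. */
enum info_result scenario(int encrypted, int good_hash, int fixed)
{
    static const uint8_t bogus[16] = { 0 };
    uint8_t buf[128];
    size_t n = build_info(buf, encrypted, good_hash ? KEYED_HASH : bogus, 16);
    return info_recv(buf, n, encrypted ? PH1_ESTABLISHED : PH1_START,
                     KEYED_HASH, sizeof KEYED_HASH, fixed);
}
```

With fixed == 0, scenario(0, 0, 0) returns INFO_DELETE_SA: the plaintext message with a bogus hash tears the SA down exactly as the report describes. With fixed == 1 the same message is dropped, while an encrypted delete carrying the correct hash (scenario(1, 1, 1)) is still honoured, which is the regression check worth keeping around when reviewing a patched build.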
Hi Letexer, any news on this one? thanks
*** Bug 174026 has been marked as a duplicate of this bug. ***
-dev mailed for assistance.
ebuild added. awaiting review from users in bug #152971 before going stable.
The 0.6.7 ebuild has a DEPEND kerberos? ( app-crypt/mit-krb5 ). This doesn't
work with Heimdal. I believe it should read something like kerberos? (
virtual/krb5 )
(In reply to comment #7)
> This doesn't
> work with Heimdal.
So it works with heimdal? - I got bug #176541 but I'm going to assume it
compiles under other conditions.
> I believe it should read something like kerberos? (
> virtual/krb5 )
Changed as requested.
*** Bug 176558 has been marked as a duplicate of this bug. ***
Thx Daniel.
Arches please test and mark stable. Target keywords are:
ipsec-tools-0.6.7.ebuild:KEYWORDS="amd64 ppc sparc x86"
net-firewall/ipsec-tools-0.6.7 USE="hybrid idea ipv6 kerberos ldap nat pam rc5
readline (-selinux)"
1. emerges on x86
2. passes collision test
Portage 2.1.2.2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0,
2.6.20.10 i686)
=================================================================
System uname: 2.6.20.10 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Tue, 01 May 2007 09:00:09 +0000
dev-java/java-config: 1.3.7, 2.0.31-r5
dev-lang/python: 2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.15-r1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/php/apache1-php5/ext-active/
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo
/etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox
sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli
cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode fam
ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6
isdnlog java jpeg kde kdeenablefinal ldap libg++ mad midi mikmod mmx mono mp3
mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd
python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp
spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype
truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264
x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard
mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU"
VIDEO_CARDS="i810 fbdev vesa"
Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
(In reply to comment #13)
> net-firewall/ipsec-tools-0.6.7 USE="hybrid idea ipv6 kerberos ldap nat pam rc5
> readline (-selinux)"
> 1. emerges on x86
> 2. passes collision test
3. passes test suite, sorry for the bugspam...
x86 stable, thanks Markus.
ppc stable, ready for GLSA voting.
Voting YES, let's have a GLSA.
that was GLSA 200705-09, thanks everybody