The ISAKMP RFC makes it clear that informational exchanges with a delete payload should be encrypted. This attack consists of sending an informational exchange message during the beginning of phase 1 before the point where packets are encrypted. If the message, directed at one of the 2 peers, contains the source address of the other peer, the correct cookie(s), a bogus hash payload, and a delete payload indicating that the ISAKMP SAs have been deleted, the packet will get through and terminate the exchange. In the file isakmp_inf.c the function isakmp_info_recv() checks if the message is encrypted, and if so, decrypts it and verifies that the hash is present and correct. If the message is not encrypted, which is allowed for some informational exchanges, then that part is skipped. It then checks the state of the phase 1 negotiation and discards the message if it's past the point where messages should be encrypted. Since the attack is sent before that point, the message is passed. It then calls isakmp_info_recv_d() which does not check that the message was encrypted. It only checks that a hash payload is present, but does not check its validity, so the hash payload can contain anything. The delete payload is then processed, terminating the attempt to establish ISAKMP SAs. The fix is simply to check that the message was encrypted before calling isakmp_info_recv_d().
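The dispatch logic the report describes, as an added example that is not racoon's code: a small C model of the informational-exchange path with the unfixed delete handler beside the fixed one, so the missing check can be exercised as a regression test. All names here (struct isakmp_msg, phase1_status, info_recv_vulnerable, info_recv_fixed, the sample message builders) are hypothetical and only mirror the behaviour described above; the real isakmp_inf.c differs in structure.

```c
/* Added example, not racoon's code. Models the informational exchange
 * handling described in the bug report; all identifiers are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ISAKMP_FLAG_E 0x01   /* encryption bit in the ISAKMP header flags byte */

enum phase1_status {
    PHASE1ST_START,          /* no keys yet; nothing is encrypted at this point */
    PHASE1ST_ESTABLISHED     /* keys derived; informational exchanges must be encrypted */
};

enum payload_type { PAYLOAD_NONE = 0, PAYLOAD_HASH = 8, PAYLOAD_DELETE = 12 };

struct isakmp_msg {
    uint8_t flags;           /* ISAKMP header flags; E bit set when encrypted */
    uint8_t first_payload;   /* payload following the header (HASH expected) */
    uint8_t second_payload;  /* payload after the HASH (DELETE in this model) */
    bool hash_valid;         /* result of HASH verification; only meaningful when encrypted */
};

/* Common front end, modelling isakmp_info_recv(): if the message is encrypted,
 * "decrypt" it and verify the HASH payload; then drop unencrypted messages
 * once phase 1 is past the point where they must be encrypted. */
static bool front_end(const struct isakmp_msg *m, enum phase1_status st)
{
    bool encrypted = (m->flags & ISAKMP_FLAG_E) != 0;
    if (encrypted && (m->first_payload != PAYLOAD_HASH || !m->hash_valid))
        return false;                       /* bad or missing hash on an encrypted message */
    if (st == PHASE1ST_ESTABLISHED && !encrypted)
        return false;                       /* too late for cleartext informationals */
    return true;                            /* before that point, cleartext is still passed */
}

/* Models isakmp_info_recv_d(): it only requires that a HASH payload is
 * present before the DELETE; it never checks the hash or the E bit. */
static bool delete_handler(const struct isakmp_msg *m)
{
    return m->first_payload == PAYLOAD_HASH && m->second_payload == PAYLOAD_DELETE;
}

/* Returns true when the DELETE is acted on (the SA negotiation is torn down). */
bool info_recv_vulnerable(const struct isakmp_msg *m, enum phase1_status st)
{
    if (!front_end(m, st))
        return false;
    return delete_handler(m);               /* unencrypted DELETE slips through here */
}

bool info_recv_fixed(const struct isakmp_msg *m, enum phase1_status st)
{
    if (!front_end(m, st))
        return false;
    /* The fix from the report: only honour a DELETE from an encrypted
     * message, whose HASH the front end has therefore already verified. */
    if ((m->flags & ISAKMP_FLAG_E) == 0)
        return false;
    return delete_handler(m);
}

/* Constructed sample messages for the two cases (not captured traffic). */
struct isakmp_msg sample_unencrypted_delete(void)
{
    struct isakmp_msg m = { 0, PAYLOAD_HASH, PAYLOAD_DELETE, false };
    return m;                               /* cleartext, bogus hash, DELETE */
}

struct isakmp_msg sample_encrypted_delete(void)
{
    struct isakmp_msg m = { ISAKMP_FLAG_E, PAYLOAD_HASH, PAYLOAD_DELETE, true };
    return m;                               /* legitimate encrypted, hash-verified DELETE */
}

int main(void)
{
    struct isakmp_msg u = sample_unencrypted_delete();
    struct isakmp_msg e = sample_encrypted_delete();
    printf("cleartext DELETE during phase 1, unfixed: %s\n",
           info_recv_vulnerable(&u, PHASE1ST_START) ? "processed" : "dropped");
    printf("cleartext DELETE during phase 1, fixed:   %s\n",
           info_recv_fixed(&u, PHASE1ST_START) ? "processed" : "dropped");
    printf("encrypted DELETE after phase 1, fixed:    %s\n",
           info_recv_fixed(&e, PHASE1ST_ESTABLISHED) ? "processed" : "dropped");
    return 0;
}
```

The point the model makes is that the front end's encryption check is conditional on negotiation state, while the delete handler's hash check is only a presence check; the fix closes the gap by making the handler itself refuse anything that did not arrive encrypted, so the only DELETE it ever sees is one whose HASH was already verified.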
Created attachment 115370: patch-racoon-isakmp_inf.c-recv
This goes public now. Hi Letexer, any news on this one? thanks
*** Bug 174026 has been marked as a duplicate of this bug. ***
-dev mailed for assistance.
I'll add an update soon.
ebuild added. awaiting review from users in bug #152971 before going stable.
The 0.6.7 ebuild has a DEPEND kerberos? ( app-crypt/mit-krb5 ). This doesn't work with Heimdal. I believe it should read something like kerberos? ( virtual/krb5 )
Daniel please comment.
(In reply to comment #7)
> This doesn't work with Heimdal.
So it works with heimdal? - I got bug #176541 but I'm going to assume it compiles under other conditions.
> I believe it should read something like kerberos? ( virtual/krb5 )
Changed as requested.
*** Bug 176558 has been marked as a duplicate of this bug. ***
Thx Daniel. Arches please test and mark stable. Target keywords are: ipsec-tools-0.6.7.ebuild:KEYWORDS="amd64 ppc sparc x86"
amd64 stable
net-firewall/ipsec-tools-0.6.7 USE="hybrid idea ipv6 kerberos ldap nat pam rc5 readline (-selinux)"
1. emerges on x86
2. passes collision test

Portage 2.1.2.2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.20.10 i686)
=================================================================
System uname: 2.6.20.10 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Tue, 01 May 2007 09:00:09 +0000
dev-java/java-config: 1.3.7, 2.0.31-r5
dev-lang/python: 2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.15-r1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal ldap libg++ mad midi mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
(In reply to comment #13)
> net-firewall/ipsec-tools-0.6.7 USE="hybrid idea ipv6 kerberos ldap nat pam rc5 readline (-selinux)"
> 1. emerges on x86
> 2. passes collision test
3. passes test suite, sorry for the bugspam...
x86 stable, thanks Markus.
sparc stable.
ppc stable, ready for GLSA voting.
/vote YES.
Voting YES, let's have a GLSA.
that was GLSA 200705-09, thanks everybody