First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 53915
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: gen2daniel <gen2daniel@gmx.net>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 53915 depends on: Show dependency tree
Bug 53915 blocks:
Votes: 0    Show votes for this bug    Vote for this bug

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2004-06-14 12:59 0000 
"Summary

  There is a severe bug in racoon's authentication via digital
  signatures with certificates.

Description

  racoon verifies the peer's certificate using eay_check_x509cert().
  For some strange reason eay_check_x509cert() sets a verify callback:

    X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert);

  Verify callbacks are usually used for debugging purpose. Take a look
  at what racoon uses the verify callback for: 

    static int
    cb_check_cert(ok, ctx)
            int ok;
            X509_STORE_CTX *ctx;
    {
            char buf[256];
            int log_tag;

            if (!ok) {
                    [..]
                    switch (ctx->error) {
                    case X509_V_ERR_CERT_HAS_EXPIRED:
                    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
    #if OPENSSL_VERSION_NUMBER >= 0x00905100L
                    case X509_V_ERR_INVALID_CA:
                    case X509_V_ERR_PATH_LENGTH_EXCEEDED:
                    case X509_V_ERR_INVALID_PURPOSE:
    #endif
                            ok = 1;
                            log_tag = LLV_WARNING;
                            break;
                    default:
                            log_tag = LLV_ERROR;
                    }
                    [..]
            }
            ERR_clear_error();

            return ok;
    }

  If OpenSSL fails on verifying the certificate, because it is expired,
  self-signed, signed by an inappropriate CA, not allowed for that
  purpose or the certificate chain is too long, racoon does not care
  about that and declares the verification successful. I dare to say
  that is brain dead.

Affected Systems

  All version of racoon known to me are vulnerable.

Impact

  IMO besides remote privilege escalation that is the worst case
  scenario for an IKE daemon.

Solution?

  There are no bug fixes, yet. I recommend not using racoon at all.

Thomas Walpuski"


Reproducible: Didn't try
Steps to Reproduce:
1.
2.
3.

------- Comment #1 From fbusse@gmx.de 2004-06-15 10:17:35 0000 ------- 
ipsec-tools 0.3.3 has been released, including a fix for this problem.
http://sourceforge.net/project/shownotes.php?release_id=245982

------- Comment #2 From Thierry Carrez (RETIRED) 2004-06-15 13:18:03 0000 ------- 
plasmaroo: you are the maintainer for this, can you bump it ?

------- Comment #3 From Tim Yamin (RETIRED) 2004-06-15 14:33:43 0000 ------- 
Done; in CVS and stable on x86. "~sparc" left as such since no "sparc"'s exist.
"amd64" changed to "~amd64"; and this needs to be stablized to "amd64" so can
the AMD64 team please do so? Thanks...

------- Comment #4 From Sune Kloppenborg Jeppesen 2004-06-16 05:57:55 0000 ------- 
GLSA drafted: security please review.

amd64 please mark stable.

Remember to remove old unneeded versions from portage.

------- Comment #5 From Danny van Dyk (RETIRED) 2004-06-21 12:57:42 0000 ------- 
Sorry for the delay. Stable on amd64 at last!

------- Comment #6 From Thierry Carrez (RETIRED) 2004-06-22 10:26:42 0000 ------- 
GLSA 200406-17
First Last Prev Next    No search results available      Search page      Enter new bug