Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 173219 - net-firewall/ipsec-tools DoS (CVE-2007-1841)
Summary: net-firewall/ipsec-tools DoS (CVE-2007-1841)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa] jaervosz
: 174026 (view as bug list)
Depends on:
Reported: 2007-04-03 05:37 UTC by Sune Kloppenborg Jeppesen
Modified: 2007-05-08 20:05 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---

patch-racoon-isakmp_inf.c-recv (patch-racoon-isakmp_inf.c-recv,772 bytes, patch)
2007-04-03 14:55 UTC, Sune Kloppenborg Jeppesen
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2007-04-03 05:37:41 UTC
The ISAKMP RFC makes it clear that informational exchanges with a  
delete payload should be encrypted.  This attack consists of sending  
an informational exchange message during the beginning of phase 1  
before the point where packets are encrypted.  If the message,  
directed at one of the 2 peers, contains the source address of the  
other peer, the correct cookie(s), a bogus hash payload, and a delete  
payload indicating that the ISAKMP SAs have been deleted, the packet  
will get through and terminate the exchange.

In the file isakmp_inf.c the function isakmp_info_recv() checks if  
the message is encrypted, and if so, decrypts it and verifies that  
the hash is present and correct.  If the message is not encrypted,  
which is allowed for some informational exchanges, then that part is  
skipped.  It then checks the state of the phase 1 negotiation and  
discards the message if its past the point where messages should be  
encrypted.  Since the attack is sent before that point, the message  
is passed.  It then calls isakmp_info_recv_d() which does not check  
that the message was encrypted.  It only checks that a hash payload  
is present, but does not check its validity, so the hash payload can  
contain anything.  The delete payload is then processed, terminating  
the attempt to establish ISAKMP SAs.

The fix is simply to check that the message was encrypted before  
calling isakmp_info_recv_d().
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-03 14:55:39 UTC
Created attachment 115370 [details, diff]
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-10 12:50:53 UTC
This goes public now.

Hi Letexer, any news on this one? thanks
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-10 12:52:34 UTC
*** Bug 174026 has been marked as a duplicate of this bug. ***
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-18 05:30:59 UTC
-dev mailed for assistance.
Comment 5 Daniel Black (RETIRED) gentoo-dev 2007-04-21 07:43:21 UTC
i'll add a update soon.
Comment 6 Daniel Black (RETIRED) gentoo-dev 2007-04-21 12:33:08 UTC
ebuild added. awaiting review from users in bug #152971 before going stable.
Comment 7 Bill Merriam 2007-04-29 16:39:02 UTC
The 0.6.7 ebuild has a DEPEND  kerberos? ( app-crypt/mit-krb5 ).  This doesn't work with Heimdal.  I believe it should read something like kerberos? ( virtual/krb5 )
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-30 08:25:25 UTC
Daniel please comment.
Comment 9 Daniel Black (RETIRED) gentoo-dev 2007-04-30 09:15:51 UTC
(In reply to comment #7)
> This doesn't
> work with Heimdal.
So it works with heimdal? - I got bug #176541 but I'm going to assume it compiles under other conditions.
> I believe it should read something like kerberos? (
> virtual/krb5 )
Changed as requested.

Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-30 12:37:06 UTC
*** Bug 176558 has been marked as a duplicate of this bug. ***
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-30 12:39:18 UTC
Thx Daniel.

Arches please test and mark stable. Target keywords are:

ipsec-tools-0.6.7.ebuild:KEYWORDS=""amd64 ppc sparc x86"
Comment 12 Steve Dibb (RETIRED) gentoo-dev 2007-04-30 13:42:35 UTC
amd64 stable
Comment 13 Markus Meier gentoo-dev 2007-05-01 10:06:39 UTC
net-firewall/ipsec-tools-0.6.7  USE="hybrid idea ipv6 kerberos ldap nat pam rc5 readline (-selinux)"
1. emerges on x86
2. passes collision test

Portage (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, i686)
System uname: i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Tue, 01 May 2007 09:00:09 +0000
dev-java/java-config: 1.3.7, 2.0.31-r5
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.15-r1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
LINGUAS="en de en_GB de_CH"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
USE="X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal ldap libg++ mad midi mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
Comment 14 Markus Meier gentoo-dev 2007-05-01 10:14:55 UTC
(In reply to comment #13)
> net-firewall/ipsec-tools-0.6.7  USE="hybrid idea ipv6 kerberos ldap nat pam rc5
> readline (-selinux)"
> 1. emerges on x86
> 2. passes collision test

3. passes test suite, sorry for the bugspam...
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2007-05-01 11:28:23 UTC
x86 stable, thanks Markus.
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-02 13:42:28 UTC
sparc stable.
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2007-05-03 18:39:55 UTC
ppc stable, ready for GLSA voting.
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-03 18:44:20 UTC
/vote YES.
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-03 18:53:29 UTC
Voting YES, let's have a GLSA.
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-08 20:05:37 UTC
that was GLSA 200705-09, thanks everybody