From security-officer@netbsd.org Mon Oct 21 21:33:59 2002 From: NetBSD Security Officer To: full-disclosure@lists.netsys.com Date: Tue, 22 Oct 2002 09:39:32 +0900 Subject: [Full-Disclosure] NetBSD Security Advisory 2002-016: Insufficient length check in ESP authentication data -----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-016 ================================= Topic: Insufficient length check in ESP authentication data Version: NetBSD-current: source prior to August 23, 2002 NetBSD-1.6 beta: source prior to August 23, 2002 NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected NetBSD-1.4.*: not affected (no IPsec shipped with it) Severity: remote denial of service (kernel panic by malicious packet) Fixed: NetBSD-current: August 23, 2002 NetBSD-1.6 branch: August 23, 2002 (1.6 includes the fix) NetBSD-1.5 branch: September 5, 2002 Abstract ======== The KAME-based IPsec implementation included in NetBSD was missing some packet length checks, and could be tricked into passing negative value as buffer length. By transmiting a specially-formed (very short) ESP packet, a malicious sender can cause a cause kernel panic on the victim node. For the attack to be effective the attacker has to have knowledge of the ESP settings being used by the victim node (wiretapping traffic would achieve this). Also victim node has to be configured with certain ESP security-association (SA). The publication of this advisory is delayed to coordinate with third parties. Technical Details ================= http://www.kb.cert.org/vuls/id/459371 Your system is not vulnerable if: - you do not enable IPsec ESP in the kernel (options IPSEC_ESP), or - you do not have IPsec ESP SA with ESP authentication data setting active on your system. However, if you have IPSEC_ESP enabled, we suggest upgrading your kernel to bring in the fix, even if you are not presently using IPSec. Solutions and Workarounds ========================= The recent NetBSD 1.6 release is not vulnerable to this issue. A full upgrade to NetBSD 1.6 is the recommended resolution for all users able to do so. Many security-related improvements have been made, and indeed this release has been delayed several times in order to include fixes for a number of recent issues. If you are using ESP with authentication, you must upgrade to avoid the vulnerability, as described below for your version of NetBSD: * NetBSD-current: Systems running NetBSD-current dated from before 2002-08-23 should be upgraded to NetBSD-current dated 2002-08-23 or later. The kernel code needs to be updated from the netbsd-1-6 CVS branch. To update from CVS: # cd src # cvs update -d -P sys See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel on how you rebuild the kernel. * NetBSD 1.6 betas: Systems running NetBSD 1.6 BETAs and Release Candidates should be upgraded to the NetBSD 1.6 release. If a source-based point upgrade is required, sources from the NetBSD 1.6 branch dated 2002-08-23 or later should be used. The kernel code needs to be updated from the netbsd-1-6 CVS branch. To update from CVS: # cd src # cvs update -d -P -r netbsd-1-6 sys See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel for instructions on how you rebuild the kernel. * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3: Systems running NetBSD 1.5 branch dated from before 2002-09-05 should be upgraded to NetBSD 1.5 tree dated 2002-09-05 or later. The kernel code needs to be updated from the netbsd-1-5 CVS branch. To update from CVS: # cd src # cvs update -d -P -r netbsd-1-5 sys See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel for instructions on how you rebuild the kernel. Thanks To ========= Todd Sabin and BindView for analysis and report. The NetBSD Release Engineering teams, for great patience and assistance in dealing with repeated security issues discovered recently. Revision History ================ 2002-10-22 Initial release More Information ================ An up-to-date PGP signed copy of this release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-016.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-016.txt,v 1.16 2002/10/22 00:27:56 itojun Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBPbSbdD5Ru2/4N2IFAQGFwAQAlHyFjYgN3FMHu+V9SGRZVgVpUWgVYDHJ UWBKb/wNECmFHQ+pXNFmXfnV7Ly7OZCsiUiKVRHgkWqNH9r75WyAwmK7nEoPXAn8 w1fe7dVqpiuKL/uyDe3T/oWKGIbbGk7iU624TeJrB99aj6el2rB/jOdzu4LVIgRm 5rQdRYKniWM= =cNIB -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html