From owner-freebsd-security  Mon Oct 21 18:19:57 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id CC0FD37B401
	for ; Mon, 21 Oct 2002 18:19:50 -0700 (PDT)
Received: from obsidian.sentex.ca (obsidian.sentex.ca [64.7.128.101])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 203D143E75
	for ; Mon, 21 Oct 2002 18:19:50 -0700 (PDT)
	(envelope-from mike@sentex.net)
Received: from simian.sentex.net (pyroxene.sentex.ca [199.212.134.18])
	by obsidian.sentex.ca (8.12.6/8.12.6) with ESMTP id g9M1JfTt036822
	for ; Mon, 21 Oct 2002 21:19:41 -0400 (EDT)
	(envelope-from mike@sentex.net)
Message-Id: <5.1.1.6.0.20021021211946.05c98cf8@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.1.1
Date: Mon, 21 Oct 2002 21:21:08 -0400
To: security@freebsd.org
From: Mike Tancsa <mike@sentex.net>
Subject: Fwd: [Full-Disclosure] NetBSD Security Advisory 2002-016: Insufficient length check in ESP authentication data
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: By Sentex Communications (obsidian/20020517)
X-Spam-Status: No, hits=-3.8 required=5.0
	tests=FWD_MSG,MAILTO_WITH_SUBJ,PGP_SIGNATURE,QUOTED_EMAIL_TEXT,SPAM_PHRASE_02_03
	version=2.41
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It would appear the CERT url below mentions FreeBSD as well being vulnerable.

	---Mike

>To: full-disclosure@lists.netsys.com
>From: NetBSD Security Officer
>Organisation: The NetBSD Foundation, Inc.
>Reply-To: NetBSD Security Officer
>Subject: [Full-Disclosure] NetBSD Security Advisory 2002-016: Insufficient
>  length check in ESP authentication data
>Sender: full-disclosure-admin@lists.netsys.com
>X-BeenThere: full-disclosure@lists.netsys.com
>X-Mailman-Version: 2.0.12
>List-Id: Discussion of security issues
>Date: Tue, 22 Oct 2002 09:39:32 +0900
>X-Spam-Status: No, hits=-7.9 required=5.0
>  tests=COPYRIGHT_CLAIMED,PGP_SIGNATURE version=2.11
>X-Virus-Scanned: By Sentex Communications (avscan1/20020517)
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>		 NetBSD Security Advisory 2002-016
>		 =================================
>
>Topic:		Insufficient length check in ESP authentication data
>
>Version:	NetBSD-current:	source prior to August 23, 2002
>		NetBSD-1.6 beta:	source prior to August 23, 2002
>		NetBSD-1.5.3:		affected
>		NetBSD-1.5.2:		affected
>		NetBSD-1.5.1:		affected
>		NetBSD-1.5:		affected
>		NetBSD-1.4.*:		not affected (no IPsec shipped with it)
>
>Severity:	remote denial of service (kernel panic by malicious packet)
>
>Fixed:		NetBSD-current:		August 23, 2002
>		NetBSD-1.6 branch:	August 23, 2002 (1.6 includes the fix)
>		NetBSD-1.5 branch:	September 5, 2002
>
>Abstract
>========
>
>The KAME-based IPsec implementation included in NetBSD was missing
>some packet length checks, and could be tricked into passing a negative
>value as buffer length.  By transmitting a specially-formed (very
>short) ESP packet, a malicious sender can cause a kernel panic
>on the victim node.
>
>For the attack to be effective the attacker has to have knowledge of
>the ESP settings being used by the victim node (wiretapping traffic
>would achieve this).  Also, the victim node has to be configured with
>a certain ESP security association (SA).
>
>The publication of this advisory is delayed to coordinate with third parties.
>
>
>Technical Details
>=================
>
>http://www.kb.cert.org/vuls/id/459371
>
>Your system is not vulnerable if:
>  - you do not enable IPsec ESP in the kernel (options IPSEC_ESP), or
>  - you do not have an IPsec ESP SA with an ESP authentication data setting
>    active on your system.  However, if you have IPSEC_ESP enabled, we
>    suggest upgrading your kernel to bring in the fix, even if you are
>    not presently using IPsec.
>
>
>Solutions and Workarounds
>=========================
>
>The recent NetBSD 1.6 release is not vulnerable to this issue.  A full
>upgrade to NetBSD 1.6 is the recommended resolution for all users able
>to do so.  Many security-related improvements have been made, and
>indeed this release has been delayed several times in order to include
>fixes for a number of recent issues.
>
>If you are using ESP with authentication, you must upgrade to avoid
>the vulnerability, as described below for your version of NetBSD:
>
>* NetBSD-current:
>
>	Systems running NetBSD-current dated from before 2002-08-23
>	should be upgraded to NetBSD-current dated 2002-08-23 or later.
>
>	The kernel code needs to be updated from the netbsd-1-6 CVS branch.
>
>	To update from CVS:
>		# cd src
>		# cvs update -d -P sys
>
>	See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>	on how you rebuild the kernel.
>
>
>* NetBSD 1.6 betas:
>
>	Systems running NetBSD 1.6 BETAs and Release Candidates should
>	be upgraded to the NetBSD 1.6 release.
>
>	If a source-based point upgrade is required, sources from the
>	NetBSD 1.6 branch dated 2002-08-23 or later should be used.
>
>	The kernel code needs to be updated from the netbsd-1-6 CVS branch.
>
>	To update from CVS:
>		# cd src
>		# cvs update -d -P -r netbsd-1-6 sys
>
>	See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>	for instructions on how you rebuild the kernel.
>
>
>* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
>
>	Systems running the NetBSD 1.5 branch dated from before 2002-09-05
>	should be upgraded to the NetBSD 1.5 tree dated 2002-09-05 or later.
>
>	The kernel code needs to be updated from the netbsd-1-5 CVS branch.
>
>	To update from CVS:
>		# cd src
>		# cvs update -d -P -r netbsd-1-5 sys
>
>	See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>	for instructions on how you rebuild the kernel.
>
>
>Thanks To
>=========
>
>Todd Sabin and BindView for analysis and report.
>
>The NetBSD Release Engineering teams, for great patience and
>assistance in dealing with repeated security issues discovered
>recently.
>
>
>Revision History
>================
>
>	2002-10-22	Initial release
>
>
>More Information
>================
>
>An up-to-date PGP signed copy of this release will be maintained at
>
>ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-016.txt.asc
>
>Information about NetBSD and NetBSD security can be found at
>http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
>
>
>Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.
>
>$NetBSD: NetBSD-SA2002-016.txt,v 1.16 2002/10/22 00:27:56 itojun Exp $
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.3ia
>Charset: noconv
>
>iQCVAwUBPbSbdD5Ru2/4N2IFAQGFwAQAlHyFjYgN3FMHu+V9SGRZVgVpUWgVYDHJ
>UWBKb/wNECmFHQ+pXNFmXfnV7Ly7OZCsiUiKVRHgkWqNH9r75WyAwmK7nEoPXAn8
>w1fe7dVqpiuKL/uyDe3T/oWKGIbbGk7iU624TeJrB99aj6el2rB/jOdzu4LVIgRm
>5rQdRYKniWM=
>=cNIB
>-----END PGP SIGNATURE-----
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
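The advisory's abstract describes the bug class rather than the code: a missing packet length check lets a very short ESP packet turn into a negative buffer length, which a kernel then treats as a size. The C example below is added here and is not KAME, NetBSD or FreeBSD code; it shows a hypothetical unchecked length computation next to the checked form a defender would want in an ESP input path, exercised on constructed packet sizes. The constants ESP_HDR_LEN and ESP_TRAILER_LEN follow the ESP wire format (SPI + sequence number; pad length + next header), while the function names, the blocksize parameter and the sample lengths are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Fixed-size ESP header: SPI (4 bytes) + sequence number (4 bytes). */
#define ESP_HDR_LEN     8
/* ESP trailer inside the encrypted region: pad length (1) + next header (1). */
#define ESP_TRAILER_LEN 2

/*
 * Hypothetical "before" form (not KAME's actual code): the body length is
 * derived by subtraction with no check that the packet is long enough to
 * hold the header and the authentication data at all.  A too-short packet
 * yields a negative value; if that value is later passed to code expecting
 * an unsigned size, it is interpreted as a huge length.
 */
long esp_body_len_unchecked(size_t pktlen, size_t authlen)
{
    return (long)pktlen - ESP_HDR_LEN - (long)authlen;
}

/*
 * Hardened form: account for every field the packet must carry before any
 * arithmetic that could go negative.  Returns the length of the encrypted
 * region (IV + ciphertext + trailer), or -1 to signal that the packet must
 * be dropped and counted rather than processed.  blocksize is the cipher
 * block size; pass 1 to skip the block-alignment check.
 */
long esp_body_len_checked(size_t pktlen, size_t authlen, size_t blocksize)
{
    /* Header, authentication data and at least the two trailer bytes. */
    if (pktlen < ESP_HDR_LEN + authlen + ESP_TRAILER_LEN)
        return -1;

    size_t body = pktlen - ESP_HDR_LEN - authlen;

    /* The encrypted region must be a whole number of cipher blocks. */
    if (blocksize > 1 && body % blocksize != 0)
        return -1;

    return (long)body;
}

int main(void)
{
    /* Constructed sample sizes: a 12-byte ICV (HMAC-*-96) and an 8-byte block. */
    const size_t authlen = 12, blocksize = 8;
    size_t samples[] = { 10, 20, 36, 37 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = samples[i];
        printf("pktlen=%2zu  unchecked=%3ld  checked=%3ld\n", len,
               esp_body_len_unchecked(len, authlen),
               esp_body_len_checked(len, authlen, blocksize));
    }
    return 0;
}
```

The unchecked path returns -10 for a 10-byte packet, which is the shape of value the advisory says reached the kernel as a buffer length; the checked path rejects anything shorter than header plus ICV plus trailer, and also rejects bodies that are not block-aligned, so the decryption step never sees a length it cannot trust.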