From: Ralf Spenneberg <ralf@spenneberg.net>
To: security@freebsd.org, security@netbsd.org, security@apple.com
Date: 07 Apr 2004 07:15:03 +0200
Subject: Possible security hole in racoon verified on FreeBSD using racoon-20030711

Hi,

while testing racoon on Linux (based on the ported ipsec-tools) the following issue appeared: Racoon did not verify the RSA signatures during Phase 1 in either main or aggressive mode. Authentication was possible using a correct certificate and a wrong private key.

I have verified the below problem using racoon-20030711 on FreeBSD 4.9. I will test it using the SNAP Kit but suspect it to be vulnerable, too. Probably other implementations like racoon and MacOSX are vulnerable, too. On Linux the issue was resolved with the attached patch.

Could you look into this? I would like to publish a Bugtraq report after the weekend, provided that you have confirmed that either your racoon is not vulnerable or you have patches available.

Regards,

Ralf

-- 
Ralf Spenneberg
UNIX/Linux Trainer and Consultant, RHCE, RHCX
Waldring 34
48565 Steinfurt
Germany
Phone: +49(0)2552 638 755
Fax: +49(0)2552 638 757
Mobile: +49(0)177 567 27 40

Markt+Technik book: Intrusion Detection für Linux Server
Addison-Wesley book: VPN mit Linux
IPsec-Howto: http://www.ipsec-howto.org
IPsec/PPTP Kernels for Red Hat Linux: http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror: http://honeynet.spenneberg.org
Snort Mirror: http://snort.spenneberg.org
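The check the report describes as missing, shown as an added Go example that is not part of the original message or of racoon: the Phase 1 SIG payload is verified against the public key taken from the peer's certificate, so a signature produced with a key that does not match the certificate is rejected. It assumes a constructed self-signed certificate, PKCS#1 v1.5 signatures over a SHA-1 stand-in for the Phase 1 hash, and the function names makeCert, VerifySig and Demo are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a constructed self-signed certificate for key, standing in for the peer's CERT payload.
func makeCert(key *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "peer (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // test fixture only
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// VerifySig is the step the report says racoon skipped: the SIG payload must
// verify (PKCS#1 v1.5) under the public key carried in the peer's certificate.
func VerifySig(cert *x509.Certificate, hash, sig []byte) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an RSA public key")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, hash, sig)
}

// Demo signs a stand-in Phase 1 hash with the certificate's own key and with an unrelated ("wrong") key, and returns whether each is accepted.
func Demo() (ownAccepted, wrongAccepted bool) {
	ownKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	wrongKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert := makeCert(ownKey)
	h := sha1.Sum([]byte("constructed stand-in for the HASH_I payload"))
	ownSig, _ := rsa.SignPKCS1v15(rand.Reader, ownKey, crypto.SHA1, h[:])
	wrongSig, _ := rsa.SignPKCS1v15(rand.Reader, wrongKey, crypto.SHA1, h[:])
	return VerifySig(cert, h[:], ownSig) == nil, VerifySig(cert, h[:], wrongSig) == nil
}

func main() {
	fmt.Println(Demo()) // true false
}
```

An implementation that accepts the certificate without running VerifySig behaves as the report describes: it would return true for both signatures.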