Date: Wed, 8 Oct 2003 13:57:36 -0400 (EDT)
From: Joachim Schueth <dl2kcd@m-net.arbornet.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: dl2kcd@darc.de
Subject: kern/57760: IPsec policy on inbound traffic is not enforced (allows spoofing)
Message-ID: <200310081757.h98HvaPp017917@m-net.arbornet.org>
Resent-Message-ID: <200310081800.h98I0Nop075442@freefall.freebsd.org>
>Number:         57760
>Category:       kern
>Synopsis:       IPsec policy on inbound traffic is not enforced (allows spoofing)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 08 11:00:22 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Joachim Schueth <dl2kcd@darc.de>
>Release:        FreeBSD 4.8-RELEASE-p13 i386
>Organization:
>Environment:
System: FreeBSD 4.8-RELEASE-p13 i386
>Description:
A host with an IPsec policy that requires ESP with authentication or AH on inbound traffic accepts plain IP packets that carry no authentication. This allows bypassing the IPsec authentication mechanism.
>How-To-Repeat:
The following example uses ESP with authentication, but the effect is the same with AH.

Configure two hosts running FreeBSD 4.8-RELEASE-p13 with IP addresses of 192.168.0.26 and 192.168.0.42, respectively (called host26 and host42 below).

On host42 (the target host), use the following setkey script:

    flush;
    spdflush;
    add 192.168.0.26 192.168.0.42 esp 0x026042 -E 3des-cbc "xxxxxxxxxxxxxxxxxxxxxxxx" -A hmac-sha1 "hhhhhhhhhhhhhhhhhhhh";
    add 192.168.0.42 192.168.0.26 esp 0x042026 -E 3des-cbc "AAAAAAAAAAAAAAAAAAAAAAAA" -A hmac-sha1 "rrrrrrrrrrrrrrrrrrrr";
    spdadd 192.168.0.0/24 192.168.0.0/24 any -P in ipsec esp/transport//require;
    spdadd 192.168.0.0/24 192.168.0.0/24 any -P out ipsec esp/transport//require;

On host26 (the attacking host), use the same setkey script but omit the spdadd lines. This means that host26 has the correct security associations to accept the ESP packets of host42, but host26 itself will not use IPsec on outgoing packets.

Then establish a TCP connection between host26 and host42, e.g. by connecting to host42 from host26 via ftp. The connection succeeds, and a network dump shows ESP from host42 to host26, but plain TCP packets in the other direction.
These packets are accepted by host42 despite the -P in .../require policy, which is essentially ignored. Thus, an attacker could inject spoofed packets into an ESP connection simply by omitting the IPsec elements. The same behaviour is observed when AH is used. Note that ICMP ping packets are apparently dropped as expected, but not TCP packets.
>Fix:
This has to be fixed in the kernel. As a workaround, ipfw may be used to limit non-IPsec traffic.
>Release-Note:
>Audit-Trail:
>Unformatted:
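The check the reporter did by hand on the network dump (ESP in one direction, cleartext TCP in the other, and a connection that nonetheless completes) can be automated over a tcpdump trace. The script below is an added example, not code from the PR or from FreeBSD: it applies the PR's SPD selector (both endpoints inside 192.168.0.0/24 must use ESP or AH) to each captured packet, lists the cleartext violations per direction, and, separately, reports which cleartext packets the target answered through its ESP SA, which is the evidence that the inbound require policy was not enforced for them. The sample trace is constructed to mirror the PR's scenario and assumes tcpdump's older one-line output style (`src.port > dst.port:` followed by `ESP(...)`, `AH(...)`, `icmp:`, `udp` or TCP flags); adapt `LINE_RE` for other formats.

```python
"""Audit a tcpdump trace against an IPsec 'require' policy.

Added example (not part of PR kern/57760 or of FreeBSD). The trace below is
constructed to match the report: host26 (192.168.0.26) talks to host42
(192.168.0.42) in cleartext TCP, host42 answers in ESP, and a cleartext ping
gets no answer.
"""
import ipaddress
import re

# Constructed sample in old tcpdump style; not a real capture.
SAMPLE_DUMP = """\
13:57:36.100000 192.168.0.26.1033 > 192.168.0.42.21: S 1000:1000(0) win 65535
13:57:36.100500 192.168.0.42 > 192.168.0.26: ESP(spi=0x00042026,seq=0x1)
13:57:36.101000 192.168.0.26.1033 > 192.168.0.42.21: . ack 1 win 65535
13:57:36.101500 192.168.0.42 > 192.168.0.26: ESP(spi=0x00042026,seq=0x2)
13:57:37.000000 192.168.0.26 > 192.168.0.42: icmp: echo request
13:57:38.000000 192.168.0.99 > 192.168.1.5: icmp: echo request
"""

# timestamp, src[.port] > dst[.port]: rest   (assumed tcpdump line layout)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\w+))?\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\w+))?:\s*"
    r"(?P<rest>.*)$"
)


def classify(rest):
    """Map the part after the address pair to esp/ah/icmp/udp/tcp."""
    if rest.startswith("ESP("):
        return "esp"
    if rest.startswith("AH("):
        return "ah"
    if rest.startswith("icmp"):
        return "icmp"
    if rest.startswith("udp"):
        return "udp"
    return "tcp"  # old tcpdump prints TCP segments as flags: S . P F R


def parse(dump_text):
    """Yield (src, dst, kind) for every line LINE_RE recognises."""
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), classify(m.group("rest"))


def audit(dump_text, policy_net="192.168.0.0/24"):
    """Apply 'spdadd net net any -P in/out ipsec esp/transport//require':
    every packet with both ends inside policy_net must be ESP or AH.
    Returns ({(src, dst): {"ipsec": n, "cleartext": n}}, [violations])."""
    net = ipaddress.ip_network(policy_net)
    per_dir = {}
    violations = []
    for src, dst, kind in parse(dump_text):
        if ipaddress.ip_address(src) not in net or ipaddress.ip_address(dst) not in net:
            continue  # outside the SPD selector
        counts = per_dir.setdefault((src, dst), {"ipsec": 0, "cleartext": 0})
        if kind in ("esp", "ah"):
            counts["ipsec"] += 1
        else:
            counts["cleartext"] += 1
            violations.append((src, dst, kind))
    return per_dir, violations


def answered_cleartext(dump_text, target):
    """Kinds of cleartext packet that `target` answered through its SA.

    A cleartext packet to `target` followed later by an ESP/AH packet from
    `target` back to the same peer shows the kernel processed the cleartext
    packet despite the inbound 'require' policy. A cleartext packet with no
    such reply is consistent with having been dropped."""
    records = list(parse(dump_text))
    answered = set()
    for i, (src, dst, kind) in enumerate(records):
        if dst != target or kind in ("esp", "ah"):
            continue
        if any(s == target and d == src and k in ("esp", "ah")
               for s, d, k in records[i + 1:]):
            answered.add(kind)
    return answered


if __name__ == "__main__":
    per_dir, violations = audit(SAMPLE_DUMP)
    for (src, dst), counts in sorted(per_dir.items()):
        print(f"{src} -> {dst}: ipsec={counts['ipsec']} cleartext={counts['cleartext']}")
    print("cleartext violations:", violations)
    print("cleartext kinds answered by 192.168.0.42:",
          answered_cleartext(SAMPLE_DUMP, "192.168.0.42"))
```

On the constructed trace the audit reports three cleartext packets from host26 to host42 and none in the reverse direction; `answered_cleartext` returns only `tcp`, matching the report's observation that plain TCP got through while the plain ping was apparently dropped. A wire capture alone cannot prove acceptance, which is why the reply check is kept separate from the raw violation count.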