From owner-freebsd-security@FreeBSD.ORG Thu Mar 23 09:03:34 2006
Date: Thu, 23 Mar 2006 11:03:10 +0200 (EET)
From: Dmitry Pryanishnikov
To: FreeBSD-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
In-Reply-To: <200603221611.k2MGBNaj010025@freefall.freebsd.org>
Message-ID: <20060323110015.R99976@atlantis.atlantis.dp.ua>
References: <200603221611.k2MGBNaj010025@freefall.freebsd.org>
List-Id: "Security issues [members-only posting]"

Hello!

On Wed, 22 Mar 2006, FreeBSD Security Advisories wrote:

> II. Problem Description
>
> IPsec provides an anti-replay service which when enabled prevents an attacker
> from successfully executing a replay attack. This is done through the
> verification of sequence numbers.
> A programming error in the fast_ipsec(4)
> implementation results in the sequence number associated with a Security
> Association not being updated, allowing packets to unconditionally pass
> sequence number verification checks.
>
> III. Impact
>
> An attacker able to intercept IPsec packets can replay them. If higher
> level protocols which do not provide any protection against packet replays
> (e.g., UDP) are used, this may have a variety of effects.

As far as I understood, only systems which use "options FAST_IPSEC" are
affected by this issue. Is it true? If so, wouldn't it be wise to stress
this fact in the advisory?

Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
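The advisory quoted above describes the anti-replay check only in one sentence. The following is an added illustration, not code from FreeBSD or from the fast_ipsec(4) implementation: a simplified model of the IPsec anti-replay window (RFC 4303, section 3.4.3) for a single Security Association. The `update_state` flag, the 64-bit window and the packet trace are assumptions made for the example; with the flag cleared, the per-SA sequence state is checked but never advanced, which reproduces the class of failure the advisory describes: every packet looks newer than anything seen before, so replays pass the check.

```c
/*
 * Added example, not code from FreeBSD or the fast_ipsec(4) implementation:
 * a simplified model of the IPsec anti-replay window (RFC 4303, section
 * 3.4.3) on a single Security Association. The `update_state` flag is an
 * assumption used to illustrate the class of bug the advisory describes:
 * when the per-SA sequence state is checked but never advanced, every
 * packet looks "newer than anything seen" and replays pass the check.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64   /* assumed window size; bitmap fits a uint64_t */

struct sa_replay {
    uint32_t last_seq;     /* highest sequence number accepted so far */
    uint64_t bitmap;       /* bit i set => last_seq - i was already received */
    bool     update_state; /* false reproduces the "never updated" failure */
};

void sa_replay_init(struct sa_replay *s, bool update_state)
{
    s->last_seq = 0;
    s->bitmap = 0;
    s->update_state = update_state;
}

/* Returns true if `seq` is accepted, false if it is a replay or too old. */
bool sa_replay_check(struct sa_replay *s, uint32_t seq)
{
    uint32_t diff;

    if (seq == 0)
        return false;  /* sequence number 0 is never valid */

    if (seq > s->last_seq) {
        /* New packet: slide the window forward so it becomes the newest. */
        diff = seq - s->last_seq;
        if (s->update_state) {
            s->bitmap = (diff >= REPLAY_WINDOW) ? 0 : (s->bitmap << diff);
            s->bitmap |= 1;
            s->last_seq = seq;
        }
        return true;
    }

    diff = s->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;  /* older than the window: reject */
    if (s->bitmap & ((uint64_t)1 << diff))
        return false;  /* bit already set: this is a replay */
    if (s->update_state)
        s->bitmap |= (uint64_t)1 << diff;  /* mark as received */
    return true;
}

/* Runs a constructed wire trace (sequence numbers as an interceptor would
 * see them, with the attacker re-sending 3, 5 and 2) through one SA and
 * returns how many packets were accepted. */
int demo_trace_accepted(bool update_state)
{
    static const uint32_t trace[] = { 1, 2, 3, 5, 4, 3, 5, 6, 2 };
    struct sa_replay sa;
    int accepted = 0;
    size_t i;

    sa_replay_init(&sa, update_state);
    for (i = 0; i < sizeof trace / sizeof trace[0]; i++)
        if (sa_replay_check(&sa, trace[i]))
            accepted++;
    return accepted;
}

int main(void)
{
    printf("correct anti-replay: %d of 9 packets accepted\n",
           demo_trace_accepted(true));   /* 6: the three replays are rejected */
    printf("state never updated: %d of 9 packets accepted\n",
           demo_trace_accepted(false));  /* 9: every replay passes */
    return 0;
}
```

The out-of-order packet 4 arriving after 5 is still accepted, because the window bitmap records which recent sequence numbers have been seen rather than requiring strict ordering; only a sequence number that is already marked, or one that has fallen more than the window size behind, is rejected. With the state never advanced, `last_seq` stays at 0 and the first branch accepts everything, which is the "unconditionally pass" behaviour the advisory describes.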