From: Pawel Jakub Dawidek
To: Dmitry Pryanishnikov
Cc: FreeBSD-security@freebsd.org
Date: Thu, 23 Mar 2006 12:28:44 +0100
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
Message-ID: <20060323112844.GA18526@garage.freebsd.pl>
In-Reply-To: <20060323110015.R99976@atlantis.atlantis.dp.ua>

On Thu, Mar 23, 2006 at 11:03:10AM +0200, Dmitry Pryanishnikov wrote:
>
> Hello!
>
> On Wed, 22 Mar 2006, FreeBSD Security Advisories wrote:
> > II. Problem Description
> >
> > IPsec provides an anti-replay service which when enabled prevents an attacker
> > from successfully executing a replay attack. This is done through the
> > verification of sequence numbers. A programming error in the fast_ipsec(4)
> > implementation results in the sequence number associated with a Security
> > Association not being updated, allowing packets to unconditionally pass
> > sequence number verification checks.
> >
> > III. Impact
> >
> > An attacker able to intercept IPSec packets can replay them. If higher
> > level protocols which do not provide any protection against packet replays
> > (e.g., UDP) are used, this may have a variety of effects.
>
> As far as I understood, only systems which use "options FAST_IPSEC" are
> affected by this issue. Is it true? If so, wouldn't it be wise to stress this
> fact in the advisory?

Yes, only FAST_IPSEC and only ESP (AH is ok).

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
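
The sequence-number verification described in the quoted advisory, as an added example that is not part of the original message and is not the fast_ipsec(4) source: a generic sliding-window anti-replay receiver with separate check and update steps. The names replay_state, replay_check, replay_update and deliver_twice and the 32-packet window are assumptions made for the example; skipping the update step reproduces the described failure mode, where a repeated sequence number keeps passing the check.

```c
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 32u /* window size in packets; assumed for this example */

/* Receiver-side anti-replay state for one Security Association. */
struct replay_state {
    uint32_t last_seq; /* highest sequence number accepted so far */
    uint32_t bitmap;   /* bit i set => (last_seq - i) was already accepted */
};

/* Check step: 1 if seq may be accepted, 0 if it is a replay or too old. */
int replay_check(const struct replay_state *rs, uint32_t seq)
{
    if (seq == 0) return 0;            /* 0 is never a valid sequence number */
    if (seq > rs->last_seq) return 1;  /* newer than anything seen so far */
    uint32_t diff = rs->last_seq - seq;
    if (diff >= REPLAY_WINDOW) return 0; /* older than the window's left edge */
    return (rs->bitmap & (1u << diff)) == 0; /* reject if already seen */
}

/* Update step: call only for a packet that passed replay_check() and authenticated. */
void replay_update(struct replay_state *rs, uint32_t seq)
{
    if (seq > rs->last_seq) {
        uint32_t shift = seq - rs->last_seq;
        rs->bitmap = (shift < REPLAY_WINDOW) ? (rs->bitmap << shift) | 1u : 1u;
        rs->last_seq = seq;
    } else {
        rs->bitmap |= 1u << (rs->last_seq - seq);
    }
}

/* Deliver one sequence number twice; do_update == 0 models state never being recorded. */
int deliver_twice(uint32_t seq, int do_update)
{
    struct replay_state rs = { 0, 0 };
    int accepted = 0;
    for (int i = 0; i < 2; i++) {
        if (!replay_check(&rs, seq)) continue;
        accepted++;
        if (do_update) replay_update(&rs, seq);
    }
    return accepted; /* number of copies that passed the check */
}

int main(void)
{
    printf("updated: %d, not updated: %d\n", deliver_twice(5, 1), deliver_twice(5, 0));
    return 0;
}
```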