Date:      Mon, 21 Oct 2002 21:21:08 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        security@freebsd.org
Subject:   Fwd: [Full-Disclosure] NetBSD Security Advisory 2002-016: Insufficient length check in ESP authentication data
Message-ID:  <5.1.1.6.0.20021021211946.05c98cf8@marble.sentex.ca>


It would appear the CERT URL below mentions FreeBSD as being vulnerable as well.

         ---Mike


>To: full-disclosure@lists.netsys.com
>From: NetBSD Security Officer <security-officer@netbsd.org>
>Organisation: The NetBSD Foundation, Inc.
>Reply-To: NetBSD Security Officer <security-officer@netbsd.org>
>Subject: [Full-Disclosure] NetBSD Security Advisory 2002-016: Insufficient 
>length check in ESP authentication data
>Date: Tue, 22 Oct 2002 09:39:32 +0900
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>                 NetBSD Security Advisory 2002-016
>                 =================================
>
>Topic:          Insufficient length check in ESP authentication data
>
>Version:        NetBSD-current: source prior to August 23, 2002
>                 NetBSD-1.6 beta: source prior to August 23, 2002
>                 NetBSD-1.5.3:   affected
>                 NetBSD-1.5.2:   affected
>                 NetBSD-1.5.1:   affected
>                 NetBSD-1.5:     affected
>                 NetBSD-1.4.*:   not affected (no IPsec shipped with it)
>
>Severity:       remote denial of service (kernel panic by malicious packet)
>
>Fixed:          NetBSD-current:         August 23, 2002
>                 NetBSD-1.6 branch:      August 23, 2002 (1.6 includes the fix)
>                 NetBSD-1.5 branch:      September 5, 2002
>
>Abstract
>========
>
>The KAME-based IPsec implementation included in NetBSD was missing
>some packet length checks, and could be tricked into passing a negative
>value as the buffer length.  By transmitting a specially-formed (very
>short) ESP packet, a malicious sender can cause a kernel panic
>on the victim node.
>
>For the attack to be effective the attacker has to have knowledge of
>the ESP settings being used by the victim node (wiretapping traffic
>would achieve this).  Also, the victim node has to be configured with
>certain ESP security-association (SA).
>
>The publication of this advisory is delayed to coordinate with third parties.
>
>
>Technical Details
>=================
>
>http://www.kb.cert.org/vuls/id/459371
>
>Your system is not vulnerable if:
>  - you do not enable IPsec ESP in the kernel (options IPSEC_ESP), or
>  - you do not have IPsec ESP SA with ESP authentication data setting
>    active on your system. However, if you have IPSEC_ESP enabled, we
>    suggest upgrading your kernel to bring in the fix, even if you are
>    not presently using IPSec.
>
>
>Solutions and Workarounds
>=========================
>
>The recent NetBSD 1.6 release is not vulnerable to this issue.  A full
>upgrade to NetBSD 1.6 is the recommended resolution for all users able
>to do so.  Many security-related improvements have been made, and
>indeed this release has been delayed several times in order to include
>fixes for a number of recent issues.
>
>If you are using ESP with authentication, you must upgrade to avoid
>the vulnerability, as described below for your version of NetBSD:
>
>* NetBSD-current:
>
>         Systems running NetBSD-current dated from before 2002-08-23
>         should be upgraded to NetBSD-current dated 2002-08-23 or later.
>
>         The kernel code needs to be updated from the netbsd-1-6 CVS branch.
>
>         To update from CVS:
>                 # cd src
>                 # cvs update -d -P sys
>
>         See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>         on how you rebuild the kernel.
>
>
>* NetBSD 1.6 betas:
>
>         Systems running NetBSD 1.6 BETAs and Release Candidates should
>         be upgraded to the NetBSD 1.6 release.
>
>         If a source-based point upgrade is required, sources from the
>         NetBSD 1.6 branch dated 2002-08-23 or later should be used.
>
>         The kernel code needs to be updated from the netbsd-1-6 CVS branch.
>
>         To update from CVS:
>                 # cd src
>                 # cvs update -d -P -r netbsd-1-6 sys
>
>         See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>         for instructions on how you rebuild the kernel.
>
>
>* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
>
>         Systems running NetBSD 1.5 branch dated from before 2002-09-05
>         should be upgraded to NetBSD 1.5 tree dated 2002-09-05 or later.
>
>         The kernel code needs to be updated from the netbsd-1-5 CVS branch.
>
>         To update from CVS:
>                 # cd src
>                 # cvs update -d -P -r netbsd-1-5 sys
>
>         See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>         for instructions on how you rebuild the kernel.
>
>
>Thanks To
>=========
>
>Todd Sabin and BindView for analysis and report.
>
>The NetBSD Release Engineering teams, for great patience and
>assistance in dealing with repeated security issues discovered
>recently.
>
>
>Revision History
>================
>
>         2002-10-22      Initial release
>
>
>More Information
>================
>
>An up-to-date PGP signed copy of this release will be maintained at
> 
>ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-016.txt.asc
>
>Information about NetBSD and NetBSD security can be found at
>http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
>
>
>Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.
>
>$NetBSD: NetBSD-SA2002-016.txt,v 1.16 2002/10/22 00:27:56 itojun Exp $
>
>

--------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Sentex Communications,     			  mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike
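
Added illustration, not part of the advisory or of the KAME/NetBSD source: the class of bug the abstract describes, where a very short ESP packet drives a signed length computation negative, shown beside a form that validates the length first. The function names and the 12-byte authentication data size are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

#define ESP_HDR_LEN 8   /* SPI (4 bytes) + sequence number (4 bytes) */
#define ICV_LEN     12  /* assumed size of the ESP authentication data */

/* Unchecked form: the bytes between the ESP header and the trailing
 * authentication data, computed with plain signed arithmetic. For a
 * packet shorter than header + ICV the result is negative; a callee
 * that takes the value as size_t then sees an enormous length. */
static long body_len_unchecked(long esp_len)
{
    return esp_len - ESP_HDR_LEN - ICV_LEN;
}

/* Checked form: refuse any packet that cannot hold the fixed header and
 * the authentication data before subtracting anything. Returns 0 and
 * stores the length in *body on success, -1 if the packet must be
 * dropped. */
static int body_len_checked(size_t esp_len, size_t *body)
{
    if (esp_len < ESP_HDR_LEN + ICV_LEN)
        return -1;
    *body = esp_len - ESP_HDR_LEN - ICV_LEN;
    return 0;
}

int main(void)
{
    /* Constructed sample lengths: too short, exact minimum, ordinary. */
    size_t samples[] = { 10, 20, 100 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t body = 0;
        long raw = body_len_unchecked((long)samples[i]);
        int rc = body_len_checked(samples[i], &body);
        printf("len=%zu unchecked=%ld as size_t=%zu checked=%s",
               samples[i], raw, (size_t)raw, rc ? "drop" : "ok");
        if (rc == 0)
            printf(" body=%zu", body);
        putchar('\n');
    }
    return 0;
}
```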

