[UNIX] OpenBSD isakmpd Payload Handling DoS


Date: 24 Mar 2004 12:04:24 +0200
From: SecuriTeam <support@securiteam.com>
To: list@securiteam.com
Subject: [UNIX] OpenBSD isakmpd Payload Handling DoS

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  OpenBSD isakmpd Payload Handling DoS
------------------------------------------------------------------------


SUMMARY

The ISAKMP packet processing functions in OpenBSD's isakmpd daemon contain 
multiple payload handling flaws that allow a remote attacker to launch a 
denial of service attack against the daemon.

Carefully crafted ISAKMP packets will cause the isakmpd daemon to attempt 
out-of-bounds reads, exhaust available memory, or loop endlessly 
(consuming 100% of the CPU).

DETAILS

Affected system(s):
 * OpenBSD 3.4 and earlier
 * OpenBSD-current as of March 17, 2004

Detailed analysis:
To test the security and robustness of IPSEC implementations from multiple 
vendors, the security research team at Rapid7 has designed the Striker 
ISAKMP Protocol Test Suite. Striker is an ISAKMP packet generation tool 
that automatically produces and sends invalid and/or atypical ISAKMP 
packets.

This advisory is the first in a series of vulnerability disclosures 
discovered with the Striker test suite. 

OpenBSD's isakmpd daemon performs insufficient validation on payload 
lengths and payload field lengths before attempting to read the fields. 
This results in out-of-bounds reads in several cases.

Denial of service by 0-length ISAKMP payload
CVE Information:
CAN-2004-0218: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0218

An ISAKMP packet with a malformed payload having a self-reported payload 
length of zero will cause isakmpd to enter an infinite loop, parsing the 
same payload over and over again.

This issue is similar to CAN-2003-0989, which affected TCPDUMP.

Denial of service by various malformed ISAKMP IPSEC SA payloads
CVE Information:
CAN-2004-0219: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0219

An ISAKMP packet with a malformed IPSEC SA payload will cause isakmpd to 
read out of bounds and crash.

Denial of service by malformed ISAKMP Cert Request payload
CVE Information:
CAN-2004-0220: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0220

An ISAKMP packet with a malformed Cert Request payload will cause an 
integer underflow, resulting in a failed malloc of a huge amount of 
memory.
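The two length checks that the zero-length payload loop above and the Cert Request underflow call for, as an added illustration written for this page (it is not isakmpd's or Rapid7's code): a payload-chain walker that rejects any self-reported length below the generic header size or beyond the packet, and a Cert Request body-length computation that cannot wrap. The sample packets are constructed from the RFC 2408 layout.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not isakmpd's code. RFC 2408: a 28-byte ISAKMP header (next
 * payload type at byte 16), then a chain of payloads each starting with a generic
 * header: next payload (1), reserved (1), payload length (2, big-endian). */
#define ISAKMP_HDR_SZ 28
#define ISAKMP_GEN_SZ 4
/* Constructed samples: zeroed 28-byte header, then two payloads. */
static const uint8_t good_pkt[42] = {
    [16] = 1, [28] = 4, [31] = 0x08,      /* payload 1: next=4, length 8 */
    [36] = 0, [39] = 0x06 };              /* payload 2: next=0 (end), length 6 */
static const uint8_t zero_len_pkt[42] = {
    [16] = 1, [28] = 4, [31] = 0x00,      /* length 0: cursor never advances */
    [36] = 0, [39] = 0x06 };
static const uint8_t oversize_pkt[42] = {
    [16] = 1, [28] = 4, [31] = 0x08,
    [36] = 0, [38] = 0x01, [39] = 0x00 }; /* length 256 > 6 bytes remaining */

/* Walk the payload chain; return the payload count, or -1 when a self-reported
 * length is below the generic header size (including 0) or past the buffer. */
int isakmp_count_payloads(const uint8_t *buf, size_t len)
{
    size_t off = ISAKMP_HDR_SZ;
    int count = 0;
    uint8_t next;
    if (len < ISAKMP_HDR_SZ)
        return -1;
    next = buf[16];
    while (next != 0) {
        if (len - off < ISAKMP_GEN_SZ)
            return -1;                    /* no room for a generic header */
        uint16_t plen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        if (plen < ISAKMP_GEN_SZ || plen > len - off)
            return -1;                    /* would loop forever or read out of bounds */
        next = buf[off];
        off += plen;
        count++;
    }
    return count;
}

/* Cert Request payload: generic header plus a 1-byte certificate type, then the
 * CA field. Reject lengths below 5 instead of letting the subtraction wrap. */
long isakmp_certreq_ca_len(uint16_t plen)
{
    if (plen < ISAKMP_GEN_SZ + 1)
        return -1;
    return (long)plen - (ISAKMP_GEN_SZ + 1);
}
```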

Denial of service by malformed ISAKMP Delete payload
CVE Information:
CAN-2004-0221: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0221

An ISAKMP packet with a malformed delete payload having a large number of 
SPIs will cause isakmpd to read out of bounds and crash.

Denial of service by various memory leaks
CVE Information:
CAN-2004-0222: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0222

Various memory leaks in packet processing can be triggered by a remote 
attacker until all available memory is exhausted, resulting in eventual 
termination of the daemon.

Vendor status and information:
OpenBSD has been notified of the issues and has provided source code 
patches to fix the problems for -current, 3.4-stable, and 3.3-stable. See 
http://www.openbsd.org/errata.html for more information.

The isakmpd daemon in the upcoming OpenBSD 3.5 release will be 
privilege-separated, which greatly lessens the risk of any future 
vulnerabilities that may be found.

Solution:
Update and rebuild the isakmpd daemon:

cd /usr/src/sbin/isakmpd
cvs update -dP
make clean && make obj && make && sudo make install

You can also apply the appropriate patches from 
http://www.openbsd.org/errata.html instead of using CVS.


ADDITIONAL INFORMATION

The information has been provided by Rapid7, Inc. Security Advisory.

The original article can be found at: 
http://www.rapid7.com/advisories/R7-0018.html
