|
|
Info |
Last Modified |
| 7 months ago |
|
|
|
|
Description |
Implementations of IPSec derived from KAME contain a flaw that may allow a malicious user to spoof IPv4 packets through a security gateway and have them appear authenticated. The issue is triggered when the security gateway is configured to require encapsulating service payload (ESP). The gateway fails to check its security policy database. It is possible that the flaw may allow spoofed or non-encapsulated packets through, resulting in a loss of confidentiality and/or integrity.
|
|
Classification |
Location:
Local Access Required,
Remote/Network Access Required
Attack Type:
Misconfiguration
Impact:
Loss of Confidentiality,
Loss of Integrity
Exploit:
Exploit Available
Disclosure:
OSVDB Verified
|
|
Technical |
Affected IPSec implementations fail to perform inbound policy checks against the security policy database on packets which are forwarded in violation of RFC2401, sections 4.4.1 and 5.2.1 (steps 3 and 4). The erroneous code, found in src/sys/netinet/ip_input.c from the call to ip_forward(), would allow an attacker to inject packets that should be disallowed by a properly implemented security policy, but will not allow the attacker to receive packets improperly since the failed check is only inbound.
|
|
Solution |
Upgrade to an appropriate version of the software -- KAME 1.2088 (1.37 for NetBSD, 1.33 for FreeBSD-4, 1.33), NetBSD -current (1.145) and 1.5-stable (1.114.4.8), or FreeBSD -current (1.192) and -stable (1.130.2.35), or higher, as this has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patches and recompiling.
|
|
Products |
|
FreeBSD
 |
4.3-RELEASE |
4.4-RELEASE |
4.5-RELEASE |
4.2-RELEASE |
|
NetBSD
|
1.5 |
1.5.1 |
1.5.2 |
|
KAME
|
1.2087 |
|
|
|
|
Credit |
- Greg Troxel - gdt
 ir.bbn.com -
- Bill Chiarchiaro - wjcwork.cleartech.com -
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
