OpenBSD isakmpd contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the Internet Key Exchange (IKE) daemon does not apply payload encryption and the initiator itself also does not apply payload encryption during a Phase 2 exchange, also known as a Quick Mode exchange. This will disclose encryption keys resulting in a loss of confidentiality.

Upgrade to version 3.5 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: download message.c version 1.62 or higher from the OpenBSD CVS repository and rebuild isakmpd.

• Secunia Advisory ID: 10168
• ISS X-Force ID: 13625
• Related OSVDB ID: 2845 7258 7259
• Bugtraq ID: 8964
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-11/0007.html
• Vendor Specific Solution URL: http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/message.c.diff?r1=1.60&r2=1.61&f=h
  http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/message.c.diff?r1=1.61&r2=1.62&f=h

• Thomas Walpuski - thomasthinknerd.de -

NVD does not currently have a CVSSv2 score assigned.