IPsec short packet integer overflow
ipsec-packet-integer-overflow (10411)
Description:
Multiple vendor implementations of IPsec are vulnerable to a denial of service attack, caused by an unsigned integer overflow. The affected implementations fail to properly handle very short IPsec packets. A remote attacker could send a specially-crafted IPsec packet to cause the system to crash, and possibly cause a kernel panic on some systems.
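The length arithmetic behind this class of bug, as an added example that is not taken from any affected implementation: a simplified model in which the authenticated span of an ESP packet is its length minus the authentication data, shown unchecked and with the minimum-length check that prevents the wrap. The function names, the 12-byte authentication data size and the sample lengths are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define ESP_HDR_LEN 8u   /* SPI (4 bytes) + sequence number (4 bytes) */
#define ICV_LEN     12u  /* assumed: 96-bit truncated HMAC authentication data */

/* Unchecked form: esp_len is unsigned, so when the packet is shorter than
 * the authentication data the subtraction wraps to a value near SIZE_MAX
 * instead of going negative. Code that then walks that many bytes reads
 * far past the end of the packet buffer. */
size_t auth_span_unchecked(size_t esp_len)
{
    return esp_len - ICV_LEN;
}

/* Checked form: reject anything too short to hold an ESP header plus the
 * authentication data before doing any subtraction.
 * Returns 0 and stores the span on success, -1 if the packet must be dropped. */
int auth_span_checked(size_t esp_len, size_t *span)
{
    if (esp_len < ESP_HDR_LEN + ICV_LEN)
        return -1;
    *span = esp_len - ICV_LEN;
    return 0;
}

int main(void)
{
    /* Constructed ESP lengths: two short packets, the minimum, a normal one. */
    const size_t samples[] = { 4, 19, 20, 52 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t span = 0;
        int rc = auth_span_checked(samples[i], &span);

        printf("esp_len=%zu unchecked_span=%zu ", samples[i],
               auth_span_unchecked(samples[i]));
        if (rc == 0)
            printf("checked_span=%zu\n", span);
        else
            printf("checked=drop\n");
    }
    return 0;
}
```

The 19-byte case does not wrap but is still dropped by the checked form, because it leaves no room for a complete ESP header.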
Platforms Affected:
- Apple, Mac OS X 10.2
- Apple, Mac OS X Server 10.2
- Debian, Debian Linux 3.0
- eSoft, InstaGate
- FreeBSD, FreeBSD 4.0
- FreeBSD, FreeBSD 4.1
- FreeBSD, FreeBSD 4.1.1
- FreeBSD, FreeBSD 4.2
- FreeBSD, FreeBSD 4.3
- FreeBSD, FreeBSD 4.4
- FreeBSD, FreeBSD 4.5
- FreeBSD, FreeBSD 4.6
- FreeBSD, FreeBSD 4.6.1
- FreeBSD, FreeBSD 4.6.2
- Global Technology Associates, GNAT Box prior to 3.3.1
- Internet Initiative Japan, SEIL/neu routers firmware < 1.63
- Linux FreeS/WAN, FreeS/WAN
- NEC, IX1000
- NEC, IX2000
- NetBSD, NetBSD 1.5
- NetBSD, NetBSD 1.5.1
- NetBSD, NetBSD 1.5.2
- NetBSD, NetBSD 1.5.3
- NetBSD, NetBSD 1.6 beta
- Thinking Arts, ES.One 2.2 Beta
- WindRiver, BSDOS 4.2
- WindRiver, BSDOS 4.3
- WindRiver, BSDOS 4.3.1
- WindRiver, BSDOS 5.0
Remedy:
Refer to CERT Vulnerability Note VU#459371 for vendor-specific upgrade or patch information. See References.
For Debian GNU/Linux:
Upgrade to the latest freeswan package, as listed below. Refer to DSA-201-1 for more information. See References.
Debian GNU/Linux 3.0 (woody): 1.96-1.4 or later
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Denial of Service
References:
- BindView RAZOR Security Advisory, October 18, 2002, Denial of Service in IPSEC implementations at http://razor.bindview.com/publish/advisories/adv_ipsec.html.
- FreeBSD Web site, CVS log for src/sys/netinet6/esp_input.c at http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/esp_input.c#rev1.1.2.7.
- NetBSD Security Advisory NetBSD-SA2002-016, Insufficient length check in ESP authentication data at http://archives.neohapsis.com/archives/netbsd/2002-q4/0085.html. (From Neohapsis archive.)
- BID-6011: Multiple Vendor IPSec Implementation Denial of Service Vulnerabilities
- CVE-2002-0666: IPSEC implementations including (1) FreeS/WAN and (2) KAME do not properly calculate the length of authentication data, which allows remote attackers to cause a denial of service (kernel panic) via spoofed, short Encapsulating Security Payload (ESP) packets, which result in integer signedness errors.
- DSA-201: freeswan -- denial of service
- US-CERT VU#459371: Multiple IPsec implementations do not adequately validate authentication data
Reported:
Oct 17, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
