KAME forged packet forwarding

kame-forged-packet-forwarding (8416) The risk level is classified as LowLow Risk


The KAME implementation in some BSD distributions does not perform inbound policy checks on forwarded packets, which could allow a remote attacker to pass unauthorized traffic out of the network. If a peer gateway is using Encapsulating Security Payload (ESP) and the Security Gateway (SG) is not using ESP, the attacker can send forged packets to any host using the SG.


Bypass Security


Apply the appropriate patch for your system included in BugTraq Mailing List posting dated Mar 4 2002 10:30AM. See References.


  • BugTraq Mailing List, Mon Mar 04 2002 - 10:30:18 CST: BSD: IPv4 forwarding doesn't consult inbound SPD in KAME-derived IPsec.
  • KAME Project Web site: CVS log for kame/CHANGELOG. (Under the Mon Feb 25 2:00:06 2002 entry, vendor states "enforce ipsec policy checking on forwarding case" and credits the BugTraq poster.)
  • BID-4224: Kame-Derived Stack Non-ESP IPV4 Forwarded Packets Policy Bypassing Vulnerability
  • CVE-2002-0414: KAME-derived implementations of IPsec on NetBSD 1.5.2, FreeBSD 4.5, and other operating systems, does not properly consult the Security Policy Database (SPD), which could cause a Security Gateway (SG) that does not use Encapsulating Security Payload (ESP) to forward forged IPv4 packets.
  • OSVDB ID: 5304: KAME-derived IPsec Forged IPv4 Packet Forwarding

Platforms Affected:

  • FreeBSD FreeBSD 4.5
  • NetBSD NetBSD 1.5.2


Mar 04, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page