Multiple vendor IKE response handling buffer overflow

ike-response-bo (9850). The risk level is classified as High Risk.

Description:

Network Associates PGP Freeware, NetScreen Technologies' NetScreen-Remote, and possibly other vendor Internet Key Exchange (IKE) implementations are vulnerable to several buffer overflows in the handling of IKE packets. By sending a malformed IKE response to an affected system, a remote attacker could overflow a buffer and cause the system to crash or possibly execute code on the system with the same privileges as the IKE service.

Platforms Affected:

  • FreeBSD, FreeBSD Ports Collection
  • Juniper, NetScreen Remote Security Client 8.0
  • Juniper, NetScreen Remote VPN Client 8.0
  • OpenBSD, OpenBSD 3.1
  • PGP, Freeware 7.0.3
  • SafeNet, SoftRemote prior to 9.0

Remedy:

Refer to CERT Vulnerability Note VU#287771 for vendor-specific upgrade or patch information. See References.

For FreeBSD Ports Collection:
Upgrade to the latest ports collection, as listed in FreeBSD Security Notice FreeBSD-SN-02:05. See References.

For OpenBSD 3.1:
Apply the patch for this vulnerability, as listed in OpenBSD 010: RELIABILITY FIX: July 5, 2002. See References.

For NetScreen-Remote 8.0 and earlier:
Upgrade to the latest version of NetScreen-Remote (8.1 or later) when it becomes available from the NetScreen Web site. See References.

Consequences:

Gain Access

References:

  • FreeBSD Security Notice FreeBSD-SN-02:05, security issues in ports at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:05.asc.
  • NetScreen Web site, NetScreen | High performance firewall, VPN, and traffic shaping. ASIC-based internet security a at http://www.netscreen.com/main.html.
  • OpenBSD 3.1 errata, 010: RELIABILITY FIX: July 5, 2002 at http://www.openbsd.org/errata.html#isakmpd.
  • BID-5449: PGPFreeware Malformed IKE Response Packet Buffer Overflow Vulnerability
  • BID-5668: Netscreen-Remote VPN Client IKE Packet Excessive Payloads Vulnerability
  • CVE-2002-2222: isakmpd/message.c in isakmpd in FreeBSD before isakmpd-20020403_1, and in OpenBSD 3.1, allows remote attackers to cause a denial of service (crash) by sending Internet Key Exchange (IKE) payloads out of sequence.
  • CVE-2002-2223: Buffer overflow in NetScreen-Remote 8.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Internet Key Exchange (IKE) response packets, possibly including (1) a large Security Parameter Index (SPI) field, (2) large number of payloads, or (3) a long payload.
  • CVE-2002-2224: Buffer overflow in PGPFreeware 7.03 running on Windows NT 4.0 SP6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Internet Key Exchange (IKE) response packets, possibly including (1) a large Security Parameter Index (SPI) field, (2) large number of payloads, or (3) a long payload.
  • CVE-2002-2225: SafeNet VPN client allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Internet Key Exchange (IKE) response packets, possibly involving buffer overflows using (1) a large Security Parameter Index (SPI) field, (2) a large number of payloads, or (3) a long payload.
  • CVE-2003-1320: SonicWALL firmware before 6.4.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Internet Key Exchange (IKE) response packets, possibly including (1) a large Security Parameter Index (SPI) field, (2) a large number of payloads, or (3) a long payload.
  • US-CERT VU#287771: Multiple vendors' Internet Key Exchange (IKE) implementations do not properly handle IKE response packets
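
The CVE entries above name three malformed-field cases: an oversized SPI field, a large number of payloads, and a long payload. The following is an added example, not code from any of the affected products or from this database, of how a receiver can reject all three before any payload is copied. It uses the ISAKMP header and Notification payload layout from RFC 2408; the function name, the return codes and the two `MAX_*` caps are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define ISAKMP_HDR_LEN  28u  /* fixed ISAKMP header (RFC 2408) */
#define GENERIC_HDR_LEN 4u   /* next payload, reserved, 16-bit length */
#define NOTIFY_FIXED    12u  /* generic hdr + DOI + proto + SPI size + type */
#define PAYLOAD_NOTIFY  11u  /* Notification payload type */
#define MAX_PAYLOADS    32   /* assumed local policy cap */
#define MAX_SPI_LEN     16u  /* assumed local policy cap */

enum { IKE_TRUNCATED = -1, IKE_BAD_TOTAL = -2, IKE_TOO_MANY = -3,
       IKE_BAD_PAYLOAD_LEN = -4, IKE_BAD_SPI = -5 };

static uint32_t be16(const uint8_t *p) { return (uint32_t)p[0] << 8 | p[1]; }
static uint32_t be32(const uint8_t *p) { return be16(p) << 16 | be16(p + 2); }

/* Walk the payload chain of one received datagram without copying anything.
 * Returns the payload count (>= 0) or a negative IKE_* rejection code. */
int ike_validate(const uint8_t *pkt, size_t len)
{
    if (len < ISAKMP_HDR_LEN) return IKE_TRUNCATED;
    uint32_t total = be32(pkt + 24);          /* header's own length claim */
    if (total < ISAKMP_HDR_LEN || total > len) return IKE_BAD_TOTAL;

    uint8_t next = pkt[16];                   /* type of the first payload */
    uint32_t off = ISAKMP_HDR_LEN;            /* invariant: off <= total */
    int count = 0;
    while (next != 0) {
        if (++count > MAX_PAYLOADS) return IKE_TOO_MANY;
        if (total - off < GENERIC_HDR_LEN) return IKE_TRUNCATED;
        uint32_t plen = be16(pkt + off + 2);
        /* The length must cover its own header (so the loop advances)
         * and must not run past the end of the message. */
        if (plen < GENERIC_HDR_LEN || plen > total - off) return IKE_BAD_PAYLOAD_LEN;
        if (next == PAYLOAD_NOTIFY) {
            if (plen < NOTIFY_FIXED) return IKE_BAD_PAYLOAD_LEN;
            uint32_t spi_size = pkt[off + 9];
            /* Sender-supplied SPI size: bound it by policy and by what the
             * payload really contains before any later copy uses it. */
            if (spi_size > MAX_SPI_LEN || spi_size > plen - NOTIFY_FIXED) return IKE_BAD_SPI;
        }
        next = pkt[off];                      /* type of the following payload */
        off += plen;
    }
    return count;
}
```

Proposal payloads nested inside an SA payload carry their own SPI size field and need the same bound applied when the SA body is parsed.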

Reported:

Aug 12, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
