-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                 ESB-2001.099 -- OpenBSD Security Advisory
                    Buffer overrun in IPSEC AH handling
                               5 March 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                IPSEC
Vendor:                 OpenBSD
Impact:                 Denial of Service
                        Root Compromise
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- ----------------------------------------------------------------------------

			OpenBSD Security Advisory

			      March 2, 2001

		   Buffer overrun in IPSEC AH handling

- ----------------------------------------------------------------------------

SYNOPSIS

Due to insufficient checks in the IPSEC Authentication Header (AH) IPv4 option
handling, a buffer overrun is possible if an AH packet is sent with a
truncated IPv4 option. This can lead to a remote denial of service and
possibly to a remote root compromise.

For a system to be vulnerable, an administrator must have enabled the
net.inet.ah.enable sysctl(8) value.

A fix for this problem was committed on February 20, 2001.
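
As an added example that is not part of the OpenBSD advisory or of the patch
that follows, the C program below models the IPv4 option walk described above.
walk_ipv4_options() reproduces the pre-fix logic (the length byte is read
unconditionally and only a zero length is rejected) and the patched logic (the
length byte must lie inside the header and the length must be at least 2), and
it additionally bounds the declared length against the header length, a check
the quoted hunks do not show. The three sample headers are constructed for the
example; rd(), check_header() and overreads() are the example's own helpers,
not kernel functions, and a read past the end of the buffer is recorded rather
than performed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 option codes used in the advisory's switch (values as in <netinet/ip.h>). */
#define IPOPT_EOL   0
#define IPOPT_NOP   1
#define IPOPT_RR    7
#define IPOPT_LSRR  131
#define IPHDR_MIN   20   /* sizeof(struct ip); options start at this offset */

struct walk_result {
    int    rc;        /* 0 = header accepted, EINVAL = packet would be dropped */
    size_t max_read;  /* highest offset the walker read, to expose over-reads */
};

/* Every byte access goes through this helper (not kernel code) so that a read
 * past the end of the buffer is recorded instead of being undefined behaviour. */
static uint8_t rd(const uint8_t *p, size_t buflen, size_t off, size_t *max_read)
{
    if (off > *max_read)
        *max_read = off;
    return off < buflen ? p[off] : 0;
}

/* Walk the options of an IPv4 header of skip bytes (ip_hl * 4), mirroring the
 * loop in ah_massage_headers().  patched == 0 follows the advisory's "-" lines;
 * patched != 0 applies the patch's two checks plus one extra check, not shown
 * in the quoted hunks: the declared length must not run past the header. */
struct walk_result walk_ipv4_options(const uint8_t *p, size_t buflen,
                                     size_t skip, int patched)
{
    struct walk_result r = { 0, 0 };
    size_t off = IPHDR_MIN;

    while (off < skip) {
        uint8_t opt = rd(p, buflen, off, &r.max_read);
        uint8_t len;

        if (opt == IPOPT_EOL)
            break;
        if (opt == IPOPT_NOP) {
            off++;
            continue;
        }
        if (patched && off + 1 >= skip) {        /* truncated: no length byte */
            r.rc = EINVAL;
            return r;
        }
        len = rd(p, buflen, off + 1, &r.max_read);
        if (patched ? (len < 2) : (len == 0)) {  /* "< 2" replaces "== 0" */
            r.rc = EINVAL;
            return r;
        }
        if (patched && off + len > skip) {       /* body would leave the header */
            r.rc = EINVAL;
            return r;
        }
        off += len;
    }
    return r;
}

/* Constructed sample headers: byte 0 is version 4 / IHL 6 (24 bytes), the other
 * fixed fields are left zero, and the options occupy bytes 20-23. */
static const uint8_t HDR_TRUNCATED[24] = { [0] = 0x46, [20] = IPOPT_NOP, IPOPT_NOP, IPOPT_NOP, IPOPT_RR };
static const uint8_t HDR_LEN_ONE[24]   = { [0] = 0x46, [20] = IPOPT_NOP, IPOPT_RR, 1, IPOPT_EOL };
static const uint8_t HDR_OVERSIZE[24]  = { [0] = 0x46, [20] = IPOPT_LSRR, 39, 4, IPOPT_EOL };

/* Run the walker on a header, taking skip from its IHL field. */
struct walk_result check_header(const uint8_t *hdr, size_t buflen, int patched)
{
    size_t skip = (size_t)(hdr[0] & 0x0f) * 4;
    return walk_ipv4_options(hdr, buflen, skip, patched);
}

/* 1 if the walk touched a byte at or beyond the end of the header buffer. */
int overreads(const uint8_t *hdr, size_t buflen, int patched)
{
    return check_header(hdr, buflen, patched).max_read >= buflen;
}

int main(void)
{
    const char *names[] = { "truncated option", "length-1 option", "oversized option" };
    const uint8_t *hdrs[] = { HDR_TRUNCATED, HDR_LEN_ONE, HDR_OVERSIZE };
    int i, patched;

    for (i = 0; i < 3; i++)
        for (patched = 0; patched <= 1; patched++) {
            struct walk_result r = check_header(hdrs[i], 24, patched);
            printf("%-16s %s: rc=%d max_read=%zu%s\n", names[i],
                   patched ? "patched  " : "unpatched", r.rc, r.max_read,
                   r.max_read >= 24 ? "  <-- read past end of header" : "");
        }
    return 0;
}
```

Built with a C99 compiler, the unpatched walk of HDR_TRUNCATED reports
max_read=24: it fetched a length byte from beyond the 24-byte header, which in
the kernel is whatever follows the IP header in the mbuf. HDR_LEN_ONE is
accepted by the old "== 0" test and rejected by the new "< 2" test, and
HDR_OVERSIZE shows why a bound against skip is worth adding: an LSRR option
claiming 39 bytes in a 4-byte option region passes both checks shown in the
quoted hunks.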

- ----------------------------------------------------------------------------

AFFECTED SYSTEMS

This vulnerability affects OpenBSD versions through 2.8.

- ----------------------------------------------------------------------------

RESOLUTION

OpenBSD does not ship with IPSEC AH handling enabled by default. Check whether
it is enabled on your system with:

	# sysctl net.inet.ah.enable

If it is, disable it until a patched kernel is running by entering the command:

	# sysctl -w net.inet.ah.enable=0

This takes effect immediately but does not survive a reboot; also remove or
comment out any net.inet.ah.enable=1 line in /etc/sysctl.conf.

Then, apply the fix below to your OpenBSD 2.8 source tree. The patch is also
available at http://www.openbsd.org/errata.html (023).

- ----------------------------------------------------------------------------

CREDITS

This vulnerability was first reported and fixed by Jun-ichiro itojun Hagino
(itojun@openbsd.org). This patch has also been applied to the stable branch.

- ----------------------------------------------------------------------------

REFERENCES

Security and errata,

	http://www.openbsd.org/security.html
	http://www.openbsd.org/errata.html

- ----------------------------------------------------------------------------

OPENBSD 2.8 PATCH

Apply by doing
	cd /usr/src
	patch -p0 <023_ip_ah.patch
And then rebuild your kernel.

Index: sys/netinet/ip_ah.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ah.c,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -r1.45 -r1.46
- --- sys/netinet/ip_ah.c	2000/11/17 04:15:42	1.45
+++ sys/netinet/ip_ah.c	2001/02/20 06:48:06	1.46
@@ -253,6 +253,17 @@
 	    /* IPv4 option processing */
 	    for (off = sizeof(struct ip); off < skip;)
 	    {
+		if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP ||
+		    off + 1 < skip)
+		    ;
+		else
+		{
+		    DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d
", ptr[off]));
+		    ahstat.ahs_hdrops++;
+		    m_freem(m);
+		    return EINVAL;
+		}
+			   
 		switch (ptr[off])
 		{
 		    case IPOPT_EOL:
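Review bot: the new guard is written as an inverted condition with an empty then-branch (`if (... || off + 1 < skip) ;` followed by `else`), which is easy to misread; state the failure directly, e.g. `if (ptr[off] != IPOPT_EOL && ptr[off] != IPOPT_NOP && off + 1 >= skip)`, and have the DPRINTF say the option is truncated rather than "illegal IPv4 option length", since at this point the length byte has not been read (off + 1 >= skip means it lies outside the header). Note also that the guard only makes ptr[off + 1] safe to read; it does not bound the declared length against skip, and whether off + ptr[off + 1] <= skip is enforced before the option body is consumed is not visible in this hunk and should be confirmed.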
@@ -268,10 +279,10 @@
 		    case 0x86:	/* Commercial security */
 		    case 0x94:	/* Router alert */
 		    case 0x95:	/* RFC1770 */
- -			/* Sanity check for zero-length options */
- -			if (ptr[off + 1] == 0)
+			/* Sanity check for option length */
+			if (ptr[off + 1] < 2)
 			{
- -			    DPRINTF(("ah_massage_headers(): illegal zero-length IPv4 option %d
", ptr[off]));
+			    DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d
", ptr[off]));
 			    ahstat.ahs_hdrops++;
 			    m_freem(m);
 			    return EINVAL;
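Review bot: the "< 2" test is the right one (every option other than EOL and NOP carries a length byte, and a length of 1 would make the loop reinterpret the length byte as the next option code), but it now appears three times in this switch (here, in the LSRR/SSRR case and in the default case). Since the guard added ahead of the switch already singles out the non-EOL/NOP options, `ptr[off + 1] < 2` could be folded into it and the per-case copies removed.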
@@ -282,6 +293,15 @@
 
 		    case IPOPT_LSRR:
 		    case IPOPT_SSRR:
+			/* Sanity check for option length */
+			if (ptr[off + 1] < 2)
+			{
+			    DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d
", ptr[off]));
+			    ahstat.ahs_hdrops++;
+			    m_freem(m);
+			    return EINVAL;
+			}
+
 			/*
 			 * On output, if we have either of the source routing
 			 * options, we should swap the destination address of
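Review bot: a length of 2 passes this check but leaves no option body, while the comment below describes swapping the destination address with an address taken from the source route, which requires reading past ptr[off + 1]; before the swap code dereferences the pointer byte or the address list, check that the option is long enough for a source route (at least 3 bytes for the pointer, plus 4 per address) and that off + ptr[off + 1] does not exceed skip. The `ahstat.ahs_hdrops++; m_freem(m); return EINVAL;` sequence is repeated for a third time here; a single error label would make the drop path easier to audit.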
@@ -296,10 +316,10 @@
 
 			/* Fall through */
 		    default:
- -			/* Sanity check for zero-length options */
- -			if (ptr[off + 1] == 0)
+			/* Sanity check for option length */
+			if (ptr[off + 1] < 2)
 			{
- -			    DPRINTF(("ah_massage_headers(): illegal zero-length IPv4 option %d
", ptr[off]));
+			    DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d
", ptr[off]));
 			    ahstat.ahs_hdrops++;
 			    m_freem(m);
 			    return EINVAL;
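Review bot: the LSRR/SSRR case falls through into this default case (see the `/* Fall through */` above), so after the previous hunk a source-routing option is now length-checked twice, once in its own case and again here. The duplicate cannot simply be dropped, because the source-route swap sits between the two checks and must be guarded before it runs; the cleaner fix is to move the `ptr[off + 1] < 2` check ahead of the switch, next to the off + 1 < skip guard, and delete all three per-case copies. Also, the message prints only the option code; including ptr[off + 1] would make a dropped packet easier to diagnose from the DPRINTF output.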


- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOqO/Bih9+71yA2DNAQEXVwP+LscYcbeb++WnSqAyDTlarByL1KAxunrE
Jzy+6kX8UUhvehUn93TlXMCny1LaWynzruY4HlUGX9i1A6ou8/4mpf4fXo0Ira6G
m1gg91YwzrbCi8LRxD68vP4PH8fNqem0VJYy4xWiE/q5iCtENf5p1h0peqmp5S07
fUP7OrU6Ba4=
=TVeM
-----END PGP SIGNATURE-----