Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2002.589 -- NetBSD Security Advisory 2002-016 Insufficient length check in ESP authentication data 22 October 2002 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IPSec Vendor: NetBSD Operating System: NetBSD-current: source prior to August 23, 2002 NetBSD-1.6 beta: source prior to August 23, 2002 NetBSD-1.5.3 NetBSD-1.5.2 NetBSD-1.5.1 NetBSD-1.5 Impact: Denial of Service Access Required: Remote - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-016 ================================= Topic: Insufficient length check in ESP authentication data Version: NetBSD-current: source prior to August 23, 2002 NetBSD-1.6 beta: source prior to August 23, 2002 NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected NetBSD-1.4.*: not affected (no IPsec shipped with it) Severity: remote denial of service (kernel panic by malicious packet) Fixed: NetBSD-current: August 23, 2002 NetBSD-1.6 branch: August 23, 2002 (1.6 includes the fix) NetBSD-1.5 branch: September 5, 2002 Abstract ======== The KAME-based IPsec implementation included in NetBSD was missing some packet length checks, and could be tricked into passing negative value as buffer length. By transmiting a specially-formed (very short) ESP packet, a malicious sender can cause a cause kernel panic on the victim node. For the attack to be effective the attacker has to have knowledge of the ESP settings being used by the victim node (wiretapping traffic would achieve this). Also victim node has to be configured with certain ESP security-association (SA). The publication of this advisory is delayed to coordinate with third parties. Technical Details ================= http://www.kb.cert.org/vuls/id/459371 Your system is not vulnerable if: - you do not enable IPsec ESP in the kernel (options IPSEC_ESP), or - you do not have IPsec ESP SA with ESP authentication data setting active on your system. However, if you have IPSEC_ESP enabled, we suggest upgrading your kernel to bring in the fix, even if you are not presently using IPSec. Solutions and Workarounds ========================= The recent NetBSD 1.6 release is not vulnerable to this issue. A full upgrade to NetBSD 1.6 is the recommended resolution for all users able to do so. Many security-related improvements have been made, and indeed this release has been delayed several times in order to include fixes for a number of recent issues. If you are using ESP with authentication, you must upgrade to avoid the vulnerability, as described below for your version of NetBSD: * NetBSD-current: Systems running NetBSD-current dated from before 2002-08-23 should be upgraded to NetBSD-current dated 2002-08-23 or later. The kernel code needs to be updated from the netbsd-1-6 CVS branch. To update from CVS: # cd src # cvs update -d -P sys See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel on how you rebuild the kernel. * NetBSD 1.6 betas: Systems running NetBSD 1.6 BETAs and Release Candidates should be upgraded to the NetBSD 1.6 release. If a source-based point upgrade is required, sources from the NetBSD 1.6 branch dated 2002-08-23 or later should be used. The kernel code needs to be updated from the netbsd-1-6 CVS branch. To update from CVS: # cd src # cvs update -d -P -r netbsd-1-6 sys See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel for instructions on how you rebuild the kernel. * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3: Systems running NetBSD 1.5 branch dated from before 2002-09-05 should be upgraded to NetBSD 1.5 tree dated 2002-09-05 or later. The kernel code needs to be updated from the netbsd-1-5 CVS branch. To update from CVS: # cd src # cvs update -d -P -r netbsd-1-5 sys See http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel for instructions on how you rebuild the kernel. Thanks To ========= Todd Sabin and BindView for analysis and report. The NetBSD Release Engineering teams, for great patience and assistance in dealing with repeated security issues discovered recently. Revision History ================ 2002-10-22 Initial release More Information ================ An up-to-date PGP signed copy of this release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-016.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-016.txt,v 1.16 2002/10/22 00:27:56 itojun Exp $ - -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBPbSbdD5Ru2/4N2IFAQGFwAQAlHyFjYgN3FMHu+V9SGRZVgVpUWgVYDHJ UWBKb/wNECmFHQ+pXNFmXfnV7Ly7OZCsiUiKVRHgkWqNH9r75WyAwmK7nEoPXAn8 w1fe7dVqpiuKL/uyDe3T/oWKGIbbGk7iU624TeJrB99aj6el2rB/jOdzu4LVIgRm 5rQdRYKniWM= =cNIB - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to firstname.lastname@example.org and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBPbVWXyh9+71yA2DNAQFNOQP8C8I5a7LMn8x7+b948oGCq2Gte88aFBUF ehCwLAFOaLLBRjpKpJk9O+EHeTPJ/tTDrvGkD32vBIa3z0qFzW6bneKRSQbKXCo3 7y5dSQBeYDySoTHcBcZeeUFf8zTgsD5Yx47hG+14LuXc/7jmABcjUlkF5UdgMPEi slWJmYnJYX0= =aX2Q -----END PGP SIGNATURE-----