Subject: NetBSD Security Advisory 2002-003: IPv4 forwarding doesn't consult inbound SPD
To: None <netbsd-announce@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: netbsd-announce
Date: 03/12/2002 14:02:33
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-003
=================================
Topic: IPv4 forwarding doesn't consult inbound SPD
Version: NetBSD-current: source prior to Feb 26, 2002
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: not affected
NetBSD-1.4.*: not affected (no IPsec support)
Severity: packets mistakenly go through VPN gateway
Fixed: NetBSD-current: Feb 26, 2002
NetBSD-1.5 branch: Feb 26, 2002 (1.5.3 will include the fix)
Abstract
========
There was a bug in the IPv4 forwarding path, and the inbound SPD
(security policy database) was not consulted on forwarding. As a
result, NetBSD routers configured to be a VPN gateway failed to reject
unencrypted packets.
The problem affects NetBSD systems with the following configuration only:
- - an IPv4 router (forwards IPv4 packet, net.inet.ip.forwarding=1)
- - configured as VPN gateway (has tunnel-mode IPsec policy)
Technical Details
=================
http://online.securityfocus.com/archive/1/259598
Solutions and Workarounds
=========================
If your system is affected, you must upgrade your kernel (/netbsd).
The following instructions describe how to upgrade your kernel
by updating your source tree and rebuilding and installing a new version.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-02-25
should be upgraded to NetBSD-current dated 2002-02-26 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
sys/netinet/ip_input.c
To update from CVS, re-build, re-install the kernel and reboot:
% cd src
% cvs update -d -P sys/netinet
Then build and install a new kernel. If you are not familiar
with this process, documentation is available at:
http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
* NetBSD 1.5.1, 1.5.2:
Systems running NetBSD 1.5.1 or 1.5.2 sources dated from
before 2002-02-25 should be upgraded from NetBSD 1.5.*
sources dated 2002-02-26 or later.
NetBSD 1.5 is not vulnerable. NetBSD 1.5.3 will include the fix.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
sys/netinet/ip_input.c
To update from CVS, re-build, re-install the kernel, and reboot:
% cd src
% cvs update -d -P sys/netinet
Alternatively, apply the following patch (with potential offset
differences):
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-003-SPD-1.5.patch
To patch:
# cd src
# patch < /path/to/SA2002-003-SPD-1.5.patch
Then build and install a new kernel. If you are not familiar
with this process, documentation is available at:
http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
Thanks To
=========
Greg Troxel and Bill Chiarchiaro
Jun-ichiro itojun Hagino for patches, and preparing advisory text.
Revision History
================
2002-03-11 Initial release
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-003.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-003.txt,v 1.5 2002/03/12 16:49:16 david Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPI4yFD5Ru2/4N2IFAQGd6gP/VrivjrjqlvdAratqXGfv4TDRGHjnYzbh
Giptuvn6TiEI/pLx4n9f5zd8BHr+1qITVlm9WNJkHTbnw+nLCQQAGR6Hwv/LwIX2
16Eb+ogWQnRPm8CyF/YzZyFzMMYKAWnI8ZMYVg2yXjNzbA8xtEcJL1vOxpCZYM9/
bJ/EpJ6V6F0=
=4VSK
-----END PGP SIGNATURE-----