netbsd-announce: NetBSD Security Advisory 2005-007: AES-XCBC-MAC (IPsec AH) calculated using fixed key

Subject: NetBSD Security Advisory 2005-007: AES-XCBC-MAC (IPsec AH) calculated using fixed key
To: None <netbsd-announce@netbsd.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: netbsd-announce
Date: 11/08/2005 09:57:46
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2005-007
		 =================================

Topic:		AES-XCBC-MAC (IPsec AH) calculated using fixed key

Version:	NetBSD-current:	source prior to July 28, 2005
		NetBSD 2.1:	not affected
		NetBSD 2.0.3:	not affected
		NetBSD 2.0.2:	affected
		NetBSD 2.0:	affected
		NetBSD 1.6.*:	unaffected

Severity:	Affected SAs lack integrity protection so an attacker
		can forge data and have it be wrongly accepted

Fixed:		NetBSD-current:		July 28, 2005
		NetBSD-3 branch:	July 28, 2005
						(3.0 will include the fix)
		NetBSD-2.0 branch:	July 28, 2005 
						(2.0.3 includes the fix)
		NetBSD-2 branch:	July 28, 2005
						(2.1 includes the fix)


Abstract
========

Machines using IPsec [RFC2401] with AH and AES-XCBC-MAC algorithm
[RFC3566] incorrectly used a fixed key instead of the provided one.
Because a known key is used, affected Security Associations lack
integrity and data origin authentication protection, and an attacker
could send forged packets which would be accepted by the receiver.


Technical Details
=================

An error in the implementation of the AES-XCBC-MAC algorithm, used by
IPsec SAs for authentication, did not encrypt r_k1s in
ah_aes_xcbc_mac_init(), and only seeded it with the constant in
k1seed.

r_k1s was later passed as the encryption key to rijndaelEncrypt() by
ah_aes_xcbc_mac_loop() and ah_aes_xcbc_mac_result(), causing them to
use the same encryption key for authentication, without using the
key (set by the admin) passed from userland.

Because of this error, a receiving system using AH with AES-XCBC-MAC
checks an IPsec datagram with a fixed and known key.  An attacker
could create a forged packet with a valid Integrity Check Value,
causing the receiver to accept the packet.  Also, systems with this
bug would not interoperate with systems with the correct key.

If AH with AES-XCBC-MAC is used without confidentiality protection
(e.g. ESP [RFC2406]), an attacker can trivially cause data of his
choice to be received and processed.  With confidentiality protection,
causing particular data to be processed is harder, but note that in
general confidentiality mechanisms do not provide effective integrity
protection.


Solutions and Workarounds
=========================

A workaround is to not use the AES-XCBC-MAC algorithm for authentication,
but it is highly recommended that any users of affected NetBSD versions
upgrade their kernel.

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version of
the kernel.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2005-07-28
	should be upgraded to NetBSD-current dated 2005-07-29 or later.
	(Systems built from the netbsd-3 branch should be upgraded to
	2005-07-29 or later.)

	The following files need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		src/sys/netinet6/ah_aesxcbcmac.c

	To update from CVS, re-build, and re-install the kernel:
		# cd src
		# cvs update -d -P sys/netinet6/ah_aesxcbcmac.c
		# ./build.sh kernel=GENERIC
		# mv /netbsd /netbsd.old
		# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
		# shutdown -r now


* NetBSD 2.x:

	Systems built from source along the netbsd-2 or netbsd-2-0 branches
	dated from before 2005-07-28 should be upgraded from sources dated
	2005-07-29 or later. This includes the binary distributions of
	NetBSD 2.0 and NetBSD 2.0.2.

	NetBSD 2.1 includes the fix.

	The following files should be updated from CVS:
		src/sys/netinet6/ah_aesxcbcmac.c

	To update from CVS, verify that your sources are from the correct
	branch, re-build, and re-install the kernel:

		# cd src
		# cvs update -d -P sys/netinet6/ah_aesxcbcmac.c
		# ./build.sh kernel=GENERIC
		# mv /netbsd /netbsd.old
		# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
		# shutdown -r now


* NetBSD 1.6 (and subsequent point releases) do not include
  AES-XCBC-MAC and are thus unaffected.


Thanks To
=========

Yukiyo Akisada for reporting the bug to KAME.
SUZUKI Shinsuike for reporting the bug to NetBSD.
Christos Zoulas for quickly adapting the fix to NetBSD.


Revision History
================

	2005-10-31	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-007.txt,v 1.8 2005/10/31 06:41:04 gendalia Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)

iQCVAwUBQ2fKdD5Ru2/4N2IFAQIEUQQAlpQMrJ1YeDOC4SggrVbxTgwr6HtZzSU6
Rl7F1fQybzN4tcUnYo3m20k57IKLr94SDOUI5rrL9O0qU8Oz/V7V8hI48Z82HXk9
gk2yFnWgeTYOOttSPXkEU7/ohDKibQXK6+1JTG3L3NTAAmphTBai0nxii0iNN9Vk
wdIxN4YcaqA=
=GnoS
-----END PGP SIGNATURE-----