NetBSD Security Advisory 2008-012: Denial of service issues in racoon(8)

To: tech-security%NetBSD.org@localhost
Subject: NetBSD Security Advisory 2008-012: Denial of service issues in racoon(8)
From: NetBSD Security-Officer <security-officer%netbsd.org@localhost>
Date: Mon, 15 Sep 2008 22:04:13 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2008-012
                 =================================

Topic:          Denial of service issues in racoon(8)

Version:        NetBSD-current:         affected
                NetBSD 4.0:             affected
                NetBSD 3.1.*:           not affected
                NetBSD 3.1:             not affected
                NetBSD 3.0.*:           not affected
                NetBSD 3.0:             not affected

Severity:       Denial of service

Fixed:          NetBSD-current:         August 12, 2008
                NetBSD-4-0 branch:      August 18, 2008
                        (4.0.1 will include the fix)
                NetBSD-4 branch:        August 18, 2008
                        (4.1 will include the fix)
                pkgsrc:                 ipsec-tools-0.7.1 corrects the issue


Abstract
========

Currently racoon(8) does not remove orphaned ph1s initiated by a remote side.
As a result of this a potential denial of service issue can occur.

This vulnerability has been assigned CVE-2008-3652.

Technical Details
=================

When racoon(8) receives an invalid packet from a peer, it keeps the ph1handle
and expects the peer to resend a valid packet.  If the peers invalid packet 
is the first exchange (typically an SA exchange with no valid proposal), 
the freshly created ph1handle will never be be removed, which is in fact 
a memory leak.

A legitimate peer with invalid configuration, or an attacker, which will
send SA exchanges with no valid proposal can create a Denial of
Service if it can generate enough ph1handles (racoon will slow down
every time it will search for a ph1handle, then may run out of
memory).


Solutions and Workarounds
=========================

Only kernels compiled with the following option are vulnerable to this issue:

        options IPSEC

As a temporary workaround recompile the kernel with the above option 
commented out.  The default NetBSD GENERIC kernels do not have this
option enabled.  In addition to this the system must be running the 
racoon(8) daemon which is not enabled by default.

An additional workaround can be to add filtering rules to ensure only 
legitimate peers can send IKE exchanges (port 500/udp).

The following instructions describe how to upgrade your ipsec-tools
binaries by updating your source tree and rebuilding and installing
a new version of ipsec-tools.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2008-08-12
        should be upgraded to NetBSD-current dated 2008-08-13 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                crypto/dist/ipsec-tools/src/racoon/isakmp.c

        To update from CVS, re-build, and re-install ipsec-tools:

                # cd src
                # cvs update crypto/dist/ipsec-tools/src/racoon/isakmp.c
                # cd usr.sbin/racoon
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before
        2008-08-18 should be upgraded from NetBSD 4.* sources dated
        2008-08-19 or later.

        The following files/directories need to be updated from the
        netbsd-4 or netbsd-4-0 branches:
                crypto/dist/ipsec-tools

        To update from CVS, re-build, and re-install ipsec-tools:

                # cd src
                # cvs update -r <branch_name> -d -P crypto/dist/ipsec-tools
                # cd lib/libipsec
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../sbin/setkey
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../usr.sbin/racoon
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Revision History
================

        2008-09-15      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-012.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2008-012.txt,v 1.1 2008/09/14 16:00:24 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQCVAwUBSM01az5Ru2/4N2IFAQJ7DAP/ZEUdji6OcZrDCmUygn/TsLkm6Tv4Q/KO
n3Fi4sLiBy/8x4cjpsUA4kB2+44SJ9NUoxKt69JUlwrOovIFbf8PAvdlvKRlkvrZ
Pc21cDYNUMYAmD+Eo9bAQn90pt8qfY4aO3CMDZ+zd6GrZKSvF7oczcu7yXsT79Cn
Do2HVYOYuvs=
=86Ym
-----END PGP SIGNATURE-----

Prev by Date: NetBSD Security Advisory 2008-011: ICMPv6 MLD query
Next by Date: Full disk encryption?
Previous by Thread: NetBSD Security Advisory 2008-011: ICMPv6 MLD query
Next by Thread: Full disk encryption?
Indexes:

Home | Main Index | Thread Index | Old Index