Subject: NetBSD Security Advisory 2002-003: IPv4 forwarding doesn't consult inbound SPD
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: tech-security
Date: 03/12/2002 14:04:35
-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-003
		 =================================

Topic:		IPv4 forwarding doesn't consult inbound SPD

Version:	NetBSD-current:	source prior to Feb 26, 2002
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	not affected
		NetBSD-1.4.*:	not affected (no IPsec support)

Severity:	packets mistakenly go through VPN gateway

Fixed:		NetBSD-current:		Feb 26, 2002
		NetBSD-1.5 branch:	Feb 26, 2002 (1.5.3 will include the fix)


Abstract
========

There was a bug in the IPv4 forwarding path, and the inbound SPD
(security policy database) was not consulted on forwarding.  As a
result, NetBSD routers configured to be a VPN gateway failed to reject
unencrypted packets.

The problem affects NetBSD systems with the following configuration only:
- - an IPv4 router (forwards IPv4 packet, net.inet.ip.forwarding=1)
- - configured as VPN gateway (has tunnel-mode IPsec policy)


Technical Details
=================

http://online.securityfocus.com/archive/1/259598


Solutions and Workarounds
=========================

If your system is affected, you must upgrade your kernel (/netbsd).

The following instructions describe how to upgrade your kernel
by updating your source tree and rebuilding and installing a new version.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-02-25
	should be upgraded to NetBSD-current dated 2002-02-26 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		sys/netinet/ip_input.c

	To update from CVS, re-build, re-install the kernel and reboot:
		% cd src
		% cvs update -d -P sys/netinet


	Then build and install a new kernel. If you are not familiar
	with this process, documentation is available at:

		http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel


* NetBSD 1.5.1, 1.5.2:

	Systems running NetBSD 1.5.1 or 1.5.2 sources dated from
	before 2002-02-25 should be upgraded from NetBSD 1.5.*
	sources dated 2002-02-26 or later.

	NetBSD 1.5 is not vulnerable. NetBSD 1.5.3 will include the fix.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		sys/netinet/ip_input.c

	To update from CVS, re-build, re-install the kernel, and reboot:

		% cd src
		% cvs update -d -P sys/netinet


        Alternatively, apply the following patch (with potential offset
        differences):

                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-003-SPD-1.5.patch

        To patch:

                # cd src
                # patch < /path/to/SA2002-003-SPD-1.5.patch



	Then build and install a new kernel. If you are not familiar
	with this process, documentation is available at:

		http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel


Thanks To
=========

Greg Troxel and Bill Chiarchiaro

Jun-ichiro itojun Hagino for patches, and preparing advisory text.


Revision History
================

	2002-03-11	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-003.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-003.txt,v 1.5 2002/03/12 16:49:16 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPI4yFD5Ru2/4N2IFAQGd6gP/VrivjrjqlvdAratqXGfv4TDRGHjnYzbh
Giptuvn6TiEI/pLx4n9f5zd8BHr+1qITVlm9WNJkHTbnw+nLCQQAGR6Hwv/LwIX2
16Eb+ogWQnRPm8CyF/YzZyFzMMYKAWnI8ZMYVg2yXjNzbA8xtEcJL1vOxpCZYM9/
bJ/EpJ6V6F0=
=4VSK
-----END PGP SIGNATURE-----