isakmpd Payload Handling Flaw Lets Remote Users Crash the Daemon
SecurityTracker Alert ID: 1009468
SecurityTracker URL: http://securitytracker.com/id/1009468
CVE Reference:
CAN-2004-0218, CAN-2004-0219, CAN-2004-0220, CAN-2004-0221, CAN-2004-0222
Updated: Mar 24 2004
Original Entry Date: Mar 17 2004
Impact:
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Description:
Some vulnerabilities were reported in the ISAKMP daemon (isakmpd) in the processing of payloads. A remote user can cause the daemon to crash.
It is reported that there are flaws in the payload validation and processing functions. A remote user can send specially crafted ISAKMP messages to cause isakmpd to crash or to loop endlessly, the report said. Some memory leaks were also reported.
The 'doi.h', 'util.h', 'ipsec.c', 'isakmp_doi.c', and 'message.c' files are affected.
Rapid7 released an advisory describing the vulnerabilities in greater detail. The vulnerabilities were detected based on testing with the Rapid7 Striker ISAKMP Protocol Test Suite.
A remote user can send a packet with a user-defined length of 0 to cause the target daemon to enter an infinite loop attempting to parse the same payload repeatedly [CVE: CAN-2004-0218].
A remote user can reportedly send a specially crafted IPSec security association (SA) packet to cause the daemon to crash [CVE: CAN-2004-0219].
A remote user can send a specially crafted ISAKMP Cert Request payload to trigger an integer underflow and a resulting memory allocation failure [CVE: CAN-2004-0220].
It is also reported that a remote user can send a specially crafted ISAKMP Delete payload that contains a large number of security protocol identifiers (SPIs) to cause the target daemon to crash [CVE: CAN-2004-0221].
Finally, a remote user can exploit some memory leaks in the processing of isakmpd packets to cause the target daemon to consume all available memory and crash [CVE: CAN-2004-0222].
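The zero-length case (CAN-2004-0218) comes down to a payload walker that trusts the length field in each generic payload header. The following is an added example, not code from isakmpd or from the OpenBSD patches: a bounds-checked walk over an unencrypted ISAKMP message using the RFC 2408 header layout. The function name, the payload cap and the strict rejection of trailing bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define ISAKMP_HDR_LEN      28  /* fixed ISAKMP header (RFC 2408, 3.1) */
#define ISAKMP_GEN_LEN       4  /* generic payload header (RFC 2408, 3.2) */
#define ISAKMP_MAX_PAYLOADS 64  /* assumed local cap, not a protocol value */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/*
 * Walk the payload chain of one unencrypted ISAKMP datagram.
 * Returns the number of payloads, or -1 if the message is malformed.
 * (Hypothetical helper for illustration; not an isakmpd function.)
 */
int isakmp_count_payloads(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < ISAKMP_HDR_LEN)
        return -1;
    /* The header's length field must match what was actually received. */
    if (be32(msg + 24) != len)
        return -1;

    uint8_t next = msg[16];          /* type of the first payload */
    size_t off = ISAKMP_HDR_LEN;
    int count = 0;

    while (next != 0) {              /* 0 means no further payload */
        if (count == ISAKMP_MAX_PAYLOADS || len - off < ISAKMP_GEN_LEN)
            return -1;
        size_t plen = ((size_t)msg[off + 2] << 8) | msg[off + 3];
        /*
         * The length field covers the generic header itself, so anything
         * below 4 is invalid. A value of 0 would leave 'off' unchanged and
         * the loop would parse the same payload again on every pass.
         */
        if (plen < ISAKMP_GEN_LEN || plen > len - off)
            return -1;
        next = msg[off];
        off += plen;
        count++;
    }
    /* Strict choice: reject trailing bytes that no payload accounts for. */
    return off == len ? count : -1;
}
```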
Impact:
A remote user can cause isakmpd to crash or enter an endless loop.
Solution:
OpenBSD has issued fixes, available at:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/015_isakmpd2.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/020_isakmpd2.patch
Vendor URL: www.openbsd.org/
Cause:
Boundary error, Exception handling error, Input validation error, State error
Underlying OS:
Linux (Any), UNIX (Any)
Source Message Contents
Date: Wed, 17 Mar 2004 10:59:32 -0700 (MST)
Subject: isakmpd memory corruption vulnerability
Several bugs have been found in the ISAKMP daemon which can lead to memory
leaks and a remote denial of service condition. An attacker can craft
malformed payloads that can cause the isakmpd(8) process to stop
processing requests.
The problem is fixed in -current, 3.4-stable and 3.3-stable.
Patches are available at:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/015_isakmpd2.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/020_isakmpd2.patch