SecurityTracker.com
Category:   Application (Security)  >   isakmpd
Vendors:   OpenBSD
isakmpd Payload Handling Flaw Lets Remote Users Crash the Daemon
SecurityTracker Alert ID:  1009468
SecurityTracker URL:  http://securitytracker.com/id/1009468
CVE Reference:   CAN-2004-0218, CAN-2004-0219, CAN-2004-0220, CAN-2004-0221, CAN-2004-0222
Updated:  Mar 24 2004
Original Entry Date:  Mar 17 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Some vulnerabilities were reported in the ISAKMP daemon (isakmpd) in the processing of payloads. A remote user can cause the daemon to crash.

It is reported that there are flaws in the payload validation and processing functions. A remote user can send specially crafted ISAKMP messages to cause isakmpd to crash or to loop endlessly, the report said. Some memory leaks were also reported.

The 'doi.h', 'util.h', 'ipsec.c', 'isakmp_doi.c', and 'message.c' files are affected.

Rapid7 released an advisory describing the vulnerabilities in greater detail. The vulnerabilities were detected based on testing with the Rapid7 Striker ISAKMP Protocol Test Suite.

A remote user can send a packet with a user-defined length of 0 to cause the target daemon to enter an infinite loop attempting to parse the same payload repeatedly [CVE: CAN-2004-0218].

A remote user can reportedly send a specially crafted IPSec security association (SA) packet to cause the daemon to crash [CVE: CAN-2004-0219].

A remote user can send a specially crafted ISAKMP Cert Request payload to trigger an integer underflow and a resulting memory allocation failure [CVE: CAN-2004-0220].

It is also reported that a remote user can send a specially crafted ISAKMP Delete payload that contains a large number of security protocol identifiers (SPIs) to cause the target daemon to crash [CVE: CAN-2004-0221].

Finally, a remote user can exploit some memory leaks in the processing of isakmpd packets to cause the target daemon to consume all available memory and crash [CVE: CAN-2004-0222].
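
The zero-length case above (CAN-2004-0218) comes down to a payload walker that trusts the length field. The following is an added example, not isakmpd code and not the OpenBSD patch: it walks a payload chain using the RFC 2408 generic payload header layout and rejects any length that would fail to advance or would run past the message. The function name walk_payloads and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GENERIC_HDR_LEN 4 /* next payload (1) + reserved (1) + length (2) */

/* Constructed sample payload areas (not captured traffic). */
static const uint8_t good[] = { 13, 0, 0x00, 0x08, 0xde, 0xad, 0xbe, 0xef,   /* Nonce */
                                 0, 0, 0x00, 0x08, 0x01, 0x02, 0x03, 0x04 }; /* Vendor ID */
static const uint8_t zero_len[] = { 13, 0, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t overlong[] = { 0, 0, 0x00, 0x40, 0xde, 0xad, 0xbe, 0xef };

/*
 * Walk the payload chain that follows the fixed ISAKMP header.
 * first is the header's "next payload" value (0 means no payloads).
 * Returns the number of payloads, or -1 if the chain is malformed.
 */
int walk_payloads(const uint8_t *buf, size_t len, uint8_t first)
{
    size_t off = 0;          /* invariant: off <= len */
    uint8_t type = first;
    int count = 0;

    while (type != 0) {
        if (len - off < GENERIC_HDR_LEN)
            return -1;       /* truncated generic header */
        size_t plen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (plen < GENERIC_HDR_LEN)
            return -1;       /* 0..3: parser would not advance (zero-length case) */
        if (plen > len - off)
            return -1;       /* claims more bytes than the message holds */
        type = buf[off];     /* type of the payload that follows this one */
        off += plen;
        count++;
    }
    return count;
}

int main(void)
{
    printf("good=%d zero_len=%d overlong=%d\n",
           walk_payloads(good, sizeof good, 10),
           walk_payloads(zero_len, sizeof zero_len, 10),
           walk_payloads(overlong, sizeof overlong, 10));
    return 0;
}
```

Because every accepted payload advances the offset by at least four bytes, the loop terminates after at most len / 4 iterations regardless of what the sender puts in the length field.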

Impact:   A remote user can cause isakmpd to crash or enter an endless loop.
Solution:   OpenBSD has issued fixes, available at:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/015_isakmpd2.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/020_isakmpd2.patch

Vendor URL:  www.openbsd.org/
Cause:   Boundary error, Exception handling error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Affects OpenBSD 3.3 and 3.4

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 24 2004 (Original Advisory is Available) isakmpd Payload Handling Flaw Lets Remote Users Crash the Daemon
Rapid7 has issued their advisory.



 Source Message Contents

Subject:  isakmpd memory corruption vulnerability



Several bugs have been found in the ISAKMP daemon which can lead to memory 
leaks and a remote denial of service condition. An attacker can craft 
malformed payloads that can cause the isakmpd(8) process to stop 
processing requests.

The problem is fixed in -current, 3.4-stable and 3.3-stable.

Patches are available at:

  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/015_isakmpd2.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/020_isakmpd2.patch


Copyright 2017, SecurityGlobal.net LLC