CVE-2002-0414
CVSS 7.5
Published: 2002-08-12 00:00:00
Revised: 2008-09-05 16:27:57

[Original] KAME-derived implementations of IPsec on NetBSD 1.5.2, FreeBSD 4.5, and other operating systems do not properly consult the Security Policy Database (SPD), which could cause a Security Gateway (SG) that does not use Encapsulating Security Payload (ESP) to forward forged IPv4 packets.


[CNNVD] KAME Stack Non-ESP IPv4 Packet Forwarding Policy Bypass Vulnerability (CNNVD-200208-060)

        
KAME is a free, open-source implementation of IPv6 and IPsec, released and maintained by the KAME project.
KAME's IPv4 Encapsulating Security Payload (ESP) implementation contains a flaw that allows the packet-forwarding policy to be bypassed.
In some configurations KAME departs from the relevant RFC and applies its own security behaviour: when non-ESP traffic on an IPv4 network is meant to be blocked, and ESP is used between the security gateways at the ends of the route, non-ESP traffic sent to a security gateway is nevertheless forwarded by it. This lets an attacker with access to the network communicate through the security gateway with the network beyond it. Note that such traffic through the security gateway should normally be blocked, because a correct routing implementation handles this type of traffic properly.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance degradation or interrupted access to resources is possible]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:freebsd:freebsd:4.2  (FreeBSD 4.2)
cpe:/o:netbsd:netbsd:1.5.2  (NetBSD 1.5.2)
cpe:/o:freebsd:freebsd:4.4  (FreeBSD 4.4)
cpe:/o:freebsd:freebsd:4.3  (FreeBSD 4.3)
cpe:/o:freebsd:freebsd:4.5  (FreeBSD 4.5)
cpe:/o:netbsd:netbsd:1.5.1  (NetBSD 1.5.1)
cpe:/o:openbsd:openbsd:2.6  (OpenBSD 2.6)
cpe:/o:openbsd:openbsd:2.7  (OpenBSD 2.7)
cpe:/o:netbsd:netbsd:1.5  (NetBSD 1.5)

- OVAL (technical details for detection)

No related OVAL definition found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0414
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0414
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-060
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/4224
(VENDOR_ADVISORY)  BID  4224
http://www.iss.net/security_center/static/8416.php
(VENDOR_ADVISORY)  XF  kame-forged-packet-forwarding(8416)
http://www.securityfocus.com/archive/1/259598
(VENDOR_ADVISORY)  BUGTRAQ  20020304 BSD: IPv4 forwarding doesn't consult inbound SPD in KAME-derived IPsec
http://orange.kame.net/dev/cvsweb.cgi/kame/CHANGELOG
(UNKNOWN)  CONFIRM  http://orange.kame.net/dev/cvsweb.cgi/kame/CHANGELOG
http://www.osvdb.org/5304
(UNKNOWN)  OSVDB  5304
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0057.html
(UNKNOWN)  VULNWATCH  20020304 [VulnWatch] BSD: IPv4 forwarding doesn't consult inbound SPD in KAME-derived IPsec

- Vulnerability information

KAME Stack Non-ESP IPv4 Packet Forwarding Policy Bypass Vulnerability
High risk  Unknown
2002-08-12 00:00:00 2005-05-02 00:00:00
Remote
        
        

- Advisories and patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
Greg Troxel <gdt@ir.bbn.com> has provided a third-party patch:
Patch for NetBSD netbsd-1-5:
        Index: src/sys/netinet/ip_input.c
        ===================================================================
        RCS file: /NETBSD-CVS/netbsd/src/sys/netinet/ip_input.c,v
        retrieving revision 1.1.1.1
        diff -u -r1.1.1.1 ip_input.c
        --- src/sys/netinet/ip_input.c 2001/07/05 14:42:54 1.1.1.1
        +++ src/sys/netinet/ip_input.c 2002/02/25 01:07:02
        @@ -611,6 +611,15 @@
        ipstat.ips_cantforward++;
        m_freem(m);
        } else {
        +#ifdef IPSEC
        + /*
        + * Enforce inbound IPsec SPD.
        + */
        + if (ipsec4_in_reject(m, NULL)) {
        + ipsecstat.in_polvio++;
        + goto bad;
        + }
        +#endif
        /*
        * If ip_dst matched any of my address on !IFF_UP interface,
        * and there's no IFF_UP interface that matches ip_dst,
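Review bot: `goto bad` hands the rejected packet to the `bad:` label, which lies outside this hunk; confirm that path frees `m` (as the `ipforwarding == 0` branch above does with `m_freem(m)`) so a forwarded packet that violates the inbound SPD is dropped without leaking the mbuf. Passing NULL as the second argument to `ipsec4_in_reject()` is appropriate here, because a packet being forwarded has no local socket to match a policy against. Incrementing `ipsecstat.in_polvio` before the drop is also worth keeping: it gives operators a counter to watch for forwarded traffic being rejected by policy, which is exactly the traffic this change starts blocking.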
Patch for FreeBSD RELENG_4:
        Index: src/sys/netinet/ip_input.c
        ===================================================================
        RCS file: /FREEBSD-CVS/src/sys/netinet/ip_input.c,v
        retrieving revision 1.130.2.31
        diff -u -r1.130.2.31 ip_input.c
        --- src/sys/netinet/ip_input.c 2001/12/15 01:06:27 1.130.2.31
        +++ src/sys/netinet/ip_input.c 2002/02/24 16:10:26
        @@ -625,8 +625,18 @@
        if (ipforwarding == 0) {
        ipstat.ips_cantforward++;
        m_freem(m);
        - } else
        + } else {
        +#ifdef IPSEC
        + /*
        + * Enforce inbound IPsec SPD.
        + */
        + if (ipsec4_in_reject(m, NULL)) {
        + ipsecstat.in_polvio++;
        + goto bad;
        + }
        +#endif /* IPSEC */
        ip_forward(m, 0);
        + }
        #ifdef IPFIREWALL_FORWARD
        ip_fw_fwd_addr = NULL;
        #endif
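Review bot: the `goto bad` inside the new braced `else` block jumps past the `ip_fw_fwd_addr = NULL` reset under `#ifdef IPFIREWALL_FORWARD` that follows the block; check that the `bad:` path (outside this hunk) also clears it, otherwise a kernel built with IPFIREWALL_FORWARD could carry a stale forwarding address out of a rejected packet. Turning `} else` into `} else { ... }` is required because the `#ifdef IPSEC` region adds statements ahead of `ip_forward(m, 0)`, and with IPSEC undefined the block still reduces to the original single call, so non-IPsec builds are unaffected. It would help reviewers to state in the patch description that this hunk mirrors the NetBSD one, since the two differ only in the surrounding brace structure.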
Vendor patch:
OpenBSD
-------
The vendor has released an upgrade patch to fix this security issue; download it from the vendor's home page:

http://www.openbsd.org

- Vulnerability information

5304
KAME-derived IPsec Forged IPv4 Packet Forwarding
Local Access Required, Remote / Network Access Misconfiguration
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

Implementations of IPsec derived from KAME contain a flaw that may allow a malicious user to spoof IPv4 packets through a security gateway and have them appear authenticated. The issue is triggered when the security gateway is configured to require Encapsulating Security Payload (ESP). The gateway fails to check its security policy database. It is possible that the flaw may allow spoofed or non-encapsulated packets through, resulting in a loss of confidentiality and/or integrity.

- Timeline

2002-03-04 Unknown
2002-03-04 Unknown

- Solution

Upgrade to an appropriate version of the software -- KAME 1.2088 (1.37 for NetBSD, 1.33 for FreeBSD-4, 1.33), NetBSD -current (1.145) and 1.5-stable (1.114.4.8), or FreeBSD -current (1.192) and -stable (1.130.2.35), or higher, as this has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patches and recompiling.

- References

- Vulnerability author
