发布时间 :2004-05-04 00:00:00
修订时间 :2016-10-17 22:42:00

[原文]isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (infinite loop) via an ISAKMP packet with a zero-length payload, as demonstrated by the Striker ISAKMP Protocol Test Suite.

[CNNVD]OpenBSD ISAKMPD零负载长度远程拒绝服务漏洞(CNNVD-200405-032)


- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities
(PATCH)  OPENBSD  20040317 015: RELIABILITY FIX: March 17, 2004
(UNKNOWN)  BID  10028
(VENDOR_ADVISORY)  XF  openbsd-isakmp-zerolength-dos(15518)

- 漏洞信息

OpenBSD ISAKMPD零负载长度远程拒绝服务漏洞
中危 其他
2004-05-04 00:00:00 2005-10-20 00:00:00

- 公告与补丁

        OpenBSD OpenBSD 3.3:
        OpenBSD Patch 020_isakmpd2.patch
        OpenBSD OpenBSD 3.4:
        OpenBSD Patch 015_isakmpd2.patch

- 漏洞信息 (F32945)

Rapid7 Security Advisory 18 (PacketStormID:F32945)
2004-03-24 00:00:00
advisory,denial of service,vulnerability

Rapid7 Security Advisory - OpenBSD isakmpd payload handling is subject to multiple denial of service vulnerabilities. Known vulnerable: OpenBSD 3.4 and earlier, OpenBSD-current as of March 17, 2004.

Hash: SHA1

                     Rapid7, Inc. Security Advisory
       Visit to download NeXpose,
        the world's most advanced vulnerability scanner.
      Linux and Windows 2000/XP versions are available now!

Rapid7 Advisory R7-0018
OpenBSD isakmpd payload handling denial-of-service vulnerabilities

   Published:  March 23, 2004
   Revision:   1.0

   CVE:    CAN-2004-0218, CAN-2004-0219, CAN-2004-0220, CAN-2004-0221,

1. Affected system(s):

    o OpenBSD 3.4 and earlier
    o OpenBSD-current as of March 17, 2004

2. Summary

   The ISAKMP packet processing functions in OpenBSD's isakmpd
   daemon contain multiple payload handling flaws that allow
   a remote attacker to launch a denial of service attack
   against the daemon.

   Carefully crafted ISAKMP packets will cause the isakmpd daemon
   to attempt out-of-bounds reads, exhaust available memory, or
   loop endlessly (consuming 100% of the CPU).

3. Vendor status and information


   OpenBSD has been notified of the issues and they have provided
   source code patches to fix the problems for -current, 3.4-stable,
   and 3.3-stable.  See for
   more information.

   The isakmpd daemon in the upcoming OpenBSD 3.5 release will be
   privilege-separated, which greatly lessens the risk of any
   future vulnerabilities that may be found.

4. Solution

   Update and rebuild the isakmpd daemon:

      cd /usr/src/sbin/isakmpd
      cvs update -dP
      make clean && make obj && make && sudo make install

   You can also apply the appropriate patches from instead of using CVS.

5. Detailed analysis

   To test the security and robustness of IPSEC implementations
   from multiple vendors, the security research team at Rapid7
   has designed the Striker ISAKMP Protocol Test Suite.  Striker
   is an ISAKMP packet generation tool that automatically produces
   and sends invalid and/or atypical ISAKMP packets.

   This advisory is the first in a series of vulnerability
   disclosures discovered with the Striker test suite.  Striker
   will be made available to qualified IPSEC vendors.  Please
   email for more information on obtaining

   OpenBSD's isakmpd daemon performs insufficient validation on
   payload lengths and payload field lengths before attempting to
   read the fields.  This results in out-of-bounds reads in several

   Denial of service by 0-length ISAKMP payload
   CVE ID: CAN-2004-0218

      An ISAKMP packet with a malformed payload having a self-reported
      payload length of zero will cause isakmpd to enter an infinite
      loop, parsing the same payload over and over again.

      This issue is similar to CAN-2003-0989, which affected TCPDUMP.

   Denial of service by various malformed ISAKMP IPSEC SA payload
   CVE ID: CAN-2004-0219

      An ISAKMP packet with a malformed IPSEC SA payload will
      cause isakmpd to read out of bounds and crash.

   Denial of service by malformed ISAKMP Cert Request payload
   CVE ID: CAN-2004-0220

      An ISAKMP packet with a malformed Cert Request payload
      will cause an integer underflow, resulting in a failed
      malloc of a huge amount of memory.

   Denial of service by malformed ISAKMP Delete payload
   CVE ID: CAN-2004-0221

      An ISAKMP packet with a malformed delete payload having
      a large number of SPIs will cause isakmpd to read out of
      bounds and crash.

   Denial of service by various memory leaks
   CVE ID: CAN-2004-0222

      Various memory leaks in packet processing can be triggered
      by a remote attacker until all available memory is exhausted,
      resulting in eventual termination of the daemon.

6. Contact Information

   Rapid7 Security Advisories
   Phone:  +1 (617) 603-0700

7. Disclaimer and Copyright

   Rapid7, LLC is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2004 Rapid7, LLC.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.
Version: GnuPG v1.2.2 (OpenBSD)


- 漏洞信息

OpenBSD isakmpd Zero-length Payload Handling DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Unknown

- 漏洞描述

OpenBSD contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends a specially crafted isakmp packet, and will result in loss of availability for the service.

- 时间线

2004-03-23 2004-03-23
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, OpenBSD has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

- 漏洞信息

OpenBSD ISAKMPD Zero Payload Length Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 10028
Yes No
2004-03-17 12:00:00 2009-07-12 04:06:00
This issue was first publicly reported by the vendor.

- 受影响的程序版本

OpenBSD OpenBSD 3.4
OpenBSD OpenBSD 3.3
OpenBSD OpenBSD -current

- 漏洞讨论

A remote denial of service vulnerability exists in OpenBSD's isakmpd daemon. This issue is due to a failure of the process to handle malformed ISAKMP packets.

This issue could be leveraged to cause the affected isakmpd daemon to enter an infinite loop, effectively denying service to legitimate users.

This issue was previously reported in OpenBSD isakmpd Multiple Unspecified Remote Denial Of Service Vulnerabilities (BID 9907). That BID will be retired.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- 解决方案

The vendor has supplied patches to address these issue:

OpenBSD OpenBSD 3.4

OpenBSD OpenBSD 3.3

- 相关参考