CVE-2004-0220
CVSS 10.0
Published: 2004-05-04 00:00:00
Last revised: 2016-10-17 22:42:03

[Original] isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service via an ISAKMP packet with a malformed Cert Request payload, which causes an integer underflow that is used in a malloc operation that is not properly handled, as demonstrated by the Striker ISAKMP Protocol Test Suite.


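[CNNVD] OpenBSD ISAKMPD Malformed CERT Request Payload Remote Denial of Service Vulnerability (CNNVD-200405-012)

        OpenBSD is an open-source operating system. isakmpd is an IKE daemon implementation.
        When OpenBSD's isakmpd receives an ISAKMP packet with a malformed CERT request payload, an integer overflow occurs, causing it to wrongly allocate a large amount of memory and crash.
        No detailed vulnerability information is currently available.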
        

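- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definitions found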

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0220
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0220
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200405-012
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=108008530028019&w=2
(UNKNOWN)  BUGTRAQ  20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities
http://www.kb.cert.org/vuls/id/223273
(UNKNOWN)  CERT-VN  VU#223273
http://www.openbsd.org/errata.html
(PATCH)  OPENBSD  20040317 015: RELIABILITY FIX: March 17, 2004
http://www.rapid7.com/advisories/R7-0018.html
(UNKNOWN)  MISC  http://www.rapid7.com/advisories/R7-0018.html
http://www.securityfocus.com/bid/9907
(UNKNOWN)  BID  9907
http://www.securitytracker.com/alerts/2004/Mar/1009468.html
(UNKNOWN)  SECTRACK  1009468
http://xforce.iss.net/xforce/xfdb/15629
(VENDOR_ADVISORY)  XF  openbsd-isakmp-integer-underflow(15629)

- Vulnerability information

OpenBSD ISAKMPD Malformed CERT Request Payload Remote Denial of Service Vulnerability
Critical  Other
2004-05-04 00:00:00 2007-01-24 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patches:
        OpenBSD
        -------
        The vendor has released upgrade patches that fix this security issue; download them from the vendor's site:
        OpenBSD OpenBSD 3.3:
        OpenBSD Patch 020_isakmpd2.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/020_isakmpd2.patch
        OpenBSD OpenBSD 3.4:
        OpenBSD Patch 015_isakmpd2.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/015_isakmpd2.patch

- Vulnerability information (F32945)

Rapid7 Security Advisory 18 (PacketStormID:F32945)
2004-03-24 00:00:00
Rapid7  rapid7.com
advisory,denial of service,vulnerability
openbsd
CVE-2004-0218,CVE-2004-0219,CVE-2004-0220,CVE-2004-0221,CVE-2004-0222

Rapid7 Security Advisory - OpenBSD isakmpd payload handling is subject to multiple denial of service vulnerabilities. Known vulnerable: OpenBSD 3.4 and earlier, OpenBSD-current as of March 17, 2004.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
                     Rapid7, Inc. Security Advisory
       Visit http://www.rapid7.com/ to download NeXpose,
        the world's most advanced vulnerability scanner.
      Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0018
OpenBSD isakmpd payload handling denial-of-service vulnerabilities

   Published:  March 23, 2004
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0018.html

   CVE:    CAN-2004-0218, CAN-2004-0219, CAN-2004-0220, CAN-2004-0221,
           CAN-2004-0222

1. Affected system(s):

   KNOWN VULNERABLE:
    o OpenBSD 3.4 and earlier
    o OpenBSD-current as of March 17, 2004

2. Summary

   The ISAKMP packet processing functions in OpenBSD's isakmpd
   daemon contain multiple payload handling flaws that allow
   a remote attacker to launch a denial of service attack
   against the daemon.

   Carefully crafted ISAKMP packets will cause the isakmpd daemon
   to attempt out-of-bounds reads, exhaust available memory, or
   loop endlessly (consuming 100% of the CPU).

3. Vendor status and information

   OpenBSD
   http://www.openbsd.org

   OpenBSD has been notified of the issues and they have provided
   source code patches to fix the problems for -current, 3.4-stable,
   and 3.3-stable.  See http://www.openbsd.org/errata.html for
   more information.

   The isakmpd daemon in the upcoming OpenBSD 3.5 release will be
   privilege-separated, which greatly lessens the risk of any
   future vulnerabilities that may be found.

4. Solution

   Update and rebuild the isakmpd daemon:

      cd /usr/src/sbin/isakmpd
      cvs update -dP
      make clean && make obj && make && sudo make install

   You can also apply the appropriate patches from
   http://www.openbsd.org/errata.html instead of using CVS.

5. Detailed analysis

   To test the security and robustness of IPSEC implementations
   from multiple vendors, the security research team at Rapid7
   has designed the Striker ISAKMP Protocol Test Suite.  Striker
   is an ISAKMP packet generation tool that automatically produces
   and sends invalid and/or atypical ISAKMP packets.

   This advisory is the first in a series of vulnerability
   disclosures discovered with the Striker test suite.  Striker
   will be made available to qualified IPSEC vendors.  Please
   email advisory@rapid7.com for more information on obtaining
   Striker.

   OpenBSD's isakmpd daemon performs insufficient validation on
   payload lengths and payload field lengths before attempting to
   read the fields.  This results in out-of-bounds reads in several
   cases.

   Denial of service by 0-length ISAKMP payload
   CVE ID: CAN-2004-0218

      An ISAKMP packet with a malformed payload having a self-reported
      payload length of zero will cause isakmpd to enter an infinite
      loop, parsing the same payload over and over again.

      This issue is similar to CAN-2003-0989, which affected TCPDUMP.

   Denial of service by various malformed ISAKMP IPSEC SA payload
   CVE ID: CAN-2004-0219

      An ISAKMP packet with a malformed IPSEC SA payload will
      cause isakmpd to read out of bounds and crash.

   Denial of service by malformed ISAKMP Cert Request payload
   CVE ID: CAN-2004-0220

      An ISAKMP packet with a malformed Cert Request payload
      will cause an integer underflow, resulting in a failed
      malloc of a huge amount of memory.

   Denial of service by malformed ISAKMP Delete payload
   CVE ID: CAN-2004-0221

      An ISAKMP packet with a malformed delete payload having
      a large number of SPIs will cause isakmpd to read out of
      bounds and crash.

   Denial of service by various memory leaks
   CVE ID: CAN-2004-0222

      Various memory leaks in packet processing can be triggered
      by a remote attacker until all available memory is exhausted,
      resulting in eventual termination of the daemon.

6. Contact Information

   Rapid7 Security Advisories
   Email:  advisory@rapid7.com
   Web:    http://www.rapid7.com/
   Phone:  +1 (617) 603-0700

7. Disclaimer and Copyright

   Rapid7, LLC is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2004 Rapid7, LLC.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)

iD8DBQFAYKLaMiAxz4wsmx8RArx0AJwOnkTk/Ej5JRjezz+Ll2eiPmYpYACfQUyd
gYqp1RZ5ArQEZ9ZRpHlSal4=
=FIVu
-----END PGP SIGNATURE-----
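The length handling behind CAN-2004-0218 and CAN-2004-0220, as an added example that is not part of the advisory and is not isakmpd source: it assumes the RFC 2408 payload layout (4-byte generic header, plus a 1-byte Cert Type for a Certificate Request) and shows an unchecked length subtraction beside a payload walker that validates each self-reported length first. The function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GEN_HDR_LEN      4  /* RFC 2408 generic header: next, reserved, length(2) */
#define CERT_REQ_HDR     5  /* generic header + 1-byte Cert Type */
#define PAYLOAD_CERT_REQ 7  /* RFC 2408 payload type for Certificate Request */

/* Unchecked pattern (assumed shape, not isakmpd source): with a
 * self-reported length below 5 the unsigned subtraction wraps. */
size_t ca_len_unchecked(uint16_t payload_len)
{
    return (size_t)payload_len - CERT_REQ_HDR;
}

/* Walk a payload chain, validating every self-reported length first.
 * Returns the number of payloads, or -1 if any payload is malformed. */
int walk_payloads(const uint8_t *buf, size_t avail, uint8_t type)
{
    int count = 0;

    while (type != 0) {
        size_t min = (type == PAYLOAD_CERT_REQ) ? CERT_REQ_HDR : GEN_HDR_LEN;
        size_t len;

        if (avail < min)
            return -1;          /* fixed fields not all received */
        len = ((size_t)buf[2] << 8) | buf[3];   /* network byte order */
        if (len < min || len > avail)
            return -1;          /* would stall the loop, underflow, or over-read */
        type = buf[0];          /* next-payload field */
        buf += len;
        avail -= len;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed samples: a Cert Request claiming length 4, and a valid one. */
    const uint8_t bad[]  = { 0, 0, 0x00, 0x04, 0x04 };
    const uint8_t good[] = { 0, 0, 0x00, 0x07, 0x04, 'C', 'A' };

    printf("unchecked CA length for len=4: %zu\n", ca_len_unchecked(4));
    printf("bad:  %d\n", walk_payloads(bad, sizeof bad, PAYLOAD_CERT_REQ));
    printf("good: %d\n", walk_payloads(good, sizeof good, PAYLOAD_CERT_REQ));
    return 0;
}
```

The single `len < min` test rejects both the zero-length payload that would otherwise be parsed forever and the short Cert Request whose derived data length would wrap before reaching the allocator.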
    

- Vulnerability information

5699
OpenBSD isakmpd Cert Request Payload Handling DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Unknown

- Vulnerability description

OpenBSD contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends a specially-crafted ISAKMP packet containing a malformed Cert Request payload, and will result in loss of availability for the service.

- Timeline

2004-03-23 2004-03-23
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, OpenBSD has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

OpenBSD ISAKMPD Malformed CERT Request Payload Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 10030
Yes No
2004-03-17 12:00:00 2009-07-12 04:06:00
This issue was first publicly reported by the vendor.

- Affected program versions

OpenBSD OpenBSD 3.4
OpenBSD OpenBSD 3.3
OpenBSD OpenBSD -current

- Vulnerability discussion

OpenBSD is prone to a vulnerability that would allow an attacker to cause the isakmpd daemon to crash, denying service to legitimate users. This issue is due to a failure of the process to handle ISAKMP packets with malformed CERT request payloads.

This issue was previously reported in OpenBSD isakmpd Multiple Unspecified Remote Denial Of Service Vulnerabilities (BID 9907). That BID will be retired.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The vendor has supplied patches to address this issue:


OpenBSD OpenBSD 3.4

OpenBSD OpenBSD 3.3

- References

 

 
