|Published: 2004-05-04 00:00:00|
|Revised: 2017-07-10 21:29:59|
[Original text] isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a delete payload containing a large number of SPIs, which triggers an out-of-bounds read error, as demonstrated by the Striker ISAKMP Protocol Test Suite.
- CVSS (base score)
- CPE (affected platforms and products)
- OVAL (technical details for detection)
(UNKNOWN) BUGTRAQ 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities
(UNKNOWN) CERT-VN VU#524497
(VENDOR_ADVISORY) OPENBSD 20040317 015: RELIABILITY FIX: March 17, 2004
(UNKNOWN) MISC http://www.rapid7.com/advisories/R7-0018.html
(UNKNOWN) BID 9907
(UNKNOWN) SECTRACK 1009468
(UNKNOWN) XF openbsd-isakmp-delete-dos(15630)
|2004-05-04 00:00:00||2005-10-20 00:00:00|
OpenBSD OpenBSD 3.3:
OpenBSD Patch 020_isakmpd2.patch
OpenBSD OpenBSD 3.4:
OpenBSD Patch 015_isakmpd2.patch
- Vulnerability information (F32945)
|Rapid7 Security Advisory 18 (PacketStormID:F32945)|
|advisory,denial of service,vulnerability|
Rapid7 Security Advisory - OpenBSD isakmpd payload handling is subject to multiple denial of service vulnerabilities. Known vulnerable: OpenBSD 3.4 and earlier, OpenBSD-current as of March 17, 2004.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
                     Rapid7, Inc. Security Advisory

       Visit http://www.rapid7.com/ to download NeXpose,
        the world's most advanced vulnerability scanner.
     Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0018
OpenBSD isakmpd payload handling denial-of-service vulnerabilities

   Published:  March 23, 2004
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0018.html

   CVE:        CAN-2004-0218, CAN-2004-0219, CAN-2004-0220,
               CAN-2004-0221, CAN-2004-0222

1. Affected system(s):

   KNOWN VULNERABLE:
    o OpenBSD 3.4 and earlier
    o OpenBSD-current as of March 17, 2004

2. Summary

   The ISAKMP packet processing functions in OpenBSD's isakmpd daemon contain multiple payload handling flaws that allow a remote attacker to launch a denial of service attack against the daemon.

   Carefully crafted ISAKMP packets will cause the isakmpd daemon to attempt out-of-bounds reads, exhaust available memory, or loop endlessly (consuming 100% of the CPU).

3. Vendor status and information

   OpenBSD
   http://www.openbsd.org

   OpenBSD has been notified of the issues and they have provided source code patches to fix the problems for -current, 3.4-stable, and 3.3-stable. See http://www.openbsd.org/errata.html for more information.

   The isakmpd daemon in the upcoming OpenBSD 3.5 release will be privilege-separated, which greatly lessens the risk of any future vulnerabilities that may be found.

4. Solution

   Update and rebuild the isakmpd daemon:

      cd /usr/src/sbin/isakmpd
      cvs update -dP
      make clean && make obj && make && sudo make install

   You can also apply the appropriate patches from http://www.openbsd.org/errata.html instead of using CVS.

5. Detailed analysis

   To test the security and robustness of IPSEC implementations from multiple vendors, the security research team at Rapid7 has designed the Striker ISAKMP Protocol Test Suite. Striker is an ISAKMP packet generation tool that automatically produces and sends invalid and/or atypical ISAKMP packets.

   This advisory is the first in a series of vulnerability disclosures discovered with the Striker test suite. Striker will be made available to qualified IPSEC vendors. Please email email@example.com for more information on obtaining Striker.

   OpenBSD's isakmpd daemon performs insufficient validation on payload lengths and payload field lengths before attempting to read the fields. This results in out-of-bounds reads in several cases.

   Denial of service by 0-length ISAKMP payload
   CVE ID: CAN-2004-0218

      An ISAKMP packet with a malformed payload having a self-reported payload length of zero will cause isakmpd to enter an infinite loop, parsing the same payload over and over again. This issue is similar to CAN-2003-0989, which affected TCPDUMP.

   Denial of service by various malformed ISAKMP IPSEC SA payload
   CVE ID: CAN-2004-0219

      An ISAKMP packet with a malformed IPSEC SA payload will cause isakmpd to read out of bounds and crash.

   Denial of service by malformed ISAKMP Cert Request payload
   CVE ID: CAN-2004-0220

      An ISAKMP packet with a malformed Cert Request payload will cause an integer underflow, resulting in a failed malloc of a huge amount of memory.

   Denial of service by malformed ISAKMP Delete payload
   CVE ID: CAN-2004-0221

      An ISAKMP packet with a malformed delete payload having a large number of SPIs will cause isakmpd to read out of bounds and crash.

   Denial of service by various memory leaks
   CVE ID: CAN-2004-0222

      Various memory leaks in packet processing can be triggered by a remote attacker until all available memory is exhausted, resulting in eventual termination of the daemon.

6. Contact Information

   Rapid7 Security Advisories
   Email:   firstname.lastname@example.org
   Web:     http://www.rapid7.com/
   Phone:   +1 (617) 603-0700

7. Disclaimer and Copyright

   Rapid7, LLC is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

   This advisory Copyright (C) 2004 Rapid7, LLC. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)

iD8DBQFAYKLaMiAxz4wsmx8RArx0AJwOnkTk/Ej5JRjezz+Ll2eiPmYpYACfQUyd
gYqp1RZ5ArQEZ9ZRpHlSal4=
=FIVu
-----END PGP SIGNATURE-----
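The length checks whose absence the advisory describes for CAN-2004-0218 (zero-length payload) and CAN-2004-0221 (Delete payload SPI count), as an added example that is not isakmpd's code or the OpenBSD patch. Field offsets follow the RFC 2408 payload layouts; the function and macro names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define GENERIC_HDR_LEN 4   /* next payload, reserved, 16-bit length */
#define DELETE_HDR_LEN  12  /* generic hdr + DOI(4) + proto(1) + SPI size(1) + #SPIs(2) */
#define PAYLOAD_DELETE  12  /* RFC 2408 payload type number for Delete */

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Returns 0 if the Delete payload at p is self-consistent, -1 otherwise.
 * avail is the number of bytes that really remain in the packet. */
int check_delete_payload(const uint8_t *p, size_t avail)
{
    if (avail < DELETE_HDR_LEN)
        return -1;
    size_t len = be16(p + 2);
    if (len < DELETE_HDR_LEN || len > avail)
        return -1;
    size_t spi_size = p[9];
    size_t nspis = be16(p + 10);
    /* The declared SPI array must fit inside the payload; the product is
     * at most 255 * 65535, so it cannot overflow size_t. */
    if (nspis * spi_size > len - DELETE_HDR_LEN)
        return -1;
    return 0;
}

/* Walks a payload chain starting with payload type first_type.
 * Returns the number of payloads accepted, or -1 on a malformed chain. */
int walk_payloads(uint8_t first_type, const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    uint8_t type = first_type;
    int count = 0;

    while (type != 0) {
        if (buflen - off < GENERIC_HDR_LEN)
            return -1;
        size_t len = be16(buf + off + 2);
        /* A length below 4 (including 0) would never advance off. */
        if (len < GENERIC_HDR_LEN || len > buflen - off)
            return -1;
        if (type == PAYLOAD_DELETE && check_delete_payload(buf + off, len) != 0)
            return -1;
        type = buf[off];    /* next-payload field of the current payload */
        off += len;
        count++;
    }
    return count;
}
```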
|OpenBSD isakmpd Delete Payload Handling DoS|
|Remote / Network Access||Denial of Service|
|Loss of Availability|
|OpenBSD contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends a specially-crafted ISAKMP packet containing a malformed delete payload with a large number of Security Parameter Indexes (SPI), and will result in loss of availability for the service.|
|Currently, there are no known workarounds or upgrades to correct this issue. However, OpenBSD has released a patch to address this vulnerability.|
|OpenBSD ISAKMPD Delete Payload Denial Of Service Vulnerability|
|Failure to Handle Exceptional Conditions||10031|
|2004-03-17 12:00:00||2009-07-12 04:06:00|
|This issue was first publicly reported by the vendor.|
|OpenBSD OpenBSD 3.4
OpenBSD OpenBSD 3.3
OpenBSD OpenBSD -current
|OpenBSD is prone to a vulnerability that would allow an attacker to cause the isakmpd daemon to crash, denying service to legitimate users. This issue is due to a failure of the process to handle ISAKMP packets with malformed delete payloads.
This issue was previously reported in OpenBSD isakmpd Multiple Unspecified Remote Denial Of Service Vulnerabilities (BID 9907). That BID will be retired.
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: email@example.com.
The vendor has supplied patches to address this issue:
OpenBSD OpenBSD 3.4
OpenBSD OpenBSD 3.3