CVE-2004-0607
CVSS 10.0
Published: 2004-12-06 00:00:00
Last revised: 2016-10-17 22:46:39

[Original] The eay_check_x509cert function in KAME Racoon successfully verifies certificates even when OpenSSL validation fails, which could allow remote attackers to bypass authentication.


[CNNVD] KAME Racoon IDE Daemon X.509 Improper Certificate Verification Vulnerability (CNNVD-200412-046)

        
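        Racoon is KAME's IKE daemon.
        When negotiating IPSec connections, Racoon does not validate X.509 certificates correctly; a remote attacker can exploit this to forge a certificate and access the IPSec VPN.
        racoon validates certificates with eay_check_x509cert(), and eay_check_x509cert() installs the following verification callback:
         static int
         cb_check_cert(ok, ctx)
                 int ok;
                 X509_STORE_CTX *ctx;
         {
                 char buf[256];
                 int log_tag;

                 if (!ok) {      /* OpenSSL reported a verification failure */
                         [..]
                         switch (ctx->error) {
                         case X509_V_ERR_CERT_HAS_EXPIRED:
                         case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
         #if OPENSSL_VERSION_NUMBER >= 0x00905100L
                         case X509_V_ERR_INVALID_CA:
                         case X509_V_ERR_PATH_LENGTH_EXCEEDED:
                         case X509_V_ERR_INVALID_PURPOSE:
         #endif
                                 ok = 1; /* failure overridden: certificate is accepted */
                                 log_tag = LLV_WARNING;
                                 break;
                         default:
                                 log_tag = LLV_ERROR;
                         }
                         [..]
                 }
                 ERR_clear_error();
                 return ok;
         }
        If OpenSSL reports an error because the certificate has expired, carries an improper CA signature, is self-signed, or has a certificate chain that is too long, racoon ignores the error, allows the improperly validated certificate to be used, and authorizes the connection to be established. An unauthorized user can forge a certificate and connect to the IPSec VPNs.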
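
Added example (not part of the original record or of the racoon source): a self-contained model of the callback's decision logic next to a strict variant that never turns a failure into success. The `V_*` codes, `cb_permissive`, `cb_strict` and `accepted_failures` are hypothetical names standing in for OpenSSL's `X509_V_ERR_*` values, and the strict variant is an assumption about a safe policy, not the text of the vendor fix.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for OpenSSL's X509_V_ERR_* codes; the values are
 * arbitrary so the example builds without the OpenSSL headers. */
enum verr { V_OK, V_EXPIRED, V_SELF_SIGNED, V_INVALID_CA, V_PATH_LEN,
            V_INVALID_PURPOSE, V_SIGNATURE_FAILURE };

/* Decision logic of the callback shown above: five kinds of failure are
 * turned back into success by setting ok = 1. */
static int cb_permissive(int ok, enum verr error)
{
    if (!ok) {
        switch (error) {
        case V_EXPIRED: case V_SELF_SIGNED: case V_INVALID_CA:
        case V_PATH_LEN: case V_INVALID_PURPOSE:
            ok = 1;
            break;
        default:
            break;
        }
    }
    return ok;
}

/* Strict variant (assumed policy): the callback may log the error, but the
 * verdict from the library is returned unchanged. */
static int cb_strict(int ok, enum verr error)
{
    (void)error;
    return ok;
}

/* Count how many failed verifications in a constructed sample get accepted. */
static size_t accepted_failures(int (*cb)(int, enum verr))
{
    static const enum verr sample[] = { V_EXPIRED, V_SELF_SIGNED, V_INVALID_CA,
        V_PATH_LEN, V_INVALID_PURPOSE, V_SIGNATURE_FAILURE };
    size_t i, n = 0;
    for (i = 0; i < sizeof sample / sizeof sample[0]; i++)
        if (cb(0, sample[i]))   /* ok == 0: the library already said "invalid" */
            n++;
    return n;
}

int main(void)
{
    printf("permissive: %zu of 6 failures accepted, strict: %zu\n",
           accepted_failures(cb_permissive), accepted_failures(cb_strict));
    return 0;
}
```

When auditing other code that installs an OpenSSL verify callback, the pattern to look for is the same: any path that assigns a non-zero value to `ok` after the library has passed in `ok == 0`.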
        

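- CVSS (Base Score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)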

cpe:/a:ipsec-tools:ipsec-tools:0.3_rc1
cpe:/a:ipsec-tools:ipsec-tools:0.3_rc2
cpe:/o:redhat:enterprise_linux:3.0::enterprise_server
cpe:/a:ipsec-tools:ipsec-tools:0.3_rc5
cpe:/a:ipsec-tools:ipsec-tools:0.3
cpe:/a:ipsec-tools:ipsec-tools:0.3_rc3
cpe:/a:ipsec-tools:ipsec-tools:0.3_rc4
cpe:/o:redhat:enterprise_linux:3.0::advanced_servers
cpe:/a:kame:racoon
cpe:/a:kame:racoon:2004-04-07b
cpe:/a:ipsec-tools:ipsec-tools:0.3.2
cpe:/a:ipsec-tools:ipsec-tools:0.3.1
cpe:/o:redhat:enterprise_linux:3.0::workstation
cpe:/a:kame:racoon:2004-04-05
cpe:/o:redhat:enterprise_linux_desktop:3.0 (Red Hat Desktop 3.0)
cpe:/a:kame:racoon:2003-07-11
cpe:/a:kame:racoon:2004-05-03

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:9163 The eay_check_x509cert function in KAME Racoon successfully verifies certificates even when OpenSSL validation fails, which could allow remo...
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definitions.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0607
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0607
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-046
(Official data source) CNNVD

- Other Links and Resources

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.10/SCOSA-2005.10.txt
(UNKNOWN)  SCO  SCOSA-2005.10
http://marc.info/?l=bugtraq&m=108726102304507&w=2
(UNKNOWN)  BUGTRAQ  20040614 authentication bug in KAME's racoon
http://marc.info/?l=bugtraq&m=108731967126033&w=2
(UNKNOWN)  BUGTRAQ  20040615 Re: authentication bug in KAME's racoon
http://security.gentoo.org/glsa/glsa-200406-17.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200406-17
http://securitytracker.com/id?1010495
(UNKNOWN)  SECTRACK  1010495
http://sourceforge.net/project/shownotes.php?release_id=245982
(UNKNOWN)  CONFIRM  http://sourceforge.net/project/shownotes.php?release_id=245982
http://www.redhat.com/support/errata/RHSA-2004-308.html
(UNKNOWN)  REDHAT  RHSA-2004:308
http://www.securityfocus.com/bid/10546
(VENDOR_ADVISORY)  BID  10546
http://xforce.iss.net/xforce/xfdb/16414
(VENDOR_ADVISORY)  XF  racoon-eaycheckx509cert-auth-bypass(16414)

- Vulnerability Information

KAME Racoon IDE Daemon X.509 Improper Certificate Verification Vulnerability
Critical  Access validation error
2004-12-06 00:00:00 2005-10-20 00:00:00
Remote
        
        

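- Advisories and Patches

        Vendor patch:
        IPsec-Tools
        -----------
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        IPsec-Tools Upgrade ipsec-tools-0.3.3.tar.gz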
        
        http://prdownloads.sourceforge.net/ipsec-tools/ipsec-tools-0.3.3.tar.gz?download

- Vulnerability Information

7113
KAME Racoon X.509 Invalid Certificate Validation
Remote / Network Access Authentication Management, Cryptographic
Loss of Confidentiality
Vendor Verified

- Vulnerability Description

KAME Racoon contains a flaw that may allow a malicious user to use an invalid X509 certificate. The issue is triggered when the "eay_check_x509cert" function is invoked. It is possible that the flaw may allow invalid certificates to be accepted, allowing an attacker to access private resources.

- Timeline

2004-06-14 2004-06-14
Unknown Unknown

- Solution

Upgrade to version 20040615 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author

- Vulnerability Information

KAME Racoon IDE Daemon X.509 Improper Certificate Verification Vulnerability
Access Validation Error 10546
Yes No
2004-06-14 12:00:00 2007-02-16 07:37:00
This issue was reported by Thomas Walpuski <thomas-bugtraq@unproved.org>.

- Affected Program Versions

SGI Advanced Linux Environment 3.0
SCO Unixware 7.1.4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 3
RedHat Desktop 3.0
Red Hat Enterprise Linux AS 3
KAME Racoon 20040503
KAME Racoon 20040407b
KAME Racoon 20040405
KAME Racoon 20030711
+ FreeBSD FreeBSD 4.9
KAME Racoon
+ FreeBSD FreeBSD 4.9
+ NetBSD NetBSD 1.6.1
+ NetBSD NetBSD 1.6
IPsec-Tools IPsec-Tools 0.3.2
IPsec-Tools IPsec-Tools 0.3.1
IPsec-Tools IPsec-Tools 0.3 rc5
IPsec-Tools IPsec-Tools 0.3 rc4
IPsec-Tools IPsec-Tools 0.3 rc3
IPsec-Tools IPsec-Tools 0.3 rc2
IPsec-Tools IPsec-Tools 0.3 rc1
IPsec-Tools IPsec-Tools 0.3
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.2.8
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.2.8
IPsec-Tools IPsec-Tools 0.3.3
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32

- Unaffected Program Versions

IPsec-Tools IPsec-Tools 0.3.3
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32

- Vulnerability Discussion

Racoon improperly validates X.509 certificates when negotiating IPSec connections.

When checking certificate validity, Racoon ignores many errors from OpenSSL and grants access to invalid certificates.

When ignoring these errors, Racoon allows improper certificates to be used when authenticating connections.

This vulnerability could allow attackers to forge certificates and potentially gain access to IPSec VPNs. This would also effectively make all certificates permanent.

It is unknown which versions of Racoon are vulnerable at this time.

- Exploit

No exploit is required.

- Solution

Reportedly, this issue has been fixed in the Linux port of Racoon distributed with IPsec-tools.

Please see the referenced advisories for more information.


Apple Mac OS X 10.2.8

Apple Mac OS X Server 10.2.8

Apple Mac OS X Server 10.3.4

Apple Mac OS X 10.3.4

Apple Mac OS X Server 10.3.5

Apple Mac OS X 10.3.5

SCO Unixware 7.1.4

- Related References

 

 
