KAME Racoon Malformed Message SA Deletion Vulnerability

Vulnerability Details


Vulnerability Summary

racoon is KAME's IKE daemon.
racoon has a security flaw that a remote attacker can exploit to delete IPsec SAs without authorization.
When racoon receives a Delete message carrying the initiator cookie of a main/aggressive/base mode exchange for which no ISAKMP security association (SA) has been established, it lets an attacker delete all IPsec (and ISAKMP) SAs without authorization.
Likewise, an INITIAL-CONTACT request message, which requires no Hash payload, can be used to delete all IPsec SAs associated with the destination address.
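The checks a fixed daemon applies to an Informational exchange, as an added example (not code from this page, from the KAME project or from CNNVD): a Python model that rejects a Delete payload when no Hash payload precedes it, when the ISAKMP SA is not yet established, or when HASH(1) does not verify over the payload that follows. Payload and exchange numbers are the RFC 2408 values; the SKEYID_a key, cookies, SPI and the choice of HMAC-SHA1 as the prf are constructed assumptions.

```python
import hashlib
import hmac
import struct
from collections import namedtuple
# Payload/exchange numbers are the real RFC 2408 values; keys, cookies and SPIs are constructed.
NPTYPE_NONE, NPTYPE_HASH, NPTYPE_DELETE = 0, 8, 12
EXCH_INFORMATIONAL = 5
HDR = "!8s8sBBBB4sI"  # i-cookie, r-cookie, next payload, version, exchange, flags, msgid, length
GEN = "!BBH"          # generic payload header: next payload, reserved, payload length
# Stand-in for racoon's ph1handle: the prf key plus an analogue of PHASE1ST_ESTABLISHED.
Phase1 = namedtuple("Phase1", "skeyid_a established")
# Constructed Delete payload: DOI, protocol (ESP), SPI size 4, one SPI, then the SPI bytes.
DELETE_BODY = b"\x00\x00\x00\x01\x03\x04\x00\x01\xde\xad\xbe\xef"
DELETE_PAYLOAD = struct.pack(GEN, NPTYPE_NONE, 0, 4 + len(DELETE_BODY)) + DELETE_BODY

def hash1(ph1, msgid, payload):
    """HASH(1) = prf(SKEYID_a, M-ID | N/D) per RFC 2409, with HMAC-SHA1 assumed as the prf."""
    return hmac.new(ph1.skeyid_a, msgid + payload, hashlib.sha1).digest()

def build_informational(ph1, msgid, delete_payload, with_hash):
    """Build a test Informational message, with or without the HASH(1) payload in front."""
    body = delete_payload
    if with_hash:
        h = hash1(ph1, msgid, delete_payload)
        body = struct.pack(GEN, NPTYPE_DELETE, 0, 4 + len(h)) + h + delete_payload
    first = NPTYPE_HASH if with_hash else NPTYPE_DELETE
    return struct.pack(HDR, b"\x11" * 8, b"\x22" * 8, first, 0x10,
                       EXCH_INFORMATIONAL, 0, msgid, 28 + len(body)) + body

def accept_informational(ph1, msg):
    """Return (accepted, reason), applying the checks the patched racoon performs."""
    hdr = struct.unpack(HDR, msg[:28]) if len(msg) >= 32 else None
    if hdr is None or hdr[4] != EXCH_INFORMATIONAL or hdr[7] != len(msg):
        return False, "malformed informational message"
    np, msgid = hdr[2], hdr[6]
    if np != NPTYPE_HASH:            # the unauthenticated path the unpatched daemon accepted
        return False, "no hash payload"
    if not ph1.established:          # no SKEYID_a yet, so the message cannot be authenticated
        return False, "ISAKMP-SA not established"
    _, _, gen_len = struct.unpack(GEN, msg[28:32])
    nd = msg[28 + gen_len:]          # payload following HASH (the Delete or Notify)
    nd_len = struct.unpack(GEN, nd[:4])[2] if len(nd) >= 4 else 0
    if nd_len < 4 or nd_len > len(nd):
        return False, "too long payload length (broken message?)"
    expected = hash1(ph1, msgid, nd[:nd_len])
    received = msg[32:28 + gen_len]
    if len(received) != len(expected) or not hmac.compare_digest(received, expected):
        return False, "hash mismatch"
    return True, "hash validated"
```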

Vulnerability Bulletin

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:

* The IIJ SEIL team provides the following patch:

Index: isakmp_inf.c

===================================================================

RCS file: /cvsroot/kame/kame/kame/kame/racoon/isakmp_inf.c,v

retrieving revision 1.82

diff -u -r1.82 isakmp_inf.c

— isakmp_inf.c 13 Nov 2003 02:30:20 -0000 1.82

+++ isakmp_inf.c 14 Jan 2004 09:14:31 -0000

@@ -136,10 +136,81 @@

isakmp = (struct isakmp *)msg->v;

gen = (struct isakmp_gen *)((caddr_t)isakmp + sizeof(struct isakmp));

– if (isakmp->np == ISAKMP_NPTYPE_HASH)

– np = gen->np;

– else

– np = isakmp->np;

+

+ if (isakmp->np != ISAKMP_NPTYPE_HASH) {

+ plog(LLV_ERROR, LOCATION, NULL,

+ “ignore information because the message has no hash payload.\n”);

+ goto end;

+ }

+

+ if (iph1->status != PHASE1ST_ESTABLISHED) {

+ plog(LLV_ERROR, LOCATION, NULL,

+ “ignore information because ISAKMP-SA has not been established yet.\n”);

+ goto end;

+ }

+

+ np = gen->np;

+

+ {

+ void *p;

+ vchar_t *hash, *payload;

+ struct isakmp_gen *nd;

+

+ /*

+ * XXX: gen->len includes isakmp header length

+ */

+ p = (caddr_t) gen + sizeof(struct isakmp_gen);

+ nd = (struct isakmp_gen *) ((caddr_t) gen + gen->len);

+

+ /* nd length check */

+ if (nd->len > msg->l – (sizeof(struct isakmp) + gen->len)) {

+ plog(LLV_ERROR, LOCATION, NULL,

+ “too long payload length (broken message?)\n”);

+ goto end;

+ }

+

+ payload = vmalloc(nd->len);

+ if (payload == NULL) {

+ plog(LLV_ERROR, LOCATION, NULL,

+ “cannot allocate memory\n”);

+ goto end;

+ }

+

+ memcpy(payload->v, (caddr_t) nd, nd->len);

+

+ /* compute HASH */

+ hash = oakley_compute_hash1(iph1, isakmp->msgid, payload);

+ if (hash == NULL) {

+ plog(LLV_ERROR, LOCATION, NULL,

+ “cannot compute hash\n”);

+

+ vfree(payload);

+ goto end;

+ }

+

+ if (gen->len – sizeof(struct isakmp_gen) != hash->l) {

+ plog(LLV_ERROR, LOCATION, NULL,

+ “ignore information due to hash length mismatch\n”);

+

+ vfree(hash);

+ vfree(payload);

+ goto end;

+ }

+

+ if (memcmp(p, hash->v, hash->l) != 0) {

+ plog(LLV_ERROR, LOCATION, NULL,

+ “ignore information due to hash mismatch\n”);

+

+ vfree(hash);

+ vfree(payload);

+ goto end;

+ }

+

+ plog(LLV_DEBUG, LOCATION, NULL, “hash validated.\n”);

+

+ vfree(hash);

+ vfree(payload);

+ }

/* make sure the packet were encrypted. */

if (!encrypted) {
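Review bot: nd is dereferenced before gen->len is bounded. `nd = (struct isakmp_gen *) ((caddr_t) gen + gen->len);` is followed by the read of `nd->len` in the length check, but nothing in the hunk verifies that `gen->len` (plus sizeof(struct isakmp)) fits within `msg->l` or that it is at least sizeof(struct isakmp_gen), so a hash payload with an oversized length field makes the length check itself read past the message buffer. Bound gen->len against `msg->l - sizeof(struct isakmp)` and reject values below sizeof(struct isakmp_gen) before computing nd; the later `gen->len - sizeof(struct isakmp_gen) != hash->l` comparison also depends on that lower bound to avoid unsigned wrap-around.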
Vendor patch:
Thomas Walpuski
—————
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:

http://packages.debian.org/unstable/net/racoon.html

References

Source: BUGTRAQ
Name: 20040114 Re: unauthorized deletion of IPsec (and ISAKMP) SAs in racoon
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=107411758202662&w=2

Source: XF
Name: openbsd-isakmp-initialcontact-delete-sa(14118)
Link: http://xforce.iss.net/xforce/xfdb/14118

Source: XF
Name: openbsd-isakmp-invalidspi-delete-sa(14117)
Link: http://xforce.iss.net/xforce/xfdb/14117

Source: BID
Name: 9417
Link: http://www.securityfocus.com/bid/9417

Source: OVAL
Name: oval:org.mitre.oval:def:9737
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9737

Source: APPLE
Name: APPLE-SA-2004-02-23
Link: http://lists.apple.com/archives/security-announce/2004/Feb/msg00000.html

Source: NETBSD
Name: NetBSD-SA2004-001
Link: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-001.txt.asc

Source: BID
Name: 9416
Link: http://www.securityfocus.com/bid/9416

Source: BUGTRAQ
Name: 20040113 unauthorized deletion of IPsec (and ISAKMP) SAs in racoon
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=107403331309838&w=2

Source: US Government Resource: oval:org.mitre.oval:def:947
Name: oval:org.mitre.oval:def:947
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:947

Affected Entities
