NetBSD Security Advisory 2008-012
=================================

Topic:          Denial of service issues in racoon(8)

Version:        NetBSD-current:    affected
                NetBSD 4.0:        affected
                NetBSD 3.1.*:      not affected
                NetBSD 3.1:        not affected
                NetBSD 3.0.*:      not affected
                NetBSD 3.0:        not affected

Severity:       Denial of service

Fixed:          NetBSD-current:    August 12, 2008
                NetBSD-4-0 branch: August 18, 2008 (4.0.1 will include the fix)
                NetBSD-4 branch:   August 18, 2008 (4.1 will include the fix)
                pkgsrc:            ipsec-tools-0.7.1 corrects the issue

Abstract
========

Currently racoon(8) does not remove orphaned invalid connections initiated by a
remote peer. As a result, a potential denial of service can occur.

This vulnerability has been assigned CVE-2008-3652.

Technical Details
=================

When racoon(8) receives an invalid packet from a peer, it keeps the ph1handle
and expects the peer to resend a valid packet. If the peer's invalid packet is
the first exchange (typically an SA exchange with no valid proposal), the
freshly created ph1handle will never be removed, which is in fact a memory
leak.

A legitimate peer with an invalid configuration, or an attacker, that sends SA
exchanges with no valid proposal can create a denial of service if it can
generate enough ph1handles: racoon slows down every time it searches for a
ph1handle, and may eventually run out of memory.

Solutions and Workarounds
=========================

Only kernels compiled with the following option are vulnerable to this issue:

        options IPSEC

As a temporary workaround, recompile the kernel with the above option commented
out. The default NetBSD GENERIC kernels do not have this option enabled. In
addition, the system must be running the racoon(8) daemon, which is not enabled
by default.

An additional workaround is to add filtering rules to ensure only legitimate
peers can send IKE exchanges (port 500/udp).
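The ph1handle lifecycle from Technical Details, as an added example that is not part of this advisory or of racoon's source: a minimal C model of a ph1handle table showing the vulnerable path (a freshly created handle is kept when the first exchange carries no acceptable proposal) beside the corrected one. The table type, the cookie field and the helper names are assumptions made for illustration.

```c
/* Simplified model of the ph1handle lifecycle described above. This is added
 * illustrative code, not racoon's; the table, cookie and helper names are assumed. */
#include <stdlib.h>

struct ph1handle {
    unsigned long cookie;   /* initiator cookie, new for every first exchange */
    int established;        /* set once an acceptable SA proposal was seen */
    struct ph1handle *next;
};
struct ph1table { struct ph1handle *head; size_t count; };

static struct ph1handle *ph1_new(struct ph1table *t, unsigned long cookie) {
    struct ph1handle *h = calloc(1, sizeof *h);
    if (h == NULL) return NULL;
    h->cookie = cookie;
    h->next = t->head;
    t->head = h;
    t->count++;
    return h;
}
static void ph1_remove(struct ph1table *t, struct ph1handle *h) {
    for (struct ph1handle **pp = &t->head; *pp != NULL; pp = &(*pp)->next)
        if (*pp == h) { *pp = h->next; free(h); t->count--; return; }
}
size_t ph1_count(const struct ph1table *t) { return t->count; }
void ph1_table_free(struct ph1table *t) { while (t->head) ph1_remove(t, t->head); }

/* Process a peer's first SA exchange. proposal_ok models whether the proposal
 * matched a configured one; fixed selects the corrected behaviour.
 * Returns 1 if a ph1handle remains after processing, 0 if it was freed. */
int isakmp_first_exchange(struct ph1table *t, unsigned long cookie,
                          int proposal_ok, int fixed) {
    struct ph1handle *h = ph1_new(t, cookie);   /* freshly created for this packet */
    if (h == NULL) return 0;
    if (proposal_ok) { h->established = 1; return 1; }
    if (!fixed) return 1;   /* vulnerable: keep it, waiting for a valid resend (leak) */
    ph1_remove(t, h);       /* fixed: the orphaned handle is dropped immediately */
    return 0;
}

/* Feed n rejected first exchanges (distinct cookies) into a fresh table and
 * return how many ph1handles are left behind. */
size_t leftover_after_rejects(unsigned long n, int fixed) {
    struct ph1table t = { NULL, 0 };
    for (unsigned long c = 1; c <= n; c++) isakmp_first_exchange(&t, c, 0, fixed);
    size_t left = ph1_count(&t);
    ph1_table_free(&t);
    return left;
}
```

With the vulnerable path every rejected first exchange leaves one handle behind, so the table (and the linear search over it) grows without bound; the fixed path leaves none.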
The following instructions describe how to upgrade your ipsec-tools binaries by
updating your source tree and rebuilding and installing a new version of
ipsec-tools.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2008-08-12 should be
        upgraded to NetBSD-current dated 2008-08-13 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):

                crypto/dist/ipsec-tools/src/racoon/isakmp.c

        To update from CVS, re-build, and re-install ipsec-tools:

                # cd src
                # cvs update crypto/dist/ipsec-tools/src/racoon/isakmp.c
                # cd usr.sbin/racoon
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before 2008-08-18 should
        be upgraded from NetBSD 4.* sources dated 2008-08-19 or later.

        The following files/directories need to be updated from the netbsd-4
        or netbsd-4-0 branches:

                crypto/dist/ipsec-tools

        To update from CVS, re-build, and re-install ipsec-tools (use
        -r netbsd-4-0 instead of -r netbsd-4 on the netbsd-4-0 branch):

                # cd src
                # cvs update -r netbsd-4 -d -P crypto/dist/ipsec-tools
                # cd lib/libipsec
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../sbin/setkey
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../usr.sbin/racoon
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

Thanks To
=========

Yvan Vanhullebus for the patches and technical feedback on the issue.

Revision History
================

        2008-09-15      Initial release
        2008-09-15      Clarify abstract and add Thanks To section

More Information
================

Advisories may be updated as new information becomes available. The most
recent version of this advisory (PGP signed) can be found at
        ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-012.txt.asc

Information about NetBSD and NetBSD security can be found at
        http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2008, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2008-012.txt,v 1.2 2008/09/15 22:18:43 adrianp Exp $