Gentoo Logo

IPSec Tools: Denial of Service


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200905-03 / ipsec-tools
Release Date May 24, 2009
Latest Revision May 24, 2009: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-firewall/ipsec-tools < 0.7.2 >= 0.7.2 All supported architectures

Related bugreports: #267135


Multiple errors in the IPSec Tools racoon daemon might allow remote attackers to cause a Denial of Service.

2.  Impact Information


The IPSec Tools are a port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation. They include racoon, an Internet Key Exchange daemon for automatically keying IPsec connections.


The following vulnerabilities have been found in the racoon daemon as shipped with IPSec Tools:

  • Neil Kettle reported that racoon/isakmp_frag.c is prone to a null-pointer dereference (CVE-2009-1574).
  • Multiple memory leaks exist in (1) the eay_check_x509sign() function in racoon/crypto_openssl.c and (2) racoon/nattraversal.c (CVE-2009-1632).


A remote attacker could send specially crafted fragmented ISAKMP packets without a payload or exploit vectors related to X.509 certificate authentication and NAT traversal, possibly resulting in a crash of the racoon daemon.

3.  Resolution Information


There is no known workaround at this time.


All IPSec Tools users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-firewall/ipsec-tools-0.7.2"

4.  References


Page updated May 24, 2009

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.