Gentoo Logo

IPSec Tools: Denial of Service

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200905-03 / ipsec-tools
Release Date May 24, 2009
Latest Revision May 24, 2009: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-firewall/ipsec-tools < 0.7.2 >= 0.7.2 All supported architectures

Related bugreports: #267135

Synopsis

Multiple errors in the IPSec Tools racoon daemon might allow remote attackers to cause a Denial of Service.

2.  Impact Information

Background

The IPSec Tools are a port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation. They include racoon, an Internet Key Exchange daemon for automatically keying IPsec connections.

Description

The following vulnerabilities have been found in the racoon daemon as shipped with IPSec Tools:

  • Neil Kettle reported that racoon/isakmp_frag.c is prone to a null-pointer dereference (CVE-2009-1574).
  • Multiple memory leaks exist in (1) the eay_check_x509sign() function in racoon/crypto_openssl.c and (2) racoon/nattraversal.c (CVE-2009-1632).

Impact

A remote attacker could send specially crafted fragmented ISAKMP packets without a payload or exploit vectors related to X.509 certificate authentication and NAT traversal, possibly resulting in a crash of the racoon daemon.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All IPSec Tools users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-firewall/ipsec-tools-0.7.2"

4.  References

Print

Page updated May 24, 2009

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.