{"vuid":"VU#459371","idnumber":"459371","name":"Multiple IPsec implementations do not adequately validate authentication data","keywords":["IPsec","length of auth data","Encapsulating Security Payload","ESP","packet","signed","int","authentication data","integer overflow","unsigned","AH","header","ICV"],"overview":"IPsec implementations from multiple vendors do not adequately validate the authentication data in IPsec packets, exposing vulnerable systems to a denial of service.","clean_desc":"For background: RFC 2401 Security Architecture for the Internet Protocol\nRFC 2402 IP Authentication Header\nRFC 2406 IP Encapsulating Security Payload\nIPsec supports integrity and authentication for IP traffic by including a cryptographic checksum in each IPsec datagram. This authentication data is compared to the Integrity Check Value (ICV) that is calculated by the recipient. If the values match, the datagram is considered valid. BindView RAZOR has reported a vulnerability that exists in KAME (FreeBSD, NetBSD), FreeS/WAN (Linux), and possibly other IPsec implementations. While processing an IPsec datagram, vulnerable implementations do not properly calculate the length of the authentication data field for very small datagrams, resulting in an unsigned integer overflow. The ICV is then calculated for an overly large range of memory, which could cause a kernel panic on vulnerable systems. KAME, FreeBSD, and NetBSD are vulnerable due to the way they handle Encapsulating Security Payload (ESP) datagrams.","impact":"A remote attacker could crash a vulnerable system with a specially crafted IPsec packet. The attacker would need to supply the source and destination IP addresses, the Security Parameters Index (SPI), and a suitably large sequence number. All of this information is transmitted in plain text.","resolution":"Upgrade or Apply a Patch Upgrade or apply a patch as specified by your vendor(s).","workarounds":"Restrict Access When possible, restrict access to IPsec hosts and gateways. Note that this will not prevent attacks, it will only limit the number of potential sources.","sysaffected":"","thanks":"The CERT/CC thanks Todd Sabin of BindView \nRAZOR\n for discovering and reporting this issue.","author":"This document was written by Art Manion.","public":["http://razor.bindview.com/publish/advisories/adv_ipsec.html","http://www.ietf.org/rfc/rfc2401.txt","http://www.ietf.org/rfc/rfc2402.txt","http://www.ietf.org/rfc/rfc2406.txt"],"cveids":["CVE-2002-0666"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-08-15T15:14:35Z","publicdate":"2002-10-17T00:00:00Z","datefirstpublished":"2002-10-17T21:55:11Z","dateupdated":"2003-01-06T21:56:35Z","revision":24,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"1","cam_exploitation":"0","cam_internetinfrastructure":"8","cam_population":"17","cam_impact":"8","cam_easeofexploitation":"14","cam_attackeraccessrequired":"16","cam_scorecurrent":"5.1408","cam_scorecurrentwidelyknown":"15.9936","cam_scorecurrentwidelyknownexploited":"27.4176","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":5.1408,"vulnote":null}