KAME Racoon 畸形消息删除SA漏洞

发布日期:2004-01-13
更新日期:2004-01-24

受影响系统:
Thomas Walpuski racoon 1.60
不受影响系统:
Thomas Walpuski racoon 1.61
描述:
BUGTRAQ  ID: 9416
CVE(CAN) ID: CVE-2004-0164

racoon是KAME的IKE守护程序。

racoon存在安全问题,远程攻击者可以利用这个漏洞未授权删除IPsec的SAs。

当racoon接收到一条删除(Delete)消息,而该消息初始cookie所对应的main/aggressive/base模式ISAKMP安全关联(SA)尚未建立时,racoon仍会处理该消息,使攻击者可以未经授权删除所有IPsec(以及ISAKMP)SA。

同样,不带Hash负载的INITIAL-CONTACT通知消息也会被接受,可用于删除与目的地址相关的所有IPsec SA。

<*来源:Thomas Walpuski (thomas@thinknerd.de)
  
  链接:http://marc.theaimsgroup.com/?l=bugtraq&m=107403331309838&w=2
        http://marc.theaimsgroup.com/?l=bugtraq&m=107411758202662&w=2
*>

建议:
临时解决方法:

如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:

* IIJ SEIL team提供如下补丁方案:

Index: isakmp_inf.c
===================================================================
RCS file: /cvsroot/kame/kame/kame/kame/racoon/isakmp_inf.c,v
retrieving revision 1.82
diff -u -r1.82 isakmp_inf.c
--- isakmp_inf.c    13 Nov 2003 02:30:20 -0000    1.82
+++ isakmp_inf.c    14 Jan 2004 09:14:31 -0000
@@ -136,10 +136,81 @@

    isakmp = (struct isakmp *)msg->v;
    gen = (struct isakmp_gen *)((caddr_t)isakmp + sizeof(struct isakmp));
-    if (isakmp->np == ISAKMP_NPTYPE_HASH)
-        np = gen->np;
-    else
-        np = isakmp->np;
+
+    if (isakmp->np != ISAKMP_NPTYPE_HASH) {
+        plog(LLV_ERROR, LOCATION, NULL,
+            "ignore information because the message has no hash payload.\n");
+        goto end;
+    }
+
+    if (iph1->status != PHASE1ST_ESTABLISHED) {
+        plog(LLV_ERROR, LOCATION, NULL,
+            "ignore information because ISAKMP-SA has not been established yet.\n");
+        goto end;
+    }
+
+    np = gen->np;
+
+    {
+        void *p;
+        vchar_t *hash, *payload;
+        struct isakmp_gen *nd;
+
+        /*
+         * XXX: gen->len includes isakmp header length
+         */
+        p = (caddr_t) gen + sizeof(struct isakmp_gen);
+        nd = (struct isakmp_gen *) ((caddr_t) gen + gen->len);
+
+        /* nd length check */
+        if (nd->len > msg->l - (sizeof(struct isakmp) + gen->len)) {
+            plog(LLV_ERROR, LOCATION, NULL,
+                 "too long payload length (broken message?)\n");
+            goto end;
+        }
+
+        payload = vmalloc(nd->len);
+        if (payload == NULL) {
+            plog(LLV_ERROR, LOCATION, NULL,
+                "cannot allocate memory\n");
+            goto end;
+        }
+
+        memcpy(payload->v, (caddr_t) nd, nd->len);
+
+        /* compute HASH */
+        hash = oakley_compute_hash1(iph1, isakmp->msgid, payload);
+        if (hash == NULL) {
+            plog(LLV_ERROR, LOCATION, NULL,
+                "cannot compute hash\n");
+
+            vfree(payload);
+            goto end;
+        }
+        
+        if (gen->len - sizeof(struct isakmp_gen) != hash->l) {
+            plog(LLV_ERROR, LOCATION, NULL,
+                "ignore information due to hash length mismatch\n");
+
+            vfree(hash);
+            vfree(payload);
+            goto end;
+        }
+
+        if (memcmp(p, hash->v, hash->l) != 0) {
+            plog(LLV_ERROR, LOCATION, NULL,
+                "ignore information due to hash mismatch\n");
+
+            vfree(hash);
+            vfree(payload);
+            goto end;
+        }
+
+        plog(LLV_DEBUG, LOCATION, NULL, "hash validated.\n");
+
+        vfree(hash);
+        vfree(payload);
+    }
        
    /* make sure the packet were encrypted. */
    if (!encrypted) {
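Review bot: The bounds check `if (nd->len > msg->l - (sizeof(struct isakmp) + gen->len))` dereferences `nd->len` before anything has confirmed that `gen->len` — a length taken from the peer's packet — keeps `nd` inside `msg`; with a large `gen->len` the pointer computed on the preceding line already points past the buffer, and the unsigned subtraction wraps so the comparison passes. Validate the HASH payload length first, e.g. `if (gen->len < sizeof(*gen) || sizeof(struct isakmp) + gen->len + sizeof(*nd) > msg->l) goto end;` with a matching `plog`, and also reject `nd->len < sizeof(*nd)` so a zero or short length cannot reach `vmalloc`/`memcpy`. If `gen->len` and `nd->len` are the raw 16-bit wire fields rather than values already converted to host order, every use of them in this hunk also needs `ntohs()`; I cannot tell from the hunk alone which it is. The enclosing function begins before this hunk, so any earlier header-size validation it performs is not visible here.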

厂商补丁:

Thomas Walpuski
---------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://packages.debian.org/unstable/net/racoon.html
