Openswan PROTOS ISAKMP Test Suite DoS attack

Published:
2005-11-14
Revision of advisory:
2005-11-15 1.0 Initial Release
2005-11-18 1.1 Update to reflect second DoS attack fix
Location:
http://www.niscc.gov.uk/niscc/docs/re-20051114-01014.pdf?lang=en
http://www.openswan.org/support/vuln/CVE-2005-3671
Response to NISCC
CVE:
CVE-2005-3671

Discovered by the PROTOS ISAKMP Test Suite for IKEv1; the details were withheld by NISCC until its public disclosure on 2005-11-14.

The PROTOS ISAKMP Test Suite for IKEv1 contains test cases that reproduce this denial of service by crashing the Openswan IKE daemon (pluto).

Affected system(s)

KNOWN VULNERABLE: Systems running any version of Openswan 2 prior to 2.4.4 that use Aggressive Mode with PSK authentication, where the attacker holds full Phase 1 credentials (e.g. the PSK). Aggressive Mode is disabled by default because of various security concerns.
  • openswan 2.x < 2.4.4

DESCRIPTION

The Internet Key Exchange version 1 (IKEv1) implementation in Openswan 2 (openswan-2) allows remote attackers to cause a denial of service via (1) a crafted packet that proposes 3DES with an invalid key length, or (2) unspecified inputs when Aggressive Mode is enabled and the PSK is known, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1.

ANALYSIS

No remote code execution is possible: the IKE daemon terminates in a controlled manner through an assertion failure, so the only effect is a denial of service (the daemon must be restarted).
Exploitation in the wild will be limited because Openswan must be compiled with USE_AGGRESSIVE=true, which is disabled by default.
In addition, the crash is reached only after an IKE Phase 1 Security Association (SA) has been established, which requires authentication with the shared key; an attacker without the PSK cannot trigger it, further reducing the impact of this vulnerability.
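Both trigger conditions named in the DESCRIPTION and ANALYSIS above (a 3DES transform carrying an invalid Key Length attribute, and an Aggressive Mode exchange proposing pre-shared-key authentication) are visible in the Phase 1 SA proposal before any cryptographic processing takes place. The following Python is an added example written for this advisory; it is not pluto's code and does not reproduce the crash. It shows the input validation a Phase 1 responder should apply: parse the ISAKMP header and the leading SA payload using the RFC 2408/2409 layouts, reject a Key Length attribute that contradicts the selected cipher, and report Aggressive Mode exchanges with PSK so a policy layer can drop them. The packet builder and the sample messages are constructed here for illustration; the attribute and exchange-type constants are the values assigned in RFC 2408, RFC 2409 Appendix A and RFC 3602.

```python
"""IKEv1 Phase 1 proposal sanity checks (RFC 2408/2409 layouts).
Added example for the Openswan CVE-2005-3671 advisory; not pluto's code.
Sample packets produced by build_sa_message() are constructed for this example."""
import struct

EXCH_MAIN, EXCH_AGGRESSIVE = 2, 4          # ISAKMP exchange types (RFC 2408)
PAYLOAD_NONE, PAYLOAD_SA = 0, 1            # payload type values used below
ATTR_ENC, ATTR_AUTH, ATTR_KEYLEN = 1, 3, 14  # SA attribute types (RFC 2409 App. A)
ENC_3DES_CBC, ENC_AES_CBC = 5, 7           # Encryption Algorithm values
AUTH_PSK = 1                               # Authentication Method: pre-shared key
# A fixed-size cipher may not negotiate any other key length; AES-CBC (RFC 3602)
# must carry exactly one of its three sizes.
FIXED_KEY_BITS = {ENC_3DES_CBC: 192}
VARIABLE_KEY_BITS = {ENC_AES_CBC: (128, 192, 256)}


class BadProposal(ValueError):
    """Raised for anything a responder should drop instead of processing."""


def parse_attributes(data):
    """Decode a transform's TV/TLV attribute list into {type: int value}."""
    attrs, off = {}, 0
    while off < len(data):
        if off + 4 > len(data):
            raise BadProposal("truncated attribute header")
        atype, lv = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:                  # AF=1: 16-bit value held in place
            attrs[atype & 0x7FFF] = lv
        else:                               # AF=0: lv is the length of the value
            if off + lv > len(data):
                raise BadProposal("truncated TLV attribute value")
            attrs[atype] = int.from_bytes(data[off:off + lv], "big")
            off += lv
    return attrs


def check_transform(attrs):
    """Reject Key Length attributes that are inconsistent with the cipher."""
    enc, keylen = attrs.get(ATTR_ENC), attrs.get(ATTR_KEYLEN)
    if enc in FIXED_KEY_BITS and keylen not in (None, FIXED_KEY_BITS[enc]):
        raise BadProposal("key length %r invalid for fixed-key cipher %d" % (keylen, enc))
    if enc in VARIABLE_KEY_BITS and keylen not in VARIABLE_KEY_BITS[enc]:
        raise BadProposal("key length %r invalid for cipher %d" % (keylen, enc))


def parse_sa_body(data):
    """Walk Proposal -> Transform payloads that follow the 8-byte DOI/Situation."""
    transforms, off = [], 8
    while off < len(data):
        if off + 8 > len(data):
            raise BadProposal("truncated proposal header")
        _, _, plen, _, _, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        if plen < 8 + spi_size or off + plen > len(data):
            raise BadProposal("bad proposal length")
        toff = off + 8 + spi_size
        for _ in range(ntrans):
            if toff + 8 > off + plen:
                raise BadProposal("truncated transform header")
            tlen = struct.unpack_from("!BBHBBH", data, toff)[2]
            if tlen < 8 or toff + tlen > off + plen:
                raise BadProposal("bad transform length")
            transforms.append(parse_attributes(data[toff + 8:toff + tlen]))
            toff += tlen
        off += plen
    return transforms


def inspect_message(pkt):
    """Validate the ISAKMP header and leading SA payload; return policy facts."""
    if len(pkt) < 28:
        raise BadProposal("short ISAKMP header")
    _, _, next_p, _, exch, _, _, length = struct.unpack_from("!8s8sBBBBII", pkt, 0)
    if length != len(pkt) or next_p != PAYLOAD_SA:
        raise BadProposal("length mismatch or message does not start with SA")
    plen = struct.unpack_from("!BBH", pkt, 28)[2]
    if plen < 12 or 28 + plen > len(pkt):
        raise BadProposal("bad SA payload length")
    transforms = parse_sa_body(pkt[32:28 + plen])
    if not transforms:
        raise BadProposal("SA payload offers no transforms")
    for attrs in transforms:
        check_transform(attrs)
    return {"aggressive": exch == EXCH_AGGRESSIVE,
            "psk": any(a.get(ATTR_AUTH) == AUTH_PSK for a in transforms),
            "transforms": len(transforms)}


def is_rejected(pkt):
    """True when inspect_message() would drop the packet."""
    try:
        inspect_message(pkt)
        return False
    except BadProposal:
        return True


def _tv(atype, value):
    return struct.pack("!HH", 0x8000 | atype, value)   # TV-encoded attribute


def build_sa_message(exch, enc, auth, keylen=None):
    """Constructed sample: one ISAKMP proposal with one KEY_IKE transform."""
    attrs = _tv(ATTR_ENC, enc) + _tv(ATTR_AUTH, auth)
    if keylen is not None:
        attrs += _tv(ATTR_KEYLEN, keylen)
    trans = struct.pack("!BBHBBH", PAYLOAD_NONE, 0, 8 + len(attrs), 1, 1, 0) + attrs
    prop = struct.pack("!BBHBBBB", PAYLOAD_NONE, 0, 8 + len(trans), 1, 1, 0, 1) + trans
    sa = struct.pack("!BBHII", PAYLOAD_NONE, 0, 12 + len(prop), 1, 1) + prop  # DOI, SIT
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\0" * 8, PAYLOAD_SA, 0x10,
                      exch, 0, 0, 28 + len(sa))
    return hdr + sa
```

A Main Mode 3DES/PSK proposal with no Key Length (or one of 192) passes; the same proposal with a Key Length of 64 is rejected before any SA state is created, which is the point at which the unpatched daemon asserted. Aggressive Mode with PSK is not itself malformed, so inspect_message() reports it rather than dropping it and leaves that decision to configuration policy.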

WORKAROUND

Disable Aggressive Mode, especially in combination with PSK authentication. In ipsec.conf this is the per-connection aggrmode option, whose default is no; leaving Openswan built without USE_AGGRESSIVE=true removes the code path entirely. Upgrading to openswan-2.4.4 or later fixes both attacks.

DISCLOSURE TIMELINE

2005-08-31  Initial NISCC warning about possible issue without any details
2005-09-01  Vendor response requesting information. No information released by NISCC.
2005-11-14  Public disclosure by NISCC without prior vendor warning
2005-11-14  Initial vendor fix by releasing openswan-2.4.2 which fixes problem (1)
2005-11-18  Second vendor fix by releasing openswan-2.4.4 which fixes problem (2)

   Xelerance Corporation
   Email:  vuln@xelerance.com
   Web:    http://www.xelerance.com/
   Phone:  +1 905 257 3392

Sponsored by:
Xelerance
© 2003-2006 Xelerance Corporation