Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] Isakmp vulnerability again



Analysis of the Dailydave posts shows that not all potentially affected vendors
were notified (open-source vendors were not notified) and that similar problems
may exist in their products, so it makes sense to use the toolkit, which has been
published after all (http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/),
to test the ISAKMP implementations in use (there is no information on KAME, which is
used in FreeBSD). It would also be interesting to know whether anyone has checked the
claim that Microsoft has no problems ;-)



-----------
Message: 1
Date: Mon, 14 Nov 2005 14:45:45 +0100 (CET)
From: Paul Wouters <paul@xxxxxxxxxxxxx>
Subject: [Dailydave] NISCC's culmination of sitting on an ISAKMP
        vulnerability for 4 months
To: dailydave@xxxxxxxxxxxxxxxxxxxxx
Message-ID: <Pine.LNX.4.63.0511141437190.17155@xxxxxxxxxxxxxxxxx>
Content-Type: TEXT/PLAIN; charset=US-ASCII



NISCC's achievement this time:

- do not release vulnerability information to open source vendors prior to
  release. Just tell them they cannot have the information for 4 months.
- try to postpone another 3 months, but getting their hands forced by CERT-FI
- do not list vendors impacted in their announcement.
- do not request a CVE.
- give the public absolutely no information on the vulnerability and
  whether they are impacted or need to urgently upgrade or not.

I sincerely hope NISCC's infrastructure somewhere, somehow, depends on a
Linux or BSD machine that will be DOSed by this, and their manager will soon
become their PM.

See how it impacted us:

http://lists.openswan.org/pipermail/announce/2005-November/000008.html

Morons,

Paul

--------------

[Announce] Openswan response to NISCC Vulnerability Advisory 273756/NISCC/ISAKMP
Paul Wouters paul at xelerance.com
Mon Nov 14 14:30:10 CET 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Vendor response of the Openswan project to the following advisory:

NISCC Vulnerability Advisory 273756/NISCC/ISAKMP
CVE number: Unknown. Not requested or disclosed by reporter

Since we did not have prior knowledge of this vulnerability, and have
been given access to the test kit, so far we have only been able to
partially analyse our IPsec implementation.

Versions of openswan-1 are (apparently) not vulnerable to this attack.

Versions of openswan-2 are (apparently) vulnerable to a Denial Of Service
attack in two known cases. One involves a crafted packet using 3DES
with an invalid key length. One other is still unknown to us because no
more information was provided. These two cases cannot be used to obtain
elevated privileges, since it is not possible to use these bugs to
execute arbitrary code. These attacks are caught within our "assertion
fail" verification code.

Today we have released openswan-2.4.2. This release fixes the 3DES related
Denial Of Service attack.

We *STRONGLY* encourage CERT-FI and/or NISCC to give us access to the
test kit if they are concerned about the second vulnerability and the
impact of this advisory on the wide install base of Openswan-2 if those
systems are left vulnerable to a DOS attack.

Openswan is the de facto IPsec software used on many Linux distributions,
such as RedHat Linux, Fedora Linux, Debian, SuSe / Novell, Mandrake and
many systems including embedded devices.

For further information, please see:

http://www.openswan.org/
http://www.niscc.gov.uk/niscc/docs/br-20051114-01013.html

Contact us at: security at xelerance.com

The Openswan team
Xelerance Corp.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

-----END PGP SIGNATURE-----
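
The 3DES case in the Openswan response above, sketched as an added example (not Openswan's code and not the actual 2.4.2 fix): a parser for IKEv1 transform attributes that rejects a Key Length attribute on a fixed-key cipher with an error return instead of reaching an assertion. The function name, return codes and sample bytes are assumptions made for illustration; the attribute numbers come from RFC 2409 and RFC 3602.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Attribute classes and cipher ids: RFC 2409 Appendix A; AES-CBC id: RFC 3602. */
enum { ATTR_ENCRYPTION = 1, ATTR_KEY_LENGTH = 14, ENC_3DES_CBC = 5, ENC_AES_CBC = 7 };
enum { PROPOSAL_OK = 0, PROPOSAL_MALFORMED = -1, PROPOSAL_BAD_KEYLEN = -2 };

/* Constructed sample attribute lists (hypothetical, not captured traffic). */
static const uint8_t TDES_PLAIN[]  = { 0x80, 0x01, 0x00, 0x05 };
static const uint8_t TDES_KEYLEN[] = { 0x80, 0x01, 0x00, 0x05, 0x80, 0x0e, 0x00, 0x40 };
static const uint8_t AES_128[]     = { 0x80, 0x01, 0x00, 0x07, 0x80, 0x0e, 0x00, 0x80 };
static const uint8_t TLV_OVERRUN[] = { 0x00, 0x0c, 0x00, 0x08, 0x00 };

/* Walk the data attributes of one transform (RFC 2408, section 3.3) and check
 * Key Length against the cipher. Every failure is a return code, so the caller
 * can drop the proposal; nothing here aborts the daemon. */
int check_transform_attrs(const uint8_t *buf, size_t len)
{
    int enc = -1, keylen = -1;
    size_t off = 0;

    while (off < len) {
        if (len - off < 4)
            return PROPOSAL_MALFORMED;        /* truncated attribute header */
        uint16_t type = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint16_t val  = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        off += 4;
        if (type & 0x8000) {                  /* AF=1: fixed 2-byte value */
            if ((type & 0x7fff) == ATTR_ENCRYPTION) enc = val;
            if ((type & 0x7fff) == ATTR_KEY_LENGTH) keylen = val;
        } else {                              /* AF=0: val is a byte length */
            if (val > len - off)
                return PROPOSAL_MALFORMED;    /* value runs past the buffer */
            off += val;
        }
    }
    if (enc == ENC_3DES_CBC && keylen != -1)  /* RFC 2409: no Key Length here */
        return PROPOSAL_BAD_KEYLEN;
    if (enc == ENC_AES_CBC && keylen != 128 && keylen != 192 && keylen != 256)
        return PROPOSAL_BAD_KEYLEN;
    return PROPOSAL_OK;                       /* other ciphers: not checked here */
}

int main(void)
{
    printf("3des=%d 3des+keylen=%d aes128=%d overrun=%d\n",
           check_transform_attrs(TDES_PLAIN, sizeof TDES_PLAIN),
           check_transform_attrs(TDES_KEYLEN, sizeof TDES_KEYLEN),
           check_transform_attrs(AES_128, sizeof AES_128),
           check_transform_attrs(TLV_OVERRUN, sizeof TLV_OVERRUN));
    return 0;
}
```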






 




Copyright © Lexa Software, 1996-2009.