__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                          INFORMATION BULLETIN

       Internet Key Exchange (IKEv1) Implementation Vulnerabilities
                 [US-CERT Vulnerability Note VU#226364]

November 30, 2005 18:00 GMT                                       Number Q-065
[REVISED 06 Dec 2005]
[REVISED 16 Dec 2005]
[REVISED 11 Jan 2006]
[REVISED 12 Jan 2006]
[REVISED 06 Feb 2006]
[REVISED 25 Apr 2006]
______________________________________________________________________________
PROBLEM:        Numerous vulnerabilities have been reported in various Internet
                Key Exchange version 1 (IKEv1) implementations. IKE is commonly
                used by IPSec-based VPNs.

PLATFORM:       See US-CERT Vulnerability Note VU#226364 for the full list of
                systems affected. Vendor patches are linked below for:
                Solaris 9 & 10 Operating Systems
                Debian GNU/Linux 3.1 (sarge)
                Red Hat Desktop (v. 3 & 4)
                Red Hat Enterprise Linux AS, ES, WS (v. 3 & 4)

DAMAGE:         These vulnerabilities may allow a remote attacker to execute
                arbitrary code, cause a denial-of-service condition, gain
                access to sensitive information, or cause an IKEv1
                implementation to behave in an unstable/unpredictable manner.
                In addition, many of these vulnerabilities may be exploited
                remotely by sending a specially crafted packet to a vulnerable
                IKEv1 installation.

SOLUTION:       Apply a patch from an affected product vendor.
______________________________________________________________________________
VULNERABILITY   The risk is HIGH. The worst case scenario would allow a remote
ASSESSMENT:     attacker to execute arbitrary code.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-065.shtml
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/226364
 ADDITIONAL LINKS:
   Cisco Security Advisory Document ID: 68158
     http://www.cisco.com/en/US/products/products_security_advisory09186a0080572f55.shtml
   Sun Alert ID: 102040
     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102040-1&searchclause=%22category:security%22%20%22availability,%20security%22%20category:security
   Debian Security Advisory DSA-965-1
     http://www.debian.org/security/2006/dsa-965
   Red Hat RHSA-2006:0267-11
     https://rhn.redhat.com/errata/RHSA-2006-0267
 CVE:                CVE-2005-3732
______________________________________________________________________________
REVISION HISTORY:
 12/06/2005 - Added a link to Cisco Security Advisory Document 68158, which
              provides patches for this vulnerability.
 12/16/2005 - Added a link to Sun Alert ID 102040 for Solaris 9 & 10
              Operating Systems.
 01/11/2006 - Added a link to Cisco Security Advisory Document 68158; Cisco
              removed "12.3(7)T13" and "12.3(8)T12" from the Cisco IOS table
              under Software Versions and Fixes.
 01/12/2006 - Added a link to Cisco Security Advisory Document 68158. Cisco
              updated the Vulnerable Products section, the Products Confirmed
              Not Vulnerable section and the Cisco Bug IDs section, added the
              Additional Details for Cisco Wireless LAN Controllers section,
              and updated the Non-IOS products table in the Software Versions
              and Fixes section.
 02/06/2006 - Added a link to Debian Security Advisory DSA-965, which provides
              updated ipsec-tools packages for "sarge".
 04/25/2006 - Added a link to Red Hat Security Advisory RHSA-2006:0267-11 for
              Red Hat Desktop (v. 3 & 4) and Red Hat Enterprise Linux AS, ES,
              WS (v. 3 & 4).
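The defects this bulletin covers are parsing errors in phase 1 ISAKMP message handling (buffer overflows, format string bugs) that a test suite like PROTOS triggers with malformed packets, so the check a defender wants is that every length field is validated before it is used. The following bounds-checked walk over the RFC 2408 fixed header and payload chain is an added example written for this page, not code from CIAC, US-CERT or any affected vendor; the message layout follows RFC 2408 and the sample messages are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ISAKMP_HDR_LEN     28   /* RFC 2408 fixed header: cookies, np, version, xchg, flags, msgid, length */
#define ISAKMP_PLD_HDR_LEN  4   /* generic payload header: next payload, reserved, 16-bit length */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the payload chain of one ISAKMP message. Returns the payload count, or -1
 * when the message is malformed: the declared length disagrees with what arrived,
 * a payload claims fewer bytes than its own header, or a payload runs past the
 * end of the buffer. Every length is checked before it is used as an offset. */
int isakmp_count_payloads(const uint8_t *msg, size_t len)
{
    if (len < ISAKMP_HDR_LEN || rd32(msg + 24) != len) return -1;
    uint8_t np = msg[16];                    /* type of the first payload */
    size_t off = ISAKMP_HDR_LEN;
    int count = 0;
    while (np != 0) {                        /* next payload 0 = end of chain */
        if (len - off < ISAKMP_PLD_HDR_LEN) return -1;
        uint16_t plen = rd16(msg + off + 2);
        if (plen < ISAKMP_PLD_HDR_LEN || plen > len - off) return -1;
        np = msg[off];
        off += plen;
        count++;
    }
    return off == len ? count : -1;          /* reject trailing bytes */
}

/* Constructed 44-byte main-mode message: header, an SA payload (type 1, 8 bytes)
 * and a Vendor ID payload (type 13, 8 bytes); the caller chooses the length the
 * last payload declares so that malformed variants can be produced. */
static int demo_message(uint16_t last_len)
{
    uint8_t m[44];
    memset(m, 0, sizeof m);
    m[16] = 1; m[17] = 0x10; m[18] = 2;      /* next = SA, version 1.0, identity protection */
    m[27] = 44;                              /* total length, big-endian */
    m[28] = 13; m[31] = 8;                   /* SA payload: next = VID, length 8 */
    m[38] = (uint8_t)(last_len >> 8); m[39] = (uint8_t)last_len;   /* VID: next = none */
    return isakmp_count_payloads(m, sizeof m);
}
int isakmp_demo_wellformed(void)  { return demo_message(8); }      /* 2 payloads */
int isakmp_demo_oversized(void)   { return demo_message(0xFFFF); } /* -1: would overrun */
int isakmp_demo_zero_length(void) { return demo_message(0); }      /* -1: would never advance */
```

The unchecked form of the same loop, one that trusts the header length or a payload length as an offset, is the shape of defect the PROTOS ISAKMP test suite exercises.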
[***** Start US-CERT Vulnerability Note VU#226364 *****]

Vulnerability Note VU#226364

Multiple vulnerabilities in Internet Key Exchange version 1 implementations

Overview

   Numerous vulnerabilities have been reported in various Internet Key
   Exchange version 1 (IKEv1) implementations. The impacts of these
   vulnerabilities may allow an attacker to execute arbitrary code, cause
   a denial-of-service condition, or cause an IKEv1 implementation to
   behave in an unstable/unpredictable manner.

I. Description

   The U.K. National Infrastructure Security Co-ordination Center (NISCC)
   and CERT-FI have reported numerous vulnerabilities in IKEv1
   implementations.

   The IKE protocol (RFC 2409) operates within the framework of the
   Internet Security Association (SA) and Key Management Protocol (ISAKMP,
   RFC 2408) and provides a way for nodes to authenticate each other and
   exchange keying material that is used to establish secure network
   services. IKE is commonly used by IPSec-based VPNs. The IKE negotiation
   process consists of two phases. Phase 1 establishes an ISAKMP SA.
   Phase 2 is used to create SAs for other security protocols.

   These vulnerabilities were discovered using the PROTOS Test Tool
   developed by Oulu University Secure Programming Group (OUSPG). The
   results of the tests are described in NISCC Vulnerability Advisory
   273756/NISCC/ISAKMP. According to that advisory, many IKEv1
   implementations contain buffer overflow, format string, and other
   unspecified vulnerabilities in phase 1 of IKEv1. Exploitation of these
   vulnerabilities may allow a remote attacker to compromise a system's
   security.

II. Impact

   These vulnerabilities may allow a remote attacker to execute arbitrary
   code, cause a denial-of-service condition, gain access to sensitive
   information, or cause an IKEv1 implementation to behave in an
   unstable/unpredictable manner. In addition, many of these
   vulnerabilities may be exploited remotely by sending a specially
   crafted packet to a vulnerable IKEv1 installation.

III. Solution

   Apply a patch from an affected product vendor.

Systems Affected

   Vendor                                           Status          Date Updated
   3com, Inc.                                       Unknown         15-Nov-2005
   Alcatel                                          Unknown         15-Nov-2005
   Apple Computer, Inc.                             Unknown         15-Nov-2005
   AT&T                                             Unknown         15-Nov-2005
   Avaya, Inc.                                      Unknown         15-Nov-2005
   Avici Systems, Inc.                              Unknown         15-Nov-2005
   Borderware Technologies                          Unknown         15-Nov-2005
   Certicom                                         Unknown         15-Nov-2005
   Charlotte's Web Networks                         Unknown         15-Nov-2005
   Check Point Software Technologies                Vulnerable      17-Nov-2005
   Chiaro Networks, Inc.                            Unknown         15-Nov-2005
   Cisco Systems, Inc.                              Vulnerable      17-Nov-2005
   Computer Associates                              Unknown         15-Nov-2005
   Conectiva Inc.                                   Unknown         15-Nov-2005
   Cray Inc.                                        Unknown         15-Nov-2005
   D-Link Systems, Inc.                             Unknown         15-Nov-2005
   Data Connection, Ltd.                            Unknown         15-Nov-2005
   Debian GNU/Linux                                 Unknown         15-Nov-2005
   EMC, Inc. (formerly Data General Corporation)    Unknown         15-Nov-2005
   Engarde Secure Linux                             Unknown         15-Nov-2005
   Ericsson                                         Unknown         15-Nov-2005
   eSoft, Inc.                                      Unknown         15-Nov-2005
   Extreme Networks                                 Unknown         15-Nov-2005
   F-Secure Corporation                             Unknown         15-Nov-2005
   F5 Networks, Inc.                                Unknown         15-Nov-2005
   Fedora Project                                   Unknown         15-Nov-2005
   Force10 Networks, Inc.                           Unknown         15-Nov-2005
   Fortinet, Inc.                                   Unknown         15-Nov-2005
   Foundry Networks, Inc.                           Unknown         15-Nov-2005
   FreeBSD, Inc.                                    Unknown         15-Nov-2005
   FreeS/Wan                                        Unknown         15-Nov-2005
   Fujitsu                                          Unknown         15-Nov-2005
   Gentoo Linux                                     Unknown         15-Nov-2005
   Global Technology Associates                     Unknown         15-Nov-2005
   GNU netfilter                                    Unknown         15-Nov-2005
   Hewlett-Packard Company                          Vulnerable      17-Nov-2005
   Hitachi                                          Unknown         15-Nov-2005
   Hyperchip                                        Unknown         15-Nov-2005
   IBM Corporation                                  Unknown         15-Nov-2005
   IBM Corporation (zseries)                        Unknown         15-Nov-2005
   IBM eServer                                      Unknown         15-Nov-2005
   Immunix Communications, Inc.                     Unknown         15-Nov-2005
   Ingrian Networks, Inc.                           Unknown         15-Nov-2005
   Intel Corporation                                Unknown         15-Nov-2005
   Internet Initiative Japan                        Unknown         15-Nov-2005
   Internet Security Systems, Inc.                  Unknown         15-Nov-2005
   Intoto                                           Not Vulnerable  17-Nov-2005
   IP Filter                                        Unknown         15-Nov-2005
   Jun-ichiro itojun Hagino                         Unknown         15-Nov-2005
   Juniper Networks, Inc.                           Unknown         15-Nov-2005
   Linksys (A division of Cisco Systems)            Unknown         15-Nov-2005
   Lucent Technologies                              Unknown         15-Nov-2005
   Luminous Networks                                Unknown         15-Nov-2005
   Mandriva, Inc.                                   Unknown         15-Nov-2005
   Microsoft Corporation                            Not Vulnerable  15-Nov-2005
   MontaVista Software, Inc.                        Unknown         15-Nov-2005
   Multinet (owned Process Software Corporation)    Unknown         15-Nov-2005
   Multitech, Inc.                                  Unknown         15-Nov-2005
   NEC Corporation                                  Unknown         15-Nov-2005
   NetBSD                                           Unknown         15-Nov-2005
   Network Appliance, Inc.                          Unknown         15-Nov-2005
   NextHop Technologies, Inc.                       Unknown         15-Nov-2005
   NIST IPsec Project                               Unknown         15-Nov-2005
   Nortel Networks, Inc.                            Unknown         15-Nov-2005
   Novell, Inc.                                     Unknown         15-Nov-2005
   OpenBSD                                          Unknown         15-Nov-2005
   OpenBSD IPSec                                    Unknown         15-Nov-2005
   Openswan Linux IPsec software                    Vulnerable      17-Nov-2005
   Openwall GNU/*/Linux                             Unknown         15-Nov-2005
   QNX, Software Systems, Inc.                      Unknown         15-Nov-2005
   Red Hat, Inc.                                    Unknown         15-Nov-2005
   Redback Networks, Inc.                           Unknown         15-Nov-2005
   Riverstone Networks, Inc.                        Unknown         15-Nov-2005
   SafeNet                                          Unknown         15-Nov-2005
   Secure Computing Network Security Division       Unknown         15-Nov-2005
   Sequent Computer Systems, Inc.                   Unknown         15-Nov-2005
   Silicon Graphics, Inc.                           Unknown         15-Nov-2005
   Slackware Linux Inc.                             Unknown         15-Nov-2005
   Sony Corporation                                 Unknown         15-Nov-2005
   SSH Communications IP Security                   Unknown         15-Nov-2005
   Stonesoft                                        Vulnerable      17-Nov-2005
   Sun Microsystems, Inc.                           Vulnerable      17-Nov-2005
   SUSE Linux                                       Unknown         15-Nov-2005
   Symantec, Inc.                                   Unknown         15-Nov-2005
   The SCO Group                                    Unknown         15-Nov-2005
   Trustix Secure Linux                             Unknown         15-Nov-2005
   Turbolinux                                       Unknown         15-Nov-2005
   Ubuntu                                           Unknown         15-Nov-2005
   Unisys                                           Unknown         15-Nov-2005
   Watchguard Technologies, Inc.                    Unknown         15-Nov-2005
   Wind River Systems, Inc.                         Unknown         15-Nov-2005
   ZyXEL                                            Unknown         15-Nov-2005

References

   http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp
   http://www.ficora.fi/suomi/tietoturva/varoitukset/varoitus-2005-82.htm
   http://www.auscert.org.au/5748
   http://jvn.jp/niscc/NISCC-273756/index.html
   http://www.niscc.gov.uk/niscc/docs/re-20051114-01014.pdf?lang=en
   http://secunia.com/advisories/17608/
   http://secunia.com/advisories/17621/
   http://secunia.com/advisories/17553/
   http://secunia.com/advisories/17684/
   http://secunia.com/advisories/17668/
   http://secunia.com/advisories/17663/

Credit

   These vulnerabilities were reported by NISCC and CERT-FI.

   This document was written by Jeff Gennari.

Other Information

   Date Public            11/14/2005
   Date First Published   11/17/2005 12:31:57 PM
   Date Last Updated      11/29/2005
   CERT Advisory
   CVE Name
   Metric                 16.54
   Document Revision      22

   If you have feedback, comments, or additional information about this
   vulnerability, please send us email.

[***** End US-CERT Vulnerability Note VU#226364 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of US-CERT for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of
California, and shall not be used for advertising or product
endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-055: phpsysinfo
Q-056: fetchmail -- programming error
Q-057: unzip -- race condition
Q-058: netpbm-free -- buffer overflows
Q-059: Vulnerability in the way Internet Explorer Handles onLoad Events
Q-060: Solaris 10 traceroute Vulnerability
Q-061: JMX in JRE 5 Untrusted Applet May Elevate Privileges
Q-062: Cisco PIX Spoofed TCP SYN Packets Block TCP Connections
Q-063: Cisco Security Agent Allows Execution of Arbitrary Code
Q-064: Apple Security Update 2005-009