ID: CVE-2004-0219
Type: cve
Reporter: NVD
Modified: 2017-07-10T21:29:58
Description
isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a malformed IPSEC SA payload, as demonstrated by the Striker ISAKMP Protocol Test Suite.
{"cert": [{"lastseen": "2018-12-25T20:20:05", "bulletinFamily": "info", "description": "### Overview \n\nA vulnerability exists in the `isakmpd` that could allow a remote attacker to cause a denial of service.\n\n### Description \n\nThe OpenBSD [`isakmpd`](<http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html>) establishes security associations for encrypted and authenticated (IPsec) network traffic. It implements the Internet Security Association and Key Management Protocol [(ISAKMP)](<http://www.ietf.org/rfc/rfc2408.txt>) and Internet Key Exchange [(IKE)](<http://www.ietf.org/rfc/rfc2409.txt>) protocol. The ISAKMP standard specifies:\n\nThe Security Association Payload is used to negotiate security attributes and to indicate the Domain of Interpretation (DOI) and Situation under which the negotiation is taking place. \n \nA flaw exists in the way that `isakmpd` handles ISAKMP packets containing a malformed \"Security Association Payload\". Such malformed packets could cause `isakmpd` to read out of bounds and crash. \n \n--- \n \n### Impact \n\nA remote attacker could cause the `isakmpd` service to crash. Subsequent IPsec-enabled communications may be disrupted as a result. \n \n--- \n \n### Solution \n\n**Apply a patch from the vendor** \n \nPatches have been released to address this issue. Please see the Systems Affected section of this document for more details. \n \n--- \n \n### Vendor Information\n\n### OpenBSD \n\nUpdated: August 20, 2004 \n\n### Status\n\nVulnerable\n\n### Vendor Statement\n\n`Several bugs have been found in the ISAKMP daemon which can lead to memory \nleaks and a remote denial of service condition. 
An attacker can craft \nmalformed payloads that can cause the isakmpd(8) process to stop \nprocessing requests. \n \nThe problem is fixed in -current, 3.4-stable and 3.3-stable. \n \nPatches are available at: \n \n``<ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/015_isakmpd2.patch>`` \n``<ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/020_isakmpd2.patch>`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### Credit\n\nThis vulnerability was discovered by Rapid7 using their Striker test suite. \n\nThis document was written by Chad R Dougherty based on information published in Rapid7 Advisory R7-0018 \n\n### Other Information\n\n**CVE IDs:** | [CVE-2004-0219](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0219>) \n---|--- \n**Severity Metric:****** | 1.69 \n**Date Public:** | 2004-03-19 \n**Date First Published:** | 2004-08-27 \n**Date Last Updated: ** | 2004-08-27 13:28 UTC \n**Document Revision: ** | 8 \n", "modified": "2004-08-27T13:28:00", "published": "2004-08-27T00:00:00", "id": "VU:785945", "href": "https://www.kb.cert.org/vuls/id/785945", "type": "cert", "title": "isakmpd crashes when handling ISAKMP packets with malformed \"Security Association Payload\"", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "description": "## Vulnerability Description\nOpenBSD contains a flaw that may allow a remote denial of service. 
The issue is triggered when an attacker sends a specially-crafted ISAKMP packet containing a malformed IPSEC SA payload, and will result in loss of availability for the service.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, OpenBSD has released a patch to address this vulnerability.\n## Short Description\nOpenBSD contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends a specially-crafted ISAKMP packet containing a malformed IPSEC SA payload, and will result in loss of availability for the service.\n## References:\nVendor URL: http://www.openbsd.org/errata.html\nSecurity Tracker: 1009468\n[Secunia Advisory ID:11156](https://secuniaresearch.flexerasoftware.com/advisories/11156/)\n[Related OSVDB ID: 5700](https://vulners.com/osvdb/OSVDB:5700)\n[Related OSVDB ID: 5701](https://vulners.com/osvdb/OSVDB:5701)\n[Related OSVDB ID: 5699](https://vulners.com/osvdb/OSVDB:5699)\n[Related OSVDB ID: 4336](https://vulners.com/osvdb/OSVDB:4336)\nOther Advisory URL: http://packetstormsecurity.nl/0403-advisories/R7-0018.isakmpd.txt\nOther Advisory URL: http://www.rapid7.com/advisories/R7-0018.html\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=108008530028019&w=2\nKeyword: rapid7,ipsec,vpn\nISS X-Force ID: 15628\n[CVE-2004-0219](https://vulners.com/cve/CVE-2004-0219)\nBugtraq ID: 10029\n", "modified": "2004-03-23T10:17:09", "published": "2004-03-23T10:17:09", "id": "OSVDB:5698", "href": "https://vulners.com/osvdb/OSVDB:5698", "title": "OpenBSD isakmpd IPSEC SA Payload Handling DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2018-08-31T01:16:10", "bulletinFamily": "unix", "description": "\nNumerous errors in isakmpd's input packet validation lead to\n\t denial-of-service vulnerabilities. 
From the Rapid7 advisory:\n\nThe ISAKMP packet processing functions in OpenBSD's\n\t isakmpd daemon contain multiple payload handling flaws\n\t that allow a remote attacker to launch a denial of\n\t service attack against the daemon.\nCarefully crafted ISAKMP packets will cause the isakmpd\n\t daemon to attempt out-of-bounds reads, exhaust available\n\t memory, or loop endlessly (consuming 100% of the CPU).\n\n", "modified": "2004-09-14T00:00:00", "published": "2004-03-17T00:00:00", "id": "B7CB488C-8349-11D8-A41F-0020ED76EF5A", "href": "https://vuxml.freebsd.org/freebsd/b7cb488c-8349-11d8-a41f-0020ed76ef5a.html", "title": "isakmpd payload handling denial-of-service vulnerabilities", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:40", "bulletinFamily": "scanner", "description": "Numerous errors in isakmpd's input packet validation lead to denial-of-service vulnerabilities. From the Rapid7 advisory :\n\nThe ISAKMP packet processing functions in OpenBSD's isakmpd daemon contain multiple payload handling flaws that allow a remote attacker to launch a denial of service attack against the daemon.\n\nCarefully crafted ISAKMP packets will cause the isakmpd daemon to attempt out-of-bounds reads, exhaust available memory, or loop endlessly (consuming 100% of the CPU).", "modified": "2018-12-19T00:00:00", "id": "FREEBSD_PKG_B7CB488C834911D8A41F0020ED76EF5A.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=19096", "published": "2005-07-13T00:00:00", "title": "FreeBSD : isakmpd payload handling denial-of-service vulnerabilities (b7cb488c-8349-11d8-a41f-0020ed76ef5a)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in 
source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19096);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/12/19 13:21:17\");\n\n script_cve_id(\"CVE-2004-0218\", \"CVE-2004-0219\", \"CVE-2004-0220\", \"CVE-2004-0221\", \"CVE-2004-0222\");\n\n script_name(english:\"FreeBSD : isakmpd payload handling denial-of-service vulnerabilities (b7cb488c-8349-11d8-a41f-0020ed76ef5a)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n 
script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Numerous errors in isakmpd's input packet validation lead to\ndenial-of-service vulnerabilities. From the Rapid7 advisory :\n\nThe ISAKMP packet processing functions in OpenBSD's isakmpd daemon\ncontain multiple payload handling flaws that allow a remote attacker\nto launch a denial of service attack against the daemon.\n\nCarefully crafted ISAKMP packets will cause the isakmpd daemon to\nattempt out-of-bounds reads, exhaust available memory, or loop\nendlessly (consuming 100% of the CPU).\"\n );\n # http://www.rapid7.com/advisories/R7-0018.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://help.rapid7.com/?community#/?tags=disclosure\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openbsd.org/errata34.html\"\n );\n # https://vuxml.freebsd.org/freebsd/b7cb488c-8349-11d8-a41f-0020ed76ef5a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3c6c01fb\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:isakmpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"isakmpd<=20030903\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-02T21:10:12", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-21T00:00:00", "published": "2008-09-04T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=52399", "id": "OPENVAS:52399", "title": "FreeBSD Ports: isakmpd", "type": "openvas", "sourceData": "#\n#VID b7cb488c-8349-11d8-a41f-0020ed76ef5a\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: isakmpd\n\nCVE-2004-0218\nisakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a\ndenial of service (infinite loop) via an ISAKMP packet with a\nzero-length payload, as demonstrated by the Striker ISAKMP Protocol\nTest Suite.\n\nCVE-2004-0219\nisakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a\ndenial of service (crash) via an ISAKMP packet with a malformed IPSEC\nSA payload, as demonstrated by the Striker ISAKMP Protocol Test Suite.\n\nCVE-2004-0220\nisakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a\ndenial of service via a an ISAKMP packet with a malformed Cert Request\npayload, which causes an integer underflow that is used in a malloc\noperation that is not properly handled, , as demonstrated by the\nStriker ISAKMP Protocol Test Suite.\n\nCVE-2004-0221\nisakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a\ndenial of service (crash) via an ISAKMP packet with a delete payload\ncontaining a large number of SPIs, which triggers an out-of-bounds\nread error, as demonstrated by the Striker ISAKMP Protocol Test 
Suite.\n\nCVE-2004-0222\nMultiple memory leaks in isakmpd in OpenBSD 3.4 and earlier allow\nremote attackers to cause a denial of service (memory exhaustion) via\ncertain ISAKMP packets, as demonstrated by the Striker ISAKMP Protocol\nTest Suite.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.rapid7.com/advisories/R7-0018.html\nhttp://www.openbsd.org/errata34.html\nhttp://www.vuxml.org/freebsd/b7cb488c-8349-11d8-a41f-0020ed76ef5a.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52399);\n script_version(\"$Revision: 4125 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-21 07:39:51 +0200 (Wed, 21 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2004-0218\", \"CVE-2004-0219\", \"CVE-2004-0220\", \"CVE-2004-0221\", \"CVE-2004-0222\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: isakmpd\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"isakmpd\");\nif(!isnull(bver) && revcomp(a:bver, b:\"20030903\")<=0) {\n txt += 'Package isakmpd version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:09", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n_______________________________________________________________________\r\n Rapid7, Inc. Security Advisory\r\n Visit http://www.rapid7.com/ to download NeXpose,\r\n the world's most advanced vulnerability scanner.\r\n Linux and Windows 2000/XP versions are available now!\r\n_______________________________________________________________________\r\n\r\nRapid7 Advisory R7-0018\r\nOpenBSD isakmpd payload handling denial-of-service vulnerabilities\r\n\r\n Published: March 23, 2004\r\n Revision: 1.0\r\n http://www.rapid7.com/advisories/R7-0018.html\r\n\r\n CVE: CAN-2004-0218, CAN-2004-0219, CAN-2004-0220, CAN-2004-0221,\r\n CAN-2004-0222\r\n\r\n1. Affected system(s):\r\n\r\n KNOWN VULNERABLE:\r\n o OpenBSD 3.4 and earlier\r\n o OpenBSD-current as of March 17, 2004\r\n\r\n2. 
Summary\r\n\r\n The ISAKMP packet processing functions in OpenBSD's isakmpd\r\n daemon contain multiple payload handling flaws that allow\r\n a remote attacker to launch a denial of service attack\r\n against the daemon.\r\n\r\n Carefully crafted ISAKMP packets will cause the isakmpd daemon\r\n to attempt out-of-bounds reads, exhaust available memory, or\r\n loop endlessly (consuming 100% of the CPU).\r\n\r\n3. Vendor status and information\r\n\r\n OpenBSD\r\n http://www.openbsd.org\r\n\r\n OpenBSD has been notified of the issues and they have provided\r\n source code patches to fix the problems for -current, 3.4-stable,\r\n and 3.3-stable. See http://www.openbsd.org/errata.html for\r\n more information.\r\n\r\n The isakmpd daemon in the upcoming OpenBSD 3.5 release will be\r\n privilege-separated, which greatly lessens the risk of any\r\n future vulnerabilities that may be found.\r\n\r\n4. Solution\r\n\r\n Update and rebuild the isakmpd daemon:\r\n\r\n cd /usr/src/sbin/isakmpd\r\n cvs update -dP\r\n make clean && make obj && make && sudo make install\r\n\r\n You can also apply the appropriate patches from\r\n http://www.openbsd.org/errata.html instead of using CVS.\r\n\r\n5. Detailed analysis\r\n\r\n To test the security and robustness of IPSEC implementations\r\n from multiple vendors, the security research team at Rapid7\r\n has designed the Striker ISAKMP Protocol Test Suite. Striker\r\n is an ISAKMP packet generation tool that automatically produces\r\n and sends invalid and/or atypical ISAKMP packets.\r\n\r\n This advisory is the first in a series of vulnerability\r\n disclosures discovered with the Striker test suite. Striker\r\n will be made available to qualified IPSEC vendors. Please\r\n email advisory@rapid7.com for more information on obtaining\r\n Striker.\r\n\r\n OpenBSD's isakmpd daemon performs insufficient validation on\r\n payload lengths and payload field lengths before attempting to\r\n read the fields. 
This results in out-of-bounds reads in several\r\n cases.\r\n\r\n Denial of service by 0-length ISAKMP payload\r\n CVE ID: CAN-2004-0218\r\n\r\n An ISAKMP packet with a malformed payload having a self-reported\r\n payload length of zero will cause isakmpd to enter an infinite\r\n loop, parsing the same payload over and over again.\r\n\r\n This issue is similar to CAN-2003-0989, which affected TCPDUMP.\r\n\r\n Denial of service by various malformed ISAKMP IPSEC SA payload\r\n CVE ID: CAN-2004-0219\r\n\r\n An ISAKMP packet with a malformed IPSEC SA payload will\r\n cause isakmpd to read out of bounds and crash.\r\n\r\n Denial of service by malformed ISAKMP Cert Request payload\r\n CVE ID: CAN-2004-0220\r\n\r\n An ISAKMP packet with a malformed Cert Request payload\r\n will cause an integer underflow, resulting in a failed\r\n malloc of a huge amount of memory.\r\n\r\n Denial of service by malformed ISAKMP Delete payload\r\n CVE ID: CAN-2004-0221\r\n\r\n An ISAKMP packet with a malformed delete payload having\r\n a large number of SPIs will cause isakmpd to read out of\r\n bounds and crash.\r\n\r\n Denial of service by various memory leaks\r\n CVE ID: CAN-2004-0222\r\n\r\n Various memory leaks in packet processing can be triggered\r\n by a remote attacker until all available memory is exhausted,\r\n resulting in eventual termination of the daemon.\r\n\r\n6. Contact Information\r\n\r\n Rapid7 Security Advisories\r\n Email: advisory@rapid7.com\r\n Web: http://www.rapid7.com/\r\n Phone: +1 (617) 603-0700\r\n\r\n7. Disclaimer and Copyright\r\n\r\n Rapid7, LLC is not responsible for the misuse of the information\r\n provided in our security advisories. These advisories are a service\r\n to the professional security community. There are NO WARRANTIES\r\n with regard to this information. Any application or distribution of\r\n this information constitutes acceptance AS IS, at the user's own\r\n risk. 
This information is subject to change without notice.\r\n\r\n This advisory Copyright (C) 2004 Rapid7, LLC. Permission is\r\n hereby granted to redistribute this advisory, providing that no\r\n changes are made and that the copyright notices and disclaimers\r\n remain intact.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.2.2 (OpenBSD)\r\n\r\niD8DBQFAYKLaMiAxz4wsmx8RArx0AJwOnkTk/Ej5JRjezz+Ll2eiPmYpYACfQUyd\r\ngYqp1RZ5ArQEZ9ZRpHlSal4=\r\n=FIVu\r\n-----END PGP SIGNATURE-----", "modified": "2004-03-24T00:00:00", "published": "2004-03-24T00:00:00", "id": "SECURITYVULNS:DOC:5952", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5952", "title": "R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}