KAME Racoon IKE Daemon RSA Signature Verification Failure

2004-04-07T07:38:16
ID OSVDB:5008
Type osvdb
Reporter Hans Hacker, Michal Ludvig (michal@logix.cz), Ralf Spenneberg (ralf@spenneberg.net)
Modified 2004-04-07T07:38:16

Description

Vulnerability Description

Multiple IPSec implementations, including KAME, ipsec-tools, and operating systems that include them, contain a flaw that may allow a malicious user to make a successful IPSec connection without proper authorization. The issue is triggered when the attacker possesses any valid and trusted X.509 certificate and the server attempts to use RSA signature authentication. While the server does check the validity of the X.509 certificate, it fails to verify the client's RSA signature against that certificate. It is possible that the flaw may allow unauthorized access, resulting in a loss of confidentiality.

Technical Description

The KAME IKE daemon Racoon and its Linux 2.6 port in ipsec-tools fail to verify the RSA signature during phase one of an IPSec connection, in either main or aggressive mode. The X.509 certificate of the client is verified, but the certificate is not used to verify the client's signature. This could allow remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks, provided that they possess a valid, trusted X.509 certificate. The vulnerable code in the eay_rsa_verify() function of crypto_openssl.c reads as follows:

    evp = d2i_PUBKEY(NULL, &bp, pubkey->l);
    if (evp == NULL)
        return 0;

d2i_PUBKEY always returns NULL, so the function always exits with return code 0 (success). No signature verification takes place.
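
The fail-open return path described above, modelled in self-contained C as an added example (this is not racoon's code). parse_key(), the 4-byte key format and the small textbook-RSA values are constructed assumptions standing in for d2i_PUBKEY() and a real RSA check; the return convention (0 = success) follows the advisory.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy key blob (constructed): 16-bit big-endian n, then 16-bit e. */
struct toy_key { uint32_t n, e; };
const uint8_t GOOD_KEY[4] = { 0x0C, 0xA1, 0x00, 0x11 };  /* n = 3233, e = 17 */
const uint8_t BAD_KEY[3]  = { 0x0C, 0xA1, 0x00 };        /* truncated, unparseable */

/* Hypothetical stand-in for d2i_PUBKEY(): 0 on success, -1 if malformed. */
static int parse_key(const uint8_t *b, size_t len, struct toy_key *k) {
    if (b == NULL || len != 4) return -1;
    k->n = ((uint32_t)b[0] << 8) | b[1];
    k->e = ((uint32_t)b[2] << 8) | b[3];
    return (k->n > 1 && k->e > 0) ? 0 : -1;
}

/* Textbook RSA: base^exp mod m; m < 2^16, so products fit in 32 bits. */
static uint32_t modexp(uint32_t base, uint32_t exp, uint32_t m) {
    uint32_t r = 1;
    for (base %= m; exp; exp >>= 1) {
        if (exp & 1) r = r * base % m;
        base = base * base % m;
    }
    return r;
}

/* Vulnerable shape: the key-parse error path returns 0, which the caller
   reads as "signature verified". */
int verify_vulnerable(uint32_t digest, uint32_t sig, const uint8_t *key, size_t len) {
    struct toy_key k;
    if (parse_key(key, len, &k) != 0) return 0;   /* BUG: fails open */
    return modexp(sig, k.e, k.n) == digest ? 0 : -1;
}

/* Hardened shape: any path that did not check the signature is a failure. */
int verify_fixed(uint32_t digest, uint32_t sig, const uint8_t *key, size_t len) {
    struct toy_key k;
    if (parse_key(key, len, &k) != 0) return -1;  /* fails closed */
    return modexp(sig, k.e, k.n) == digest ? 0 : -1;
}

int main(void) {
    printf("bogus sig, unparseable key: vulnerable=%d fixed=%d\n",
           verify_vulnerable(2790, 1234, BAD_KEY, 3), verify_fixed(2790, 1234, BAD_KEY, 3));
    printf("valid sig, good key:        vulnerable=%d fixed=%d\n",
           verify_vulnerable(2790, 65, GOOD_KEY, 4), verify_fixed(2790, 65, GOOD_KEY, 4));
    return 0;
}
```

When auditing similar code, check every early return in a verification routine against the caller's success value, since an error path that shares it turns a parsing failure into an authentication bypass.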

Solution Description

Upgrade to version 1.84 of KAME or a recent CVS tree, version 1.62 of NetBSD, version 4.9-CURRENT of FreeBSD, version 0.2.5 of ipsec-tools, or higher, as these have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.kame.net/racoon/
Secunia Advisory ID: 11328
Secunia Advisory ID: 14178
Other Advisory URL: http://ipsec-tools.sourceforge.net/x509sig.html
Other Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.10/SCOSA-2005.10.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-04/0062.html
ISS X-Force ID: 15783
CVE-2004-0155
CIAC Advisory: o-138
CERT VU: 552398
Bugtraq ID: 10072