Ralf Spenneberg
07/04/04, 22:45
--=-HJEpCIs4q/HiBYwgDvsi
Content-Type: multipart/mixed; boundary="=-PW1GAe5WEUFPLe4DeXHb"
--=-PW1GAe5WEUFPLe4DeXHb
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: quoted-printable
Security Advisory: The KAME IKE Daemon Racoon does not verify RSA
Signatures during Phase 1, allows man-in-the-middle attacks and
unauthorized connections
=
=20
Author: Ralf Spenneberg <ralf@spenneberg.net>
=
=20
Revision: 1
=
=20
Last Updated: April 07, 2004 18:00
=
=20
CAN-2004-0155
=
=20
Summary:
The KAME IKE Daemon racoon authenticates the peer in Phase 1 using
either preshared keys, RSA signatures or GSS-API. When RSA signatures
are used, racoon validates the X.509 certificate send by the peer but
not the RSA signature.
If the peer sends a valid and trusted X.509 certificate during Phase 1
any private key can be used to generate the RSA signature. The
authentication will still
succeed.
=
=20
Impact:
Very High: Since racoon is the an often used IKE daemon on the *BSD
platform and on the native Linux kernel 2.6 IPsec stack.
If the attacker has access to a valid and trusted X.509 certificate he
can establish an IPsec connection to racoon or can start a
man-in-the-middle attack.
=
=20
Exploit:
No exploit code is needed. Racoon itself can be used to exploit this
security bug. The important configuration line:
certificate_type x509 certificate badprivatekey;
If the certificate is valid and trusted by the attacked racoon the
attacker can
connect using any 'badprivatekey'
=
=20
Vulnerable:
Tested:
Linux: ipsec-tools <=3D0.2.4; <=3D0.3rc4
FreeBSD 4.9 using racoon-20030711
Not-tested but probable looking at the code:
All KAME/racoon version published before April 06 2004
I do not have access to the Apple/racoon version, but it is highly
probable that this version is vulnerable, too.
=
=20
Technical description:
In function eay_rsa_verify() in file crypto_openssl.c:
[...]
evp =3D d2i_PUBKEY(NULL, &bp, pubkey->l);
if (evp =3D=3D NULL)
return 0;
[...]
In this context the function d2i_PUBKEY always returns NULL. The
function therefore exits with the returncode 0 (success). The actual
verification of the signature does not take place.
=
=20
Solution:
Upgrade is needed. No workaround is known!
The attached patch fixed the problem on Linux using the ipsec-tools
package.
Updated packages are already available for some distributions:
ipsec-tools: http://ipsec-tools.sf.net
KAME: Updates are available in their CVS
Gentoo: Has already published their Security Advisory
=20
Credits:
Michal Ludvig
Hans Hacker
--=20
Ralf Spenneberg
UNIX/Linux Trainer and Consultant, RHCE, RHCX
Waldring 34 48565 Steinfurt Germany
Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757
Mobil: +49(0)177 567 27 40
=20
Markt+Technik Buch: Intrusion Detection f=FCr Linux Ser=
ver
Addison-Wesley Buch: VPN mit Linux
IPsec-Howto: http://www.ipsec-howto.org
IPsec/PPTP Kernels for Red Hat Linux: http://www.spenneberg.com/.net/.org=
/.de
Honeynet Project Mirror: http://honeynet.spenneberg.org
Snort Mirror: http://snort.spenneberg.org
--=-PW1GAe5WEUFPLe4DeXHb
Content-Disposition: attachment; filename=x509sig.diff.gz
Content-Type: application/x-gzip; name=x509sig.diff.gz
Content-Transfer-Encoding: base64
H4sICIttcUAAA3g1MDlzaWcuZGlmZgCdVH9v2kAM/Tv5FF6rVYHkICEEAmiotEVVNUQRXatVmhSF
cEDULIkuAZVN++6zL/waVSVWFCXc2X72Pb8zYwzMii2CejUTQVX4QZLE1UCs0zzxkpTH WRZVAqVm
mnVm2qzmgOW0nVrbaVbM7Q900zJNVdd1WHB/egIQPgjUaFvNdq1RsRqu3WzZlo1AaFcvL4E1Gi2j
CXrxwQ3ur71gwYMX79UxW1k4j7UsWYqAG4ALAwIu8pIKv1VQvq MDlMmtg6slhvkCypO0ozJlRQsv
h3Q5eeHrjqor/aeRN/raf4YyX6ELYMgkhS8SkHVXtCPrcS3DwpPKr/0fFSmK4PlSxMAsKucP4jGl
SF9ZYR4KZl1y9sJ4lrAuGlgXHaIw8OT/qZ/7nX1QdFJQxON5vqAwfDYVUMUi870VF+Fs/W+1FwV6
iShBIjAH0ejNee4VFo1ySnM4A+0ToFMJ6dYVgDRK5tpg8OT1x+ P7sQGD++vet7v7oQHDx8HAgLMj
qDZ8zn7EZ4YsKMsFFyIRWkmCAxzQpSNdOr5PqJ/KQX6JXqiWZctc1zFqddBd1zWsxrZlBFA0SwQG
pCJc0bE3kWGcq+w4DfnJHBuKDmRUlsaytJa3mmLIyrsYVCee6C 0AieNIi+xAvNiQAl9qUied7zBe
J8sZ2olsQsFDQOpPcWf80EO86wfLG/Vubu6Gt1szqgPN5nYpG9CRyix6P62F3ujxCkvRihZeTFJj
V0BUotpIBtK7yIy0nIezeMpn0O893/SvHm/Rads6TMXOeTwNZyrDpEV+Ki8Lf3GCQfWSuJEzAkeX
zaFWP/0oSgINI0qyXMxamDZp6cq/TXzKVFtshpHFTBesVtt22rX6R6ba4niqmW27VjFbTcd26ubh
VHOaNNTkm+T4mnPkRnZgN0zSlyBrkkDB80aaRk0uNE10Qbmqbs N27T9U9T5Imoy9F10vdpRxr9D3
444g9A9B7IVNGMVxeg/DivXugeS0QCqszQ0t0IvbQBh/Af67Q424BgAA
--=-PW1GAe5WEUFPLe4DeXHb--
--=-HJEpCIs4q/HiBYwgDvsi
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: Dies ist ein digital signierter Nachrichtenteil
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQBAdDJCbQ9NVvVkhHcRAv8dAJ4hZ0T7SrVxzBjsCfLo8I 88kIMBrQCfXZD0
nfiwGNK89uVela3B7+Vw8Uw=
=axJT
-----END PGP SIGNATURE-----
--=-HJEpCIs4q/HiBYwgDvsi--
Content-Type: multipart/mixed; boundary="=-PW1GAe5WEUFPLe4DeXHb"
--=-PW1GAe5WEUFPLe4DeXHb
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: quoted-printable
Security Advisory: The KAME IKE Daemon Racoon does not verify RSA
Signatures during Phase 1, allows man-in-the-middle attacks and
unauthorized connections
=
=20
Author: Ralf Spenneberg <ralf@spenneberg.net>
=
=20
Revision: 1
=
=20
Last Updated: April 07, 2004 18:00
=
=20
CAN-2004-0155
=
=20
Summary:
The KAME IKE Daemon racoon authenticates the peer in Phase 1 using
either preshared keys, RSA signatures or GSS-API. When RSA signatures
are used, racoon validates the X.509 certificate send by the peer but
not the RSA signature.
If the peer sends a valid and trusted X.509 certificate during Phase 1
any private key can be used to generate the RSA signature. The
authentication will still
succeed.
=
=20
Impact:
Very High: Since racoon is the an often used IKE daemon on the *BSD
platform and on the native Linux kernel 2.6 IPsec stack.
If the attacker has access to a valid and trusted X.509 certificate he
can establish an IPsec connection to racoon or can start a
man-in-the-middle attack.
=
=20
Exploit:
No exploit code is needed. Racoon itself can be used to exploit this
security bug. The important configuration line:
certificate_type x509 certificate badprivatekey;
If the certificate is valid and trusted by the attacked racoon the
attacker can
connect using any 'badprivatekey'
=
=20
Vulnerable:
Tested:
Linux: ipsec-tools <=3D0.2.4; <=3D0.3rc4
FreeBSD 4.9 using racoon-20030711
Not-tested but probable looking at the code:
All KAME/racoon version published before April 06 2004
I do not have access to the Apple/racoon version, but it is highly
probable that this version is vulnerable, too.
=
=20
Technical description:
In function eay_rsa_verify() in file crypto_openssl.c:
[...]
evp =3D d2i_PUBKEY(NULL, &bp, pubkey->l);
if (evp =3D=3D NULL)
return 0;
[...]
In this context the function d2i_PUBKEY always returns NULL. The
function therefore exits with the returncode 0 (success). The actual
verification of the signature does not take place.
=
=20
Solution:
Upgrade is needed. No workaround is known!
The attached patch fixed the problem on Linux using the ipsec-tools
package.
Updated packages are already available for some distributions:
ipsec-tools: http://ipsec-tools.sf.net
KAME: Updates are available in their CVS
Gentoo: Has already published their Security Advisory
=20
Credits:
Michal Ludvig
Hans Hacker
--=20
Ralf Spenneberg
UNIX/Linux Trainer and Consultant, RHCE, RHCX
Waldring 34 48565 Steinfurt Germany
Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757
Mobil: +49(0)177 567 27 40
=20
Markt+Technik Buch: Intrusion Detection f=FCr Linux Ser=
ver
Addison-Wesley Buch: VPN mit Linux
IPsec-Howto: http://www.ipsec-howto.org
IPsec/PPTP Kernels for Red Hat Linux: http://www.spenneberg.com/.net/.org=
/.de
Honeynet Project Mirror: http://honeynet.spenneberg.org
Snort Mirror: http://snort.spenneberg.org
--=-PW1GAe5WEUFPLe4DeXHb
Content-Disposition: attachment; filename=x509sig.diff.gz
Content-Type: application/x-gzip; name=x509sig.diff.gz
Content-Transfer-Encoding: base64
H4sICIttcUAAA3g1MDlzaWcuZGlmZgCdVH9v2kAM/Tv5FF6rVYHkICEEAmiotEVVNUQRXatVmhSF
cEDULIkuAZVN++6zL/waVSVWFCXc2X72Pb8zYwzMii2CejUTQVX4QZLE1UCs0zzxkpTH WRZVAqVm
mnVm2qzmgOW0nVrbaVbM7Q900zJNVdd1WHB/egIQPgjUaFvNdq1RsRqu3WzZlo1AaFcvL4E1Gi2j
CXrxwQ3ur71gwYMX79UxW1k4j7UsWYqAG4ALAwIu8pIKv1VQvq MDlMmtg6slhvkCypO0ozJlRQsv
h3Q5eeHrjqor/aeRN/raf4YyX6ELYMgkhS8SkHVXtCPrcS3DwpPKr/0fFSmK4PlSxMAsKucP4jGl
SF9ZYR4KZl1y9sJ4lrAuGlgXHaIw8OT/qZ/7nX1QdFJQxON5vqAwfDYVUMUi870VF+Fs/W+1FwV6
iShBIjAH0ejNee4VFo1ySnM4A+0ToFMJ6dYVgDRK5tpg8OT1x+ P7sQGD++vet7v7oQHDx8HAgLMj
qDZ8zn7EZ4YsKMsFFyIRWkmCAxzQpSNdOr5PqJ/KQX6JXqiWZctc1zFqddBd1zWsxrZlBFA0SwQG
pCJc0bE3kWGcq+w4DfnJHBuKDmRUlsaytJa3mmLIyrsYVCee6C 0AieNIi+xAvNiQAl9qUied7zBe
J8sZ2olsQsFDQOpPcWf80EO86wfLG/Vubu6Gt1szqgPN5nYpG9CRyix6P62F3ujxCkvRihZeTFJj
V0BUotpIBtK7yIy0nIezeMpn0O893/SvHm/Rads6TMXOeTwNZyrDpEV+Ki8Lf3GCQfWSuJEzAkeX
zaFWP/0oSgINI0qyXMxamDZp6cq/TXzKVFtshpHFTBesVtt22rX6R6ba4niqmW27VjFbTcd26ubh
VHOaNNTkm+T4mnPkRnZgN0zSlyBrkkDB80aaRk0uNE10Qbmqbs N27T9U9T5Imoy9F10vdpRxr9D3
444g9A9B7IVNGMVxeg/DivXugeS0QCqszQ0t0IvbQBh/Af67Q424BgAA
--=-PW1GAe5WEUFPLe4DeXHb--
--=-HJEpCIs4q/HiBYwgDvsi
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: Dies ist ein digital signierter Nachrichtenteil
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQBAdDJCbQ9NVvVkhHcRAv8dAJ4hZ0T7SrVxzBjsCfLo8I 88kIMBrQCfXZD0
nfiwGNK89uVela3B7+Vw8Uw=
=axJT
-----END PGP SIGNATURE-----
--=-HJEpCIs4q/HiBYwgDvsi--