View Full Version : WARNING: IPsec-Tools: authentication bug in racoon



Keuningen
22/06/04, 20:33
> Synopsis
> ========
>
> racoon provided as part of IPsec-Tools fails to do proper authentication.
>
> Background
> ==========
>
> IPsec-Tools is a port of KAME's implementation of the IPsec utilities.
> It contains a collection of network monitoring tools, including racoon,
> ping, and ping6.
>
> Affected packages
> =================
>
> -------------------------------------------------------------------
>  Package                     /  Vulnerable  /          Unaffected
> -------------------------------------------------------------------
>  1  net-firewall/ipsec-tools      < 0.3.3                >= 0.3.3
>
> Description
> ===========
>
> The KAME IKE daemon racoon is used to authenticate peers during Phase 1
> when using either preshared keys, GSS-API, or RSA signatures. When
> using RSA signatures racoon validates the X.509 certificate but not the
> RSA signature.
>
> Impact
> ======
>
> By sending a valid and trusted X.509 certificate and any private key an
> attacker could exploit this vulnerability to perform man-in-the-middle
> attacks and initiate unauthorized connections.
>
> Workaround
> ==========
>
> There is no known workaround at this time. All users are encouraged to
> upgrade to the latest available version.
>
> Resolution
> ==========
>
> All IPsec-Tools users should upgrade to the latest stable version:
>
> # emerge sync
>
> # emerge -pv ">=net-firewall/ipsec-tools-0.3.3"
> # emerge ">=net-firewall/ipsec-tools-0.3.3"
>
> References
> ==========
>
> [ 1 ] IPsec-Tools Advisory
> http://ipsec-tools.sourceforge.net/x509sig.html
>
> Availability
> ============
>
> This GLSA and any updates to it are available for viewing at
> the Gentoo Security Website:
>
> http://security.gentoo.org/glsa/glsa-200406-17.xml
>
> Concerns?
> =========
>
> Security is a primary focus of Gentoo Linux and ensuring the
> confidentiality and security of our users' machines is of utmost
> importance to us. Any security concerns should be addressed to
> security@gentoo.org or alternatively, you may file a bug at
> http://bugs.gentoo.org.
>
> License
> =======
>
> Copyright 2004 Gentoo Technologies, Inc; referenced text
> belongs to its owner(s).
>
> The contents of this document are licensed under the
> Creative Commons - Attribution / Share Alike license.
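
The flaw described in the advisory quoted above, as an added example that is not part of the original post and is not racoon's code: a simplified Python model of a Phase 1 check that validates the certificate but ignores the signature, beside a check that also verifies the signature with the certificate's public key. The keys are constructed toy textbook-RSA keys without padding, and all function names, the subject name and the exchange hash are hypothetical.

```python
import hashlib

E = 65537

def make_key(p, q):
    """Textbook RSA key from two primes (toy: no padding, illustration only)."""
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])

def _tbs(subject, pub):
    # The fields the CA signs; a stand-in for an X.509 to-be-signed structure.
    return f"{subject}|{pub['n']}|{pub['e']}".encode()

def issue_cert(ca_key, subject, key):
    pub = public(key)
    return {"subject": subject, "pub": pub, "ca_sig": sign(ca_key, _tbs(subject, pub))}

def cert_trusted(ca_pub, cert):
    return verify(ca_pub, _tbs(cert["subject"], cert["pub"]), cert["ca_sig"])

def phase1_flawed(ca_pub, cert, exchange_hash, sig):
    # Models the advisory: the certificate is validated, the signature is never checked.
    return cert_trusted(ca_pub, cert)

def phase1_fixed(ca_pub, cert, exchange_hash, sig):
    # The certificate must chain to the CA AND the signature must verify under its key.
    return cert_trusted(ca_pub, cert) and verify(cert["pub"], exchange_hash, sig)

# Constructed sample data: Mersenne primes used as toy key material.
CA = make_key(2**89 - 1, 2**107 - 1)
PEER = make_key(2**61 - 1, 2**127 - 1)
OTHER = make_key(2**31 - 1, 2**521 - 1)   # a key that is NOT the one in PEER_CERT
CA_PUB = public(CA)
PEER_CERT = issue_cert(CA, "peer.example", PEER)
HASH = b"constructed phase 1 exchange hash"

if __name__ == "__main__":
    for name, key in (("certificate key", PEER), ("unrelated key", OTHER)):
        sig = sign(key, HASH)
        print(name, "flawed:", phase1_flawed(CA_PUB, PEER_CERT, HASH, sig),
              "fixed:", phase1_fixed(CA_PUB, PEER_CERT, HASH, sig))
```
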