From jo.schueth@web.de  Tue Oct  7 11:03:31 2003
Return-Path: <jo.schueth@web.de>
Message-Id: <3F82FFC8.9020700@web.de>
Date: Tue, 07 Oct 2003 20:02:48 +0200
From: Jo <jo.schueth@web.de>
Sender: jo.schueth@web.de
To: FreeBSD-gnats-submit@freebsd.org
Subject: IPsec policy on inbound traffic is not enforced (allows spoofing)

>Number:         57712
>Category:       kern
>Synopsis:       IPsec policy on inbound traffic is not enforced (allows spoofing)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ceri
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 07 11:10:14 PDT 2003
>Closed-Date:    Wed Oct 08 11:43:49 PDT 2003
>Last-Modified:  Wed Oct 08 11:43:49 PDT 2003
>Originator:     Joachim Schueth
>Release:        
>Organization:
>Environment:
>Description:
  >Submitter-Id:  current-users
  >Originator:    Joachim Schueth <dl2kcd@darc.de>
  >Organization:
  >Confidential:  no
  >Synopsis:  IPsec policy on inbound traffic is not enforced (allows spoofing)
  >Severity:  serious
  >Priority:  medium
  >Category:  kern
  >Class:     sw-bug
  >Release:   FreeBSD 4.8-RELEASE-p13 i386
  >Environment:
 System: FreeBSD 4.8-RELEASE-p13 i386
 
  >Description:
 A host with an IPsec policy that requires ESP with authentication or AH
 on inbound traffic accepts plain IP packets that carry no authentication.
 This allows the IPsec authentication mechanism to be bypassed.
 
  >How-To-Repeat:
 The following example uses ESP with authentication, but the effect is
 the same with AH.
 
 Configure two hosts running FreeBSD 4.8-RELEASE-p13 with IP addresses
 of 192.168.0.26 and 192.168.0.42, respectively (called host26 and host42
 below). On host42 (the target host), use the following setkey script:
 
   # Clear all existing SAs and SPD entries first.
   flush;
   spdflush;
   # SA host26 -> host42: ESP with 3DES-CBC encryption and HMAC-SHA1 authentication.
   add 192.168.0.26 192.168.0.42 esp 0x026042
      -E 3des-cbc  "xxxxxxxxxxxxxxxxxxxxxxxx"
      -A hmac-sha1 "hhhhhhhhhhhhhhhhhhhh";
   # SA host42 -> host26, same algorithms, separate keys and SPI.
   add 192.168.0.42 192.168.0.26 esp 0x042026
      -E 3des-cbc  "AAAAAAAAAAAAAAAAAAAAAAAA"
      -A hmac-sha1 "rrrrrrrrrrrrrrrrrrrr";
   # Policies: ESP in transport mode is required in both directions within the subnet.
   spdadd 192.168.0.0/24 192.168.0.0/24 any -P in  ipsec esp/transport//require;
   spdadd 192.168.0.0/24 192.168.0.0/24 any -P out ipsec esp/transport//require;
 
 On host26 (the attacking host), use the same setkey script but omit the
 spdadd lines. This means that host26 has the correct security associations
 to accept the ESP packets of host42, but host26 itself will not use IPsec
 on outgoing packets.
 
 Then establish a TCP connection between host26 and host42, e.g. by
 connecting to host42 from host26 via ftp. The connection succeeds, and
 a network dump shows ESP from host42 to host26, but plain TCP packets
 in the other direction. These packets are accepted by host42 despite the
 -P in .../require policy, which is essentially ignored. Thus, an attacker
 could inject spoofed packets into an ESP connection simply by omitting
 the IPsec elements. The same behaviour is observed when AH is used.
 
 Note that ICMP ping packets are apparently dropped as expected, but not
 TCP packets.
 
  >Fix:
 This has to be fixed in the kernel. As a workaround, ipfw may be used to
 limit non-IPsec traffic.
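
 As an added check (not part of this PR or of FreeBSD), the following Python
 script scans tcpdump-style output for the symptom described above: plaintext
 packets reaching the target from a peer whose SPD entry requires ESP or AH.
 The capture lines are constructed to approximate tcpdump's summary format, and
 the policy constants mirror the setkey script above.

```python
# Added example (not part of the PR): flag inbound packets that the SPD says
# must be ESP/AH-protected but that arrive as plain IP. The capture below is
# constructed, approximating tcpdump's summary output, not a real dump.
import ipaddress
import re

# Policy taken from the PR's setkey script: traffic from 192.168.0.0/24 to the
# target must arrive inside ESP (or AH, which the PR says behaves the same).
TARGET = "192.168.0.42"
PROTECTED_SRC = ipaddress.ip_network("192.168.0.0/24")

# tcpdump prints "src[.port] > dst[.port]: summary"; ports only for TCP/UDP.
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:\s*(?P<rest>.*)$"
)

SAMPLE_DUMP = """\
20:03:01.000001 192.168.0.42 > 192.168.0.26: ESP(spi=0x00042026,seq=0x1)
20:03:01.000345 192.168.0.26.1025 > 192.168.0.42.21: S 10:10(0) win 57344
20:03:01.000512 192.168.0.42 > 192.168.0.26: ESP(spi=0x00042026,seq=0x2)
20:03:01.000700 192.168.0.26.1025 > 192.168.0.42.21: . ack 1 win 57344
20:03:01.001000 192.168.0.26 > 192.168.0.42: AH(spi=0x00026042,seq=0x1)
20:03:02.000000 10.0.0.7.4000 > 192.168.0.42.80: S 5:5(0) win 8192
"""

def is_protected(summary):
    """True when the outer protocol of the packet is ESP or AH."""
    return summary.startswith(("ESP(", "AH("))

def find_policy_violations(dump, target=TARGET, protected_src=PROTECTED_SRC):
    """Return (line_no, src, summary) for every plaintext packet to `target`
    from a source the SPD requires to use ESP/AH. Sources outside the policy
    (10.0.0.7 here) are ignored, since the 'require' rule does not cover them."""
    violations = []
    for line_no, line in enumerate(dump.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or m.group("dst") != target:
            continue
        src = m.group("src")
        if ipaddress.ip_address(src) not in protected_src:
            continue
        if not is_protected(m.group("rest")):
            violations.append((line_no, src, m.group("rest")))
    return violations

if __name__ == "__main__":
    for line_no, src, summary in find_policy_violations(SAMPLE_DUMP):
        print(f"line {line_no}: plaintext from {src} despite require policy: {summary}")
```

 On the constructed capture the two plain TCP segments from host26 (lines 2 and
 4) are reported, while the ESP and AH datagrams and the out-of-policy source
 are not.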
 
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ceri 
State-Changed-When: Wed Oct 8 11:42:48 PDT 2003 
State-Changed-Why:  
This misfiled PR is a duplicate of kern/57760. 


Responsible-Changed-From-To: gnats-admin->ceri 
Responsible-Changed-By: ceri 
Responsible-Changed-When: Wed Oct 8 11:42:48 PDT 2003 
Responsible-Changed-Why:  

Take from gnats-admin. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=57712 
>Unformatted:
