Racoon IKE Daemon Unauthorized X.509 Certificate Connection Vulnerability
BID:10072
Info
Racoon IKE Daemon Unauthorized X.509 Certificate Connection Vulnerability
| Bugtraq ID: | 10072 |
| Class: | Access Validation Error |
| CVE: |
CVE-2004-0155 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 07 2004 12:00AM |
| Updated: | Feb 20 2007 04:56PM |
| Credit: | Discovery is credited to Ralf Spenneberg. |
| Vulnerable: |
SGI ProPack 3.0 SCO Unixware 7.1.4 Redhat Fedora Core2 Redhat Fedora Core1 KAME Racoon 20030711 KAME Racoon IPsec-Tools IPsec-Tools 0.3 rc4 IPsec-Tools IPsec-Tools 0.3 rc3 IPsec-Tools IPsec-Tools 0.3 rc2 IPsec-Tools IPsec-Tools 0.3 rc1 IPsec-Tools IPsec-Tools 0.2.4 IPsec-Tools IPsec-Tools 0.2.3 IPsec-Tools IPsec-Tools 0.2.2 IPsec-Tools IPsec-Tools 0.2.1 IPsec-Tools IPsec-Tools 0.2 IPsec-Tools IPsec-Tools 0.1 Gentoo Linux 1.4 _rc3 Gentoo Linux 1.4 _rc2 Gentoo Linux 1.4 _rc1 Gentoo Linux 1.4 Gentoo Linux 1.2 Gentoo Linux 1.1 a Gentoo Linux 0.7 Gentoo Linux 0.5 Apple Mac OS X Server 10.3.3 Apple Mac OS X Server 10.2.8 Apple Mac OS X 10.3.3 Apple Mac OS X 10.2.8 |
| Not Vulnerable: |
IPsec-Tools IPsec-Tools 0.3 rc5 IPsec-Tools IPsec-Tools 0.2.5 |
Discussion
Racoon IKE Daemon Unauthorized X.509 Certificate Connection Vulnerability
The racoon IKE daemon is prone to a security vulnerability that may allow unauthorized access. This issue may allow holders of valid X.509 certificates to make unauthorized connections to the VPN without being required to have the corresponding private key. Man-in-the-middle attacks are also possible.
This issue affects the racoon daemon included in IPsec-Tools for Linux 2.6 Kernel and the version included in KAME's IPsec utilities.
The racoon IKE daemon is prone to a security vulnerability that may allow unauthorized access. This issue may allow holders of valid X.509 certificates to make unauthorized connections to the VPN without being required to have the corresponding private key. Man-in-the-middle attacks are also possible.
This issue affects the racoon daemon included in IPsec-Tools for Linux 2.6 Kernel and the version included in KAME's IPsec utilities.
Exploit / POC
Racoon IKE Daemon Unauthorized X.509 Certificate Connection Vulnerability
An attacker may exploit this issue using the racoon daemon itself by setting the following configuration option:
certificate_type x509 certificate badprivatekey;
(where 'badprivatekey' equals an arbitrary private key for the certificate)
The attacker can then make an unauthorized connection.
An attacker may exploit this issue using the racoon daemon itself by setting the following configuration option:
certificate_type x509 certificate badprivatekey;
(where 'badprivatekey' equals an arbitrary private key for the certificate)
The attacker can then make an unauthorized connection.
Solution / Fix
Racoon IKE Daemon Unauthorized X.509 Certificate Connection Vulnerability
Solution:
Please see the referenced advisories for more information.
Redhat Fedora Core2
IPsec-Tools IPsec-Tools 0.1
IPsec-Tools IPsec-Tools 0.2
IPsec-Tools IPsec-Tools 0.2.1
IPsec-Tools IPsec-Tools 0.2.2
IPsec-Tools IPsec-Tools 0.2.3
IPsec-Tools IPsec-Tools 0.2.4
IPsec-Tools IPsec-Tools 0.3 rc2
IPsec-Tools IPsec-Tools 0.3 rc4
IPsec-Tools IPsec-Tools 0.3 rc1
IPsec-Tools IPsec-Tools 0.3 rc3
Apple Mac OS X 10.2.8
Apple Mac OS X Server 10.2.8
Apple Mac OS X Server 10.3.3
Apple Mac OS X 10.3.3
SGI ProPack 3.0
SCO Unixware 7.1.4
Solution:
Please see the referenced advisories for more information.
Redhat Fedora Core2
-
RedHat ipsec-tools-0.2.5-4.i386.rpm
Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
RedHat ipsec-tools-0.2.5-4.x86_64.rpm
Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
RedHat ipsec-tools-debuginfo-0.2.5-4.i386.rpm
Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
RedHat ipsec-tools-debuginfo-0.2.5-4.x86_64.rpm
Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
IPsec-Tools IPsec-Tools 0.1
-
IPsec-Tools IPsec-Tools 0.2.5
http://sourceforge.net/project/showfiles.php?group_id=74601&release_id =228873
IPsec-Tools IPsec-Tools 0.2
-
IPsec-Tools IPsec-Tools 0.2.5
http://sourceforge.net/project/showfiles.php?group_id=74601&release_id =228873
IPsec-Tools IPsec-Tools 0.2.1
-
IPsec-Tools IPsec-Tools 0.2.5
http://sourceforge.net/project/showfiles.php?group_id=74601&release_id =228873
IPsec-Tools IPsec-Tools 0.2.2
-
IPsec-Tools IPsec-Tools 0.2.5
http://sourceforge.net/project/showfiles.php?group_id=74601&release_id =228873
IPsec-Tools IPsec-Tools 0.2.3
-
IPsec-Tools IPsec-Tools 0.2.5
http://sourceforge.net/project/showfiles.php?group_id=74601&release_id =228873 -
Mandrake ipsec-tools-0.2.5-0.1.100mdk.i586.rpm
Mandrake Linux 10.0
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libipsec-tools0-0.2.5-0.1.100mdk.i586.rpm
Mandrake Linux 10.0
http://www.mandrakesecure.net/en/ftp.php
IPsec-Tools IPsec-Tools 0.2.4
-
IPsec-Tools IPsec-Tools 0.2.5
http://sourceforge.net/project/showfiles.php?group_id=74601&release_id =228873
IPsec-Tools IPsec-Tools 0.3 rc2
-
IPsec-Tools IPsec-Tools 0.3rc5
http://sourceforge.net/project/showfiles.php?group_id=74601&release_id =228883
IPsec-Tools IPsec-Tools 0.3 rc4
-
IPsec-Tools IPsec-Tools 0.3rc5
http://sourceforge.net/project/showfiles.php?group_id=74601&release_id =228883
IPsec-Tools IPsec-Tools 0.3 rc1
-
IPsec-Tools IPsec-Tools 0.3rc5
http://sourceforge.net/project/showfiles.php?group_id=74601&release_id =228883
IPsec-Tools IPsec-Tools 0.3 rc3
-
IPsec-Tools IPsec-Tools 0.3rc5
http://sourceforge.net/project/showfiles.php?group_id=74601&release_id =228883
Apple Mac OS X 10.2.8
-
Apple SecUpd2004-05-03Jag.dmg
http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z/Sec Upd2004-05-03Jag.dmg -
Apple SecUpd2004-05-03Pan.dmg
http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z/Sec Upd2004-05-03Pan.dmg -
Apple SecUpdSrvr2004-05-03Jag.dmg
http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z/Sec UpdSrvr2004-05-03Jag.dmg -
Apple SecUpdSrvr2004-05-03Pan.dmg
http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z/Sec UpdSrvr2004-05-03Pan.dmg
Apple Mac OS X Server 10.2.8
-
Apple SecUpd2004-05-03Jag.dmg
http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z/Sec Upd2004-05-03Jag.dmg -
Apple SecUpd2004-05-03Pan.dmg
http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z/Sec Upd2004-05-03Pan.dmg -
Apple SecUpdSrvr2004-05-03Jag.dmg
http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z/Sec UpdSrvr2004-05-03Jag.dmg -
Apple SecUpdSrvr2004-05-03Pan.dmg
http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z/Sec UpdSrvr2004-05-03Pan.dmg
Apple Mac OS X Server 10.3.3
-
Apple SecUpd2004-05-03Jag.dmg
http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z/Sec Upd2004-05-03Jag.dmg -
Apple SecUpd2004-05-03Pan.dmg
http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z/Sec Upd2004-05-03Pan.dmg -
Apple SecUpdSrvr2004-05-03Jag.dmg
http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z/Sec UpdSrvr2004-05-03Jag.dmg -
Apple SecUpdSrvr2004-05-03Pan.dmg
http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z/Sec UpdSrvr2004-05-03Pan.dmg
Apple Mac OS X 10.3.3
-
Apple SecUpd2004-05-03Jag.dmg
http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z/Sec Upd2004-05-03Jag.dmg -
Apple SecUpd2004-05-03Pan.dmg
http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z/Sec Upd2004-05-03Pan.dmg -
Apple SecUpdSrvr2004-05-03Jag.dmg
http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z/Sec UpdSrvr2004-05-03Jag.dmg -
Apple SecUpdSrvr2004-05-03Pan.dmg
http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z/Sec UpdSrvr2004-05-03Pan.dmg
SGI ProPack 3.0
-
SGI patch10075.tar.gz
ftp://patches.sgi.com/support/free/security/patches/ProPack/3/
SCO Unixware 7.1.4
-
SCO erg712650.pkg.Z
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.10/erg712650.pkg.Z -
SCO SCOSA-2005.10
UnixWare 7.1.4
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.10
References
Racoon IKE Daemon Unauthorized X.509 Certificate Connection Vulnerability
References:
References:
- IPsec-Tools Homepage (IPsec-Tools)
- RHSA-2004:165-09 - Updated ipsec-tools package fixes vulnerabilities in ISAKMP (RedHat)
- Vendor Homepage (KAME Project)
- CAN-2004-0155: The KAME IKE Daemon Racoon does not verify RSA Signatures during (Ralf Spenneberg
)