IETF IPSEC Protocol Encapsulating Security Payload Vulnerability
BID:13562
Info
IETF IPSEC Protocol Encapsulating Security Payload Vulnerability
| Bugtraq ID: | 13562 |
| Class: | Design Error |
| CVE: |
CVE-2005-0039 |
| Remote: | Yes |
| Local: | No |
| Published: | May 09 2005 12:00AM |
| Updated: | Jul 12 2009 02:06PM |
| Credit: | These attacks were reported by NISCC. |
| Vulnerable: |
IETF RFC 2406: IPSEC HP Tru64 5.1 B-3 HP Tru64 5.1 B-2 PK4 HP HP-UX B.11.23 HP HP-UX B.11.11 HP HP-UX B.11.00 Hitachi GR2000-BH Hitachi GR2000-2B+ Hitachi GR2000-2B Hitachi GR2000-1B |
| Not Vulnerable: | |
Discussion
IETF IPSEC Protocol Encapsulating Security Payload Vulnerability
A vulnerability affects certain configurations of IPSec.
When IPSec is configured to employ Encapsulating Security Payload (ESP) in tunnel mode with confidentiality only, where Authentication Header (AH) is not being used to provide packet integrity protection, certain attacks against the IPSec protocol are possible.
Reports indicate that these attacks may also potentially be possible against IPSec when AH is in use, but only under certain unspecified configurations.
The reported attacks take advantage of the fact that no ESP packet payload integrity checks exist when ESP is configured in the vulnerable aforementioned manner.
This issue may be leveraged by an attacker to reveal plaintext IP datagrams and potentially sensitive information. Information harvested in this manner may be used to aid in further attacks.
This BID will be updated as further information is made available.
A vulnerability affects certain configurations of IPSec.
When IPSec is configured to employ Encapsulating Security Payload (ESP) in tunnel mode with confidentiality only, where Authentication Header (AH) is not being used to provide packet integrity protection, certain attacks against the IPSec protocol are possible.
Reports indicate that these attacks may also potentially be possible against IPSec when AH is in use, but only under certain unspecified configurations.
The reported attacks take advantage of the fact that no ESP packet payload integrity checks exist when ESP is configured in the vulnerable aforementioned manner.
This issue may be leveraged by an attacker to reveal plaintext IP datagrams and potentially sensitive information. Information harvested in this manner may be used to aid in further attacks.
This BID will be updated as further information is made available.
Exploit / POC
IETF IPSEC Protocol Encapsulating Security Payload Vulnerability
The discoverer of this issue reports that a reliable exploit was created to leverage this issue. This exploit is not believed to be public.
The discoverer of this issue reports that a reliable exploit was created to leverage this issue. This exploit is not believed to be public.
Solution / Fix
IETF IPSEC Protocol Encapsulating Security Payload Vulnerability
Solution:
Hitachi GR2000-B Series routers are affected by this vulnerability. Hitachi has advised affected users to use the AH protocol workaround to mitigate this issue.
HP has released advisory SSRT5957, along with fixes to address this issue. Please see the referenced advisory for further information.
HP has released advisory HPSBUX02079 and fixes to address this issue. Please see the referenced advisory for details.
HP Tru64 5.1 B-2 PK4
HP Tru64 5.1 B-3
Solution:
Hitachi GR2000-B Series routers are affected by this vulnerability. Hitachi has advised affected users to use the AH protocol workaround to mitigate this issue.
HP has released advisory SSRT5957, along with fixes to address this issue. Please see the referenced advisory for further information.
HP has released advisory HPSBUX02079 and fixes to address this issue. Please see the referenced advisory for details.
HP Tru64 5.1 B-2 PK4
-
HP T64KIT0026133-V51BB25-ES-20050801
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0026 133-V51BB25-ES-20050801
HP Tru64 5.1 B-3
-
HP T64KIT0026161-V51BB26-ES-20050804
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0026 161-V51BB26-ES-20050804
References
IETF IPSEC Protocol Encapsulating Security Payload Vulnerability
References:
References:
- HPSBUX02079 SSRT5957 - HP-UX IPSec Encapsulating Security Payload (ESP) Tunnel M (HP)
- NISCC Vulnerability Advisory IPSEC - 004033 (NISCC)
- RFC 2406 : IP Encapsulating Security Payload (ESP) (IETF)
- SSRT5957 rev.0 - HP Tru64 UNIX IPSEC Tunnel ESP Mode Remote Unauthorized Disclos (HP)
- Vulnerability Note VU#302220 - IPsec configurations may be vulnerable to informa (US-CERT)
- [security bulletin] SSRT5957 rev.0 - HP Tru64 UNIX IPSEC Tunnel ESP Mode Remote (Security Alert
) - NISCC Vulnerability Advisory IPSEC - 004033 (
)