OpenBSD "empty" AH/ESP Packet Remote Denial of Service Vulnerability
BID:1723
Info
OpenBSD "empty" AH/ESP Packet Remote Denial of Service Vulnerability
| Bugtraq ID: | 1723 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 17 2000 12:00AM |
| Updated: | Sep 17 2000 12:00AM |
| Credit: | Reported to OpenBSD developers on September 17, 2000. Posted to Bugtraq by Matthew Franz <[email protected]> on September 25, 2000. |
| Vulnerable: |
OpenBSD OpenBSD 2.7 |
| Not Vulnerable: | |
Discussion
OpenBSD "empty" AH/ESP Packet Remote Denial of Service Vulnerability
IP Protocols are those which lay directly below the IP header, such as TCP, UDP and ICMP. Network drivers know what sub-IP protocol a packet belongs to by the protocol number value in its IP header. The method used to scan for what IP protocols are supported by a remote host, as employed by Nmap 2.54Beta, is trying various protocol numbers in the IP header and sending the IP packets to the target. Whether or not the host scanning recieves an ICMP protocol unreachable or not determines whether the protocol is supported (given that ICMP isn't filtered..). When a scan of this sort is launched against OpenBSD with IPSEC support, the victim host can crash. The reason for this is that OpenBSD can not handle "empty" AH/ESP packets (or what it believes is an AH/ESP packet, based on the protocol number). The end result is typically a kernel panic and denial of service, which can be caused remotely against a vulnerable OpenBSD host by an attacker armed only with nmap. Other BSDs and Linux are reportedly not vulnerable to this problem.
IP Protocols are those which lay directly below the IP header, such as TCP, UDP and ICMP. Network drivers know what sub-IP protocol a packet belongs to by the protocol number value in its IP header. The method used to scan for what IP protocols are supported by a remote host, as employed by Nmap 2.54Beta, is trying various protocol numbers in the IP header and sending the IP packets to the target. Whether or not the host scanning recieves an ICMP protocol unreachable or not determines whether the protocol is supported (given that ICMP isn't filtered..). When a scan of this sort is launched against OpenBSD with IPSEC support, the victim host can crash. The reason for this is that OpenBSD can not handle "empty" AH/ESP packets (or what it believes is an AH/ESP packet, based on the protocol number). The end result is typically a kernel panic and denial of service, which can be caused remotely against a vulnerable OpenBSD host by an attacker armed only with nmap. Other BSDs and Linux are reportedly not vulnerable to this problem.
Exploit / POC
OpenBSD "empty" AH/ESP Packet Remote Denial of Service Vulnerability
Use nmap to scan protocols on the victim host.
Use nmap to scan protocols on the victim host.
Solution / Fix
OpenBSD "empty" AH/ESP Packet Remote Denial of Service Vulnerability
Solution:
A patch has been made available:
OpenBSD OpenBSD 2.7
Solution:
A patch has been made available:
OpenBSD OpenBSD 2.7
-
OpenBSD ipsec.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/024_ipsec.patch
References
OpenBSD "empty" AH/ESP Packet Remote Denial of Service Vulnerability
References:
References:
- OpenBSD Homepage (OpenBSD)