[Announce] Response to hype around NISCC Vulnerability Advisory IPSEC 004033

Paul Wouters paul at xelerance.com
Fri May 13 14:49:01 EDT 2005

This announcement can also be found at http://www.openswan.org/niscc/

Executive Summary: No version of Openswan is vulnerable to NISCC Vulnerability Advisory IPSEC 004033

May 13th, 2005

Last week NISCC contacted us regarding a new vulnerability in the IPsec
protocol. Unfortunately, their message was not encrypted to our current
GPG key, so we could not read their email. While we were still trying to
contact NISCC, they published their NISCC Vulnerability Advisory IPSEC
004033, which has now found its way to journalists everywhere, such as
on News.com and Slashdot, who are all interpreting NISCC's report as
"IPsec has a major security hole". Unfortunately (or rather fortunately),
this interpretation is completely wrong.

What the advisory is basically saying is that IPsec encryption
(specifically ESP in tunnel mode) without authentication is vulnerable
to various attacks. This has always been known. In fact, Openswan does
not allow anyone to create such an IPsec connection. If NISCC had done
a little bit of research, or had spent a little bit more time trying
to contact us, they would have known this was a rather non-issue for

From openswan-2/programs/pluto/spdb_struct.c:

notification_t parse_ipsec_sa_body(
         /* ... */

         switch (esp_attrs.auth)
         {
             case AUTH_ALGORITHM_NONE:
                 /* ESP without its own authentication is only accepted alongside AH */
                 if (!ah_seen)
                 {
                     DBG(DBG_CONTROL | DBG_CRYPT
                         , DBG_log("ESP from %s must either have AUTH or be combined with AH"
                             , ip_str(&c->spd.that.host_addr)));
                     continue;   /* try another */
                 }
                 /* ... */
         }

Openswan-1 contains similar code in openswan-1/pluto/spdb.c
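
The selection flow in that excerpt, as a stand-alone model. This is an added example, not code from Openswan or from this announcement; the struct, the function name select_proposal and the enum values are simplified assumptions, and the sample offers are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for this example; not Openswan's own definitions. */
enum auth_alg { AUTH_ALGORITHM_NONE = 0, AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_HMAC_SHA1 };

struct proposal {            /* hypothetical: one offered protocol combination */
    bool has_ah;             /* proposal also carries an AH transform */
    bool has_esp;            /* proposal carries an ESP transform */
    enum auth_alg esp_auth;  /* ESP authentication attribute, if any */
};

/* Return the index of the first acceptable proposal, or -1 if every offer
 * must be refused. Models the "try another" flow shown in the excerpt. */
int select_proposal(const struct proposal *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        bool ah_seen = p[i].has_ah;

        if (!p[i].has_ah && !p[i].has_esp)
            continue;   /* nothing usable offered */

        if (p[i].has_esp && p[i].esp_auth == AUTH_ALGORITHM_NONE && !ah_seen) {
            fprintf(stderr, "proposal %zu: ESP must either have AUTH or be combined with AH\n", i);
            continue;   /* try another */
        }
        return (int)i;
    }
    return -1;
}

/* Constructed sample offers. */
static const struct proposal offer_mixed[] = {
    { false, true, AUTH_ALGORITHM_NONE },       /* encryption only: skipped */
    { false, true, AUTH_ALGORITHM_HMAC_SHA1 },  /* ESP with authentication: accepted */
};
static const struct proposal offer_enc_only[] = { { false, true, AUTH_ALGORITHM_NONE } };
static const struct proposal offer_with_ah[]  = { { true,  true, AUTH_ALGORITHM_NONE } };

int main(void)
{
    printf("mixed offer     -> %d\n", select_proposal(offer_mixed, 2));
    printf("encryption only -> %d\n", select_proposal(offer_enc_only, 1));
    printf("ESP + AH        -> %d\n", select_proposal(offer_with_ah, 1));
    return 0;
}
```

A peer that offers only encryption-only ESP ends up with no proposal selected, so no such connection is negotiated.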

For further information, please contact Xelerance Corporation. For details,
please see: http://www.xelerance.com/contact/
