[Openswan Users] FW: NISCC Vulnerability Advisory IPSEC - 004033

Ryley Breiddal RBreiddal at presinet.com
Mon May 9 12:35:13 CEST 2005


Hello everyone,

I received the vulnerability notice below from bugtraq, among other sources.
I was curious if anyone can decipher whether Openswan is exposed to the flaw
in default/normal configurations.  The notice makes reference to "integrity
protection" within ESP (as opposed to via AH).  Would the "integrity
protection" be in using MD5/SHA-1 for ESP?  If so, would that mean that most
Openswan tunnels are not vulnerable?

Thanks,


Ryley Breiddal
PresiNET Systems

albatross at tim.it wrote:
> Abstract: Three attacks that apply to certain configurations of IPsec
> have been identified. These configurations use Encapsulating Security
> Payload (ESP) in tunnel mode with confidentiality only, or with
> integrity protection being provided by a higher layer protocol. Some
> configurations using AH to provide integrity protection are also
> vulnerable.     
> 
> Vendors affected:
> 
> Operating Systems affected:
> 
> Applications/Services affected: IPSEC
> 
> 
> Title
> =====
> NISCC Vulnerability Advisory IPSEC - 004033
> 
> Detail
> ======
> 
> NISCC Vulnerability Advisory 004033/NISCC/IPSEC
> 
> Vulnerability Issues with IPsec Configurations
> 
> Version Information
> - - -------------------
> Advisory Reference  004033/NISCC/IPSEC
> Release Date	    9 May 2005
> Last Revision	    9 May 2005
> Version Number	    1.0
> 
> What is affected?
> - - -----------------
> Potentially any configuration of IPsec that uses Encapsulating
> Security Payload (ESP) in tunnel 
> mode with confidentiality only, or with integrity protection being
> provided by a higher layer 
> protocol. Some configurations using AH to provide integrity
> protection are also vulnerable. 
> 
> Impact
> - - ------
> If exploited, it is possible for an active attacker to obtain the
> plaintext version of the IPsec- 
> protected communications using only moderate effort.
> 
> Severity
> - - --------
> This is rated as high.
> 
> Summary
> - - -------
> IP Security (IPsec) is a set of protocols developed by the Internet
> Engineering Task Force (IETF) 
> to support secure exchange of packets at the IP layer; IPsec has been
> deployed widely to implement 
> Virtual Private Networks (VPNs).
> 
> Three attacks that apply to certain configurations of IPsec have been
> identified. These 
> configurations use Encapsulating Security Payload (ESP) in tunnel
> mode with confidentiality only, 
> or with integrity protection being provided by a higher layer
> protocol. Some configurations using 
> AH to provide integrity protection are also vulnerable. In these
> configurations, an attacker can 
> modify sections of the IPsec packet, causing either the cleartext
> inner packet to be redirected or 
> a network host to generate an error message. In the latter case,
> these errors are relayed via the 
> Internet Control Message Protocol (ICMP); because of the design of
> ICMP, these messages directly 
> reveal segments of the header and payload of the inner datagram in
> cleartext. An attacker who can 
> intercept the ICMP messages can then retrieve plaintext data. The
> attacks have been implemented and 
> 
> demonstrated to work under realistic conditions.
> 
> [Please note that revisions to this advisory will not be notified by
> email. All 
> subscribers are advised to regularly check the UNIRAS website for
> updates to this notice.] 
> 
> Details
> - - -------
> CVE number: CAN-2005-0039
> 
> IPsec consists of several separate protocols; these include:
> 
>     * Authentication Header (AH): provides authenticity guarantees
> for packets, by attaching strong 
> 
>       cryptographic checksum to packets.
> 
>     * Encapsulating Security Payload (ESP): provides confidentiality
>       guarantees for packets, by encrypting packets with encryption
> algorithms. ESP also provides optional authentication 
> services
>       for packets.
> 
>     * Internet Key Exchange (IKE): provide ways to securely negotiate
> shared keys. 
> 
> AH and ESP has two modes of use: transport mode and tunnel mode. With
> ESP in tunnel mode, an IP 
> packet (called the inner packet) is encrypted in its entirety and is
> used to form the payload of 
> a new packet (called the outer packet); ESP typically uses CBC-mode
> encryption to provide 
> confidentiality. However, without some form of integrity protection,
> CBC-mode encrypted 
> data is vulnerable to modification by an active attacker.
> 
> By making careful modifications to selected portions of the payload
> of the outer packet, an 
> attacker can effect controlled changes to the header of the inner
> (encrypted) packet. The modified 
> inner packet is subsequently processed by the IP software on the
> receiving security gateway or the 
> endpoint host; the inner packet, in cleartext form, may be redirected
> or certain error messages 
> may be produced and communicated by ICMP. Because of the design of
> ICMP, these messages directly 
> reveal cleartext segments of the header and payload of the inner
> packet. If these messages can be 
> intercepted by an attacker, then plaintext data is revealed.
> 
> Attacks exploiting these vulnerabilities rely on the following:
> 
>     * Exploitation of the well-known bit flipping weakness of CBC
> mode encryption. 
> 
>     * Lack of integrity protection for inner packets.
> 
>     * Interaction between IPsec processing and IP processing on
> security gateways and end hosts. 
> 
> 
> These attacks can be fully automated so as to recover the entire
> contents of multiple 
> IPsec-protected inner packets.
> 
> In more detail, the three identified attacks on ESP in tunnel mode
> when integrity protection is not 
> 
> present work as follows:
> 
> 1. Destination Address Rewriting
> 
>     * An attacker modifies the destination IP address of the
>       encrypted (inner) packet by bit- flipping in the payload of the
> outer packet. 
>     * The security gateway decrypts the outer payload to recover the
> (modified) inner packet. 
>     * The gateway then routes the inner packet according to its
> (modified) destination IP address. 
>     * If successful, the "plaintext" inner datagram arrives at a host
> of the attacker's choice. 
> 
> 2. IP Options
> 
>     * An attacker modifies the header length of the encrypted (inner)
> packet by bit-flipping in the 
> 
>       payload of the outer packet.
>     * The security gateway decrypts the outer payload to recover the
> (modified) inner packet. 
>     * The gateway then performs IP options processing on the inner
>       packet because of the modified header length, with the first
>     part of the inner payload being interpreted as options bytes. *
> With some probability, options processing will result in the
> generation of an ICMP "parameter  
> 
>       problem" message.
>     * The ICMP message is routed to the now modified source address
> of the inner packet. 
>     * An attacker intercepts the ICMP message and retrieves the
>       "plaintext" payload of the inner packet.
> 
> 3. Protocol Field
> 
>     * An attacker modifies the protocol field and source address
>       field of the encrypted (inner) packet by bit-flipping in the
> payload of the outer packet. 
>     * The security gateway decrypts the outer payload to recover the
> (modified) inner packet. 
>     * The gateway forwards the inner packet to the intended recipient.
>     * The intended recipient inspects the protocol field of the inner
>       packet and generates an ICMP "protocol unreachable" message.
>     * The ICMP message is routed to the now modified source address
> of the inner packet. 
>     * An attacker intercepts the ICMP message and retrieves the
>       "plaintext" payload of the inner packet.
> 
> The attacks are probabilistic in nature and may need to be iterated
> many times in a first phase in 
> order to be successful. Once this first phase is complete, the
> results can be reused to efficiently 
> recover the contents of further inner packets.
> 
> Naturally, the attacker must be able to intercept traffic passing
> between the security gateways in 
> order to mount the attacks. For the second and third attacks to be
> successful, the attacker must be 
> 
> able intercept the relevant ICMP messages. Variants of these attacks
> in which the destination of 
> the ICMP messages can be controlled by the attacker are also possible.
> 
> Solution
> - - --------
> Any of the following methods can be used to rectify this issue:
> 
> 1. Configure ESP to use both confidentiality and integrity
> protection. This is the recommended 
> solution.
> 
> 2. Use the AH protocol alongside ESP to provide integrity protection.
> However, this must be done 
> carefully: for example, the configuration where AH in transport mode
> is applied end-to-end and 
> tunnelled inside ESP is still vulnerable.
> 
> 3. Remove the error reporting by restricting the generation of ICMP
> messages or by filtering 
> these messages at a firewall or security gateway.
> 
> Vendor Information
> - - ------------------
> A list of vendors affected by this vulnerability is not currently
> available. Please visit the web 
> site in order to check for updates.
> 
> Credits
> - - -------
> The NISCC Vulnerability Team would like to thank all vendors for
> their co-operation with 
> the handling of this vulnerability.
> 
> Contact Information
> - - -------------------
> The NISCC Vulnerability Management Team can be contacted as follows:
> 
> Email	   vulteam at niscc.gov.uk
>            Please quote the advisory reference in the subject line
> 
> Telephone  +44 (0)870 487 0748 Ext 4511
>            Monday - Friday 08:30 - 17:00
> 
> Fax	   +44 (0)870 487 0749
> 
> Post	   Vulnerability Management Team
>            NISCC
>            PO Box 832
>            London
>            SW1P 1BG
> 
> We encourage those who wish to communicate via email to make use of
> our PGP key. This is 
> available from http://www.niscc.gov.uk/niscc/publicKey2-en.pop.
> 
> Please note that UK government protectively marked material should
> not be sent to the email 
> address above.
> 
> If you wish to be added to our email distribution list please email
> your request to 
> uniras at niscc.gov.uk.
> 
> What is NISCC?
> - - --------------
> For further information regarding the UK National Infrastructure
> Security Co-ordination Centre, 
> please visit http://www.niscc.gov.uk/.
> 
> Reference to any specific commercial product, process, or service by
> trade name, trademark 
> manufacturer, or otherwise, does not constitute or imply its
> endorsement, recommendation, or 
> favouring by NISCC. The views and opinions of authors expressed
> within this notice shall not 
> be used for advertising or product endorsement purposes.
> 
> Neither shall NISCC accept responsibility for any errors or omissions
> contained within this 
> advisory. In particular, they shall not be liable for any loss or
> damage whatsoever, 
> arising from or in connection with the usage of information contained
> within this notice. 
> 
> C 2005 Crown Copyright
> <End of NISCC Vulnerability Advisory>
> 
> 
> 
> Acknowledgements
> 
> UNIRAS wishes to acknowledge the contributions of NISCC Vulnerability
> Team for the information contained in this Briefing. 
> Updates
> 
> This advisory contains the information released by the original
> author. Some of the information may have changed since it was
> released. If the vulnerability affects you, it may be prudent to
> retrieve the advisory from the canonical site to ensure that you
> receive the most current information concerning that problem.    
> Legal Disclaimer
> 
> Reference to any specific commercial product, process, or service by
> trade name, trademark manufacturer, or otherwise, does not constitute
> or imply its endorsement, recommendation, or favouring by UNIRAS or
> NISCC. The views and opinions of authors expressed within this notice
> shall not be used for advertising or product endorsement purposes.    
> 
> Neither UNIRAS or NISCC shall also accept responsibility for any
> errors or omissions contained within this briefing notice. In
> particular, they shall not be liable for any loss or damage
> whatsoever, arising from or in connection with the usage of
> information contained within this notice.    
> FIRST
> 
> UNIRAS is a member of the Forum of Incident Response and Security
> Teams (FIRST) and has contacts with other international Incident
> Response Teams (IRTs) in order to foster cooperation and coordination
> in incident prevention, to prompt rapid reaction to incidents, and to
> promote information sharing amongst its members and the community at
> large.     






More information about the Users mailing list