[Openswan Users] FW: NISCC Vulnerability Advisory IPSEC - 004033
Ludwig Nussel
ludwig.nussel at suse.de
Tue May 10 15:33:20 CEST 2005
mcr at xelerance.com wrote:
> >>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
> >>> Abstract: Three attacks that apply to certain configurations of
> >>> IPsec have been identified. These configurations use
> >>> Encapsulating Security Payload (ESP) in tunnel mode with
> >>> confidentiality only, or with
>
> Paul> All normal configurations should always be using both
> Paul> confidentiality and authentication.
parse_ipsec_sa_body() in spdb.c contains
[...]
switch (esp_attrs.auth)
{
case AUTH_ALGORITHM_NONE:
if (!ah_seen)
{
DBG(DBG_CONTROL | DBG_CRYPT
, DBG_log("ESP from %s must either have AUTH or be combined with AH"
, ip_str(&c->spd.that.host_addr)));
continue; /* try another */
}
break;
[...]
If that does what it looks like (I didn't check the full context)
then it's not possible to use ESP without authentication in
openswan.
> >>> integrity protection being provided by a higher layer
> >>> protocol. Some configurations using AH to provide integrity
> >>> protection are also vulnerable.
>
> Paul> AH is not really used at all. In fact, we recommend people
> Paul> still use ESP (and not AH or ESP NULL) even if they trust the
> Paul> encryption in other layers (eg WEP or WPA), which they should
> Paul> not.
>
> "higher layer" implies "TCP" to me.
>
> Paul> Perhaps Michael can give a more detailed answer,
>
> No, neither NISCC nor CERT have replied to my emails.
> Where is the full text of the advisory?
http://www.kb.cert.org/vuls/id/302220
cu
Ludwig
--
(o_ Ludwig Nussel
//\ SUSE LINUX Products GmbH, Development
V_/_ http://www.suse.de/
More information about the Users
mailing list