[Openswan Users] [Announce] Response to hype around NISCC Vulnerability Advisory IPSEC 004033

Jacco de Leeuw jacco2 at dds.nl
Sat May 14 18:55:25 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Paul Wouters wrote:

| Last week NISCC contacted us regarding a new vulnerability in the IPsec
| protocol. Unfortunately, their message was not encrypted to our current
| GPG key, so we could not read their email.

Isn't this a bit odd? What went wrong? Did they use an old key?

| While we were still trying to
| contact NISCC, they published their NISCC Vulnerability Advisory IPSEC
| 004033, which has now found its way to journalists everywhere, such as
| on News.com and Slashdot whom are all interpreting NISCC's report as
| "IPsec has a major security hole". Unfortunately (or rather fortunately),
| this interpretation is completely wrong.

It took me 5 seconds to assess this advisory as bogus. Which vendor
in their right mind would use encryption without message integrity?
Every cryptography textbook warns against this.

I'm not surprised that the list of vendors affected by this vulnerability
is still not available.

(I wouldn't call the Slashdot editors journalists, though :-)

|> From openswan-2/programs/pluto/spdb_struct.c:

Strongswan and FreeS/WAN 2.05 contain the same code in programs/pluto/spdb.c.
AH has been removed from FreeS/WAN 2.06 so the code is slightly different:

~                switch (esp_attrs.auth)
~                {
~                    case AUTH_ALGORITHM_NONE:
~                        {
~                            DBG(DBG_CONTROL | DBG_CRYPT
~                                , DBG_log("ESP from %s must have AUTH"
~                                    , ip_str(&c->spd.that.host_addr)));
~                            continue;   /* try another */
~                        }
~                        break;


Of course I don't speak for the Strongswan and FreeS/WAN teams but I'd say
they are not vulnerable either.

Jacco
- --
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFChh9s0GeQNf03tTcRAlt3AJ9Ue7YR/k3vwNy6A474hkCgFrQJFACfVUEw
kvL7c9dsyldJRhhUbu99kNw=
=P/ih
-----END PGP SIGNATURE-----


More information about the Users mailing list