-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2004-001 ================================= Topic: Insufficient packet validation in racoon IKE daemon Version: NetBSD-current: source prior to January 17, 2004 NetBSD 1.6.2: not affected (fixed) NetBSD 1.6.1: affected NetBSD 1.6: affected NetBSD-1.5.*: not affected (does not ship with racoon) pkgsrc: packages prior to racoon-20040116a Severity: IPsec SA/ISAKMP SA may be deleted remotely by malicious third party Fixed: NetBSD-current: January 17, 2004 NetBSD-1.6 branch: February 10, 2004 (1.6.2 includes the fix) pkgsrc: racoon-20040116a corrects this issue Abstract ======== NetBSD ships with the racoon(8) IKE (Internet Key Exchange) daemon. A vulnerability was found in the code for packet validation of "informational exchange" messages. By sending specifically-crafted IKE packets, a malicious party could remove an IPsec SA (those visible via setkey(8)) and/or ISAKMP SA (secret communication channel used for communication between IKE daemons) on the victim node. Exploits for this issue have been circulated publicly. Technical Details ================= http://www.securityfocus.com/archive/1/349756 Solutions and Workarounds ========================= If you are not using IPSec, your system is not affected. If you are not running the racoon(8) IKE daemon, your system is not affected. However, we recomend you upgrade racoon so that you will not experience problems if you enable it later. If you are currently running racoon(8), you need to stop the old instance of racoon(8) and run the new one. The following instructions describe how to upgrade your racoon(8) binaries by updating your source tree and rebuilding and installing a new version of racoon(8). * NetBSD-current: Systems running NetBSD-current dated from before 2004-01-16 should be upgraded to NetBSD-current dated 2004-01-17 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): crypto/dist/kame/racoon usr.sbin/racoon To update from CVS, re-build, and re-install racoon: # cd src # cvs update -d -P crypto/dist/kame/racoon usr.sbin/racoon # cd usr.sbin/racoon # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 1.6, 1.6.1: The binary distributions of NetBSD 1.6 and 1.6.1 are vulnerable. * Binary patch: To apply the binary patch, perform the following steps, replacing ARCH with the NetBSD architecture you are running (i.e. i386): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2004-001-racoon/netbsd-1-6/ARCH-racoon.tgz cd / && tar xzvpf /path/to/ARCH-racoon.tgz The tar file will extract a new copy of: /usr/sbin/racoon Then restart racoon: /etc/rc.d/racoon restart * Updating from sources: Systems running NetBSD 1.6 sources dated from before 2004-02-09 should be upgraded from NetBSD 1.6 sources dated 2004-02-10 or later. NetBSD 1.6.2 will include the fix. The following directories need to be updated from the netbsd-1-6 CVS branch: crypto/dist/kame/racoon usr.sbin/racoon To update from CVS, re-build, and re-install racoon: # cd src # cvs update -d -P -r netbsd-1-6 crypto/dist/kame/racoon \ usr.sbin/racoon # cd usr.sbin/racoon # make USETOOLS=no cleandir dependall # make USETOOLS=no install * pkgsrc: If your system has racoon pkgsrc dated before 20040116a, uninstall and upgrade to racoon-20040116a or higher. Thanks To ========= Thomas Walpuski IIJ SEIL team Revision History ================ 2004-02-18 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-001.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2004, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2004-001.txt,v 1.11 2004/02/19 13:29:03 david Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (NetBSD) iQCVAwUBQDU2Rj5Ru2/4N2IFAQF1VQQAso/7NrFiHM4ePxwuYKL6Cgb8IXKtAb0W fWOcMtPGs1vWSKBc80OcT2xLpU0S/CqlcvSLeXyn4cN2tjTSNJpX2jQ2r/0U29TB JXRXu9BQHPYfarYwWe6+KdQRgDKVhLlmqnQsGtlYNyTwUIddl+ZQmFwIoPSnPBcl BaoBeRv4iSA= =5OkL -----END PGP SIGNATURE-----