exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Rapid7 Security Advisory 18

Rapid7 Security Advisory 18
Posted Mar 24, 2004
Authored by Rapid7 | Site rapid7.com

Rapid7 Security Advisory - OpenBSD isakmpd payload handling is subject to multiple denial of service vulnerabilities. Known vulnerable: OpenBSD 3.4 and earlier, OpenBSD-current as of March 17, 2004.

tags | advisory, denial of service, vulnerability
systems | openbsd
advisories | CVE-2004-0218, CVE-2004-0219, CVE-2004-0220, CVE-2004-0221, CVE-2004-0222
SHA-256 | 8da0f659cc2f01757fe76a02ef81c99462ce0723e0c7b0c9c6d5be0d74ba2547

Rapid7 Security Advisory 18

Change Mirror Download
Hash: SHA1

Rapid7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
the world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!

Rapid7 Advisory R7-0018
OpenBSD isakmpd payload handling denial-of-service vulnerabilities

Published: March 23, 2004
Revision: 1.0

CVE: CAN-2004-0218, CAN-2004-0219, CAN-2004-0220, CAN-2004-0221,

1. Affected system(s):

o OpenBSD 3.4 and earlier
o OpenBSD-current as of March 17, 2004

2. Summary

The ISAKMP packet processing functions in OpenBSD's isakmpd
daemon contain multiple payload handling flaws that allow
a remote attacker to launch a denial of service attack
against the daemon.

Carefully crafted ISAKMP packets will cause the isakmpd daemon
to attempt out-of-bounds reads, exhaust available memory, or
loop endlessly (consuming 100% of the CPU).

3. Vendor status and information


OpenBSD has been notified of the issues and they have provided
source code patches to fix the problems for -current, 3.4-stable,
and 3.3-stable. See http://www.openbsd.org/errata.html for
more information.

The isakmpd daemon in the upcoming OpenBSD 3.5 release will be
privilege-separated, which greatly lessens the risk of any
future vulnerabilities that may be found.

4. Solution

Update and rebuild the isakmpd daemon:

cd /usr/src/sbin/isakmpd
cvs update -dP
make clean && make obj && make && sudo make install

You can also apply the appropriate patches from
http://www.openbsd.org/errata.html instead of using CVS.

5. Detailed analysis

To test the security and robustness of IPSEC implementations
from multiple vendors, the security research team at Rapid7
has designed the Striker ISAKMP Protocol Test Suite. Striker
is an ISAKMP packet generation tool that automatically produces
and sends invalid and/or atypical ISAKMP packets.

This advisory is the first in a series of vulnerability
disclosures discovered with the Striker test suite. Striker
will be made available to qualified IPSEC vendors. Please
email advisory@rapid7.com for more information on obtaining

OpenBSD's isakmpd daemon performs insufficient validation on
payload lengths and payload field lengths before attempting to
read the fields. This results in out-of-bounds reads in several

Denial of service by 0-length ISAKMP payload
CVE ID: CAN-2004-0218

An ISAKMP packet with a malformed payload having a self-reported
payload length of zero will cause isakmpd to enter an infinite
loop, parsing the same payload over and over again.

This issue is similar to CAN-2003-0989, which affected TCPDUMP.

Denial of service by various malformed ISAKMP IPSEC SA payload
CVE ID: CAN-2004-0219

An ISAKMP packet with a malformed IPSEC SA payload will
cause isakmpd to read out of bounds and crash.

Denial of service by malformed ISAKMP Cert Request payload
CVE ID: CAN-2004-0220

An ISAKMP packet with a malformed Cert Request payload
will cause an integer underflow, resulting in a failed
malloc of a huge amount of memory.

Denial of service by malformed ISAKMP Delete payload
CVE ID: CAN-2004-0221

An ISAKMP packet with a malformed delete payload having
a large number of SPIs will cause isakmpd to read out of
bounds and crash.

Denial of service by various memory leaks
CVE ID: CAN-2004-0222

Various memory leaks in packet processing can be triggered
by a remote attacker until all available memory is exhausted,
resulting in eventual termination of the daemon.

6. Contact Information

Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (617) 603-0700

7. Disclaimer and Copyright

Rapid7, LLC is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.

This advisory Copyright (C) 2004 Rapid7, LLC. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.
Version: GnuPG v1.2.2 (OpenBSD)

Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By