diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-05:19.ipsec.asc')
| -rw-r--r-- | share/security/advisories/FreeBSD-SA-05:19.ipsec.asc | 116 |
1 files changed, 0 insertions, 116 deletions
diff --git a/share/security/advisories/FreeBSD-SA-05:19.ipsec.asc b/share/security/advisories/FreeBSD-SA-05:19.ipsec.asc deleted file mode 100644 index 8216481ece..0000000000 --- a/share/security/advisories/FreeBSD-SA-05:19.ipsec.asc +++ /dev/null @@ -1,116 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - -============================================================================= -FreeBSD-SA-05:19.ipsec Security Advisory - The FreeBSD Project - -Topic: Incorrect key usage in AES-XCBC-MAC - -Category: core -Module: netinet6 -Announced: 2005-07-27 -Credits: Yukiyo Akisada, Yokogawa Electric Corporation -Affects: FreeBSD 5.3, FreeBSD 5.4 -Corrected: 2005-07-27 08:41:44 UTC (RELENG_6, 6.0-BETA2) - 2005-07-27 08:41:56 UTC (RELENG_5, 5.4-STABLE) - 2005-07-27 08:42:16 UTC (RELENG_5_4, 5.4-RELEASE-p6) - 2005-07-27 08:42:38 UTC (RELENG_5_3, 5.3-RELEASE-p20) -CVE Name: CAN-2005-2359 - -For general information regarding FreeBSD Security Advisories, -including descriptions of the fields above, security branches, and the -following sections, please visit -<URL:http://www.freebsd.org/security/>. - -I. Background - -IPsec is a security protocol for the Internet Protocol networking -layer. It provides a combination of encryption and authentication of -system, using several possible cryptography algorithms. - -II. Problem Description - -A programming error in the implementation of the AES-XCBC-MAC algorithm -for authentication resulted in a constant key being used instead of the -key specified by the system administrator. - -III. Impact - -If the AES-XCBC-MAC algorithm is used for authentication in the absence -of any encryption, then an attacker may be able to forge packets which -appear to originate from a different system and thereby succeed in -establishing an IPsec session. If access to sensitive information or -systems is controlled based on the identity of the source system, this -may result in information disclosure or privilege escalation. - -IV. Workaround - -Do not use the AES-XCBC-MAC algorithm for authentication, or use it -together with some form of IPsec encryption. - -Systems which do not use IPsec, use other algorithms, or have IPsec -encryption enabled are unaffected by this issue. - -V. Solution - -Perform one of the following: - -1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4 or -RELENG_5_3 security branch dated after the correction date. - -2) To patch your present system: - -The following patches have been verified to apply to FreeBSD 5.3 and 5.4 -systems. - -a) Download the relevant patch from the location below, and verify the -detached PGP signature using your PGP utility. - -# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:19/ipsec.patch -# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:19/ipsec.patch.asc - -b) Apply the patch. - -# cd /usr/src -# patch < /path/to/patch - -c) Recompile your kernel as described in -<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the -system. - -VI. Correction details - -The following list contains the revision numbers of each file that was -corrected in FreeBSD. - -Branch Revision - Path -- ------------------------------------------------------------------------- -RELENG_5 - src/sys/netinet6/ah_aesxcbcmac.c 1.1.4.2 -RELENG_5_4 - src/UPDATING 1.342.2.24.2.15 - src/sys/conf/newvers.sh 1.62.2.18.2.11 - src/sys/netinet6/ah_aesxcbcmac.c 1.1.4.1.2.1 -RELENG_5_3 - src/UPDATING 1.342.2.13.2.23 - src/sys/conf/newvers.sh 1.62.2.15.2.25 - src/sys/netinet6/ah_aesxcbcmac.c 1.1.6.1 -RELENG_6 - src/sys/netinet6/ah_aesxcbcmac.c 1.2.2.1 -- ------------------------------------------------------------------------- - -VII. References - -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2359 - -The latest revision of this advisory is available at -ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:19.ipsec.asc ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.1 (FreeBSD) - -iD8DBQFC50oTFdaIBMps37IRAt3IAJ9tqRnoO5+6u/+3Nn8/Cos1cS1/ygCdHmzs -+LPbiS3Bye0Vdvssh7b6vYE= -=v16f ------END PGP SIGNATURE----- |