Date: 07 Apr 2004 18:54:30 +0200 From: Ralf Spenneberg <ralf@spenneberg.net> To: Bugtraq <bugtraq@securityfocus.com> Subject: CAN-2004-0155: The KAME IKE Daemon Racoon does not verify RSA Signatures during Phase 1, allows man-in-the-middle attacks and unauthorized connections
Security Advisory: The KAME IKE Daemon Racoon does not verify RSA Signatures during Phase 1, allows man-in-the-middle attacks and unauthorized connections Author: Ralf Spenneberg <ralf@spenneberg.net> Revision: 1 Last Updated: April 07, 2004 18:00 CAN-2004-0155 Summary: The KAME IKE Daemon racoon authenticates the peer in Phase 1 using either preshared keys, RSA signatures or GSS-API. When RSA signatures are used, racoon validates the X.509 certificate send by the peer but not the RSA signature. If the peer sends a valid and trusted X.509 certificate during Phase 1 any private key can be used to generate the RSA signature. The authentication will still succeed. Impact: Very High: Since racoon is the an often used IKE daemon on the *BSD platform and on the native Linux kernel 2.6 IPsec stack. If the attacker has access to a valid and trusted X.509 certificate he can establish an IPsec connection to racoon or can start a man-in-the-middle attack. Exploit: No exploit code is needed. Racoon itself can be used to exploit this security bug. The important configuration line: certificate_type x509 certificate badprivatekey; If the certificate is valid and trusted by the attacked racoon the attacker can connect using any 'badprivatekey' Vulnerable: Tested: Linux: ipsec-tools <=0.2.4; <=0.3rc4 FreeBSD 4.9 using racoon-20030711 Not-tested but probable looking at the code: All KAME/racoon version published before April 06 2004 I do not have access to the Apple/racoon version, but it is highly probable that this version is vulnerable, too. Technical description: In function eay_rsa_verify() in file crypto_openssl.c: [...] evp = d2i_PUBKEY(NULL, &bp, pubkey->l); if (evp == NULL) return 0; [...] In this context the function d2i_PUBKEY always returns NULL. The function therefore exits with the returncode 0 (success). The actual verification of the signature does not take place. Solution: Upgrade is needed. No workaround is known! The attached patch fixed the problem on Linux using the ipsec-tools package. Updated packages are already available for some distributions: ipsec-tools: http://ipsec-tools.sf.net KAME: Updates are available in their CVS Gentoo: Has already published their Security Advisory Credits: Michal Ludvig Hans Hacker -- Ralf Spenneberg UNIX/Linux Trainer and Consultant, RHCE, RHCX Waldring 34 48565 Steinfurt Germany Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757 Mobil: +49(0)177 567 27 40 Markt+Technik Buch: Intrusion Detection für Linux Server Addison-Wesley Buch: VPN mit Linux IPsec-Howto: http://www.ipsec-howto.org IPsec/PPTP Kernels for Red Hat Linux: http://www.spenneberg.com/.net/.org/.de Honeynet Project Mirror: http://honeynet.spenneberg.org Snort Mirror: http://snort.spenneberg.org