FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec

Pawel Jakub Dawidek pjd at FreeBSD.org
Thu Mar 23 11:29:51 UTC 2006


On Thu, Mar 23, 2006 at 11:03:10AM +0200, Dmitry Pryanishnikov wrote:
> 
> Hello!
> 
> On Wed, 22 Mar 2006, FreeBSD Security Advisories wrote:
> >II.  Problem Description
> >
> >IPsec provides an anti-replay service which when enabled prevents an attacker
> >from successfully executing a replay attack.  This is done through the
> >verification of sequence numbers.  A programming error in the fast_ipsec(4)
> >implementation results in the sequence number associated with a Security
> >Association not being updated, allowing packets to unconditionally pass
> >sequence number verification checks.
> >
> >III. Impact
> >
> >An attacker able to intercept IPSec packets can replay them.  If higher
> >level protocols which do not provide any protection against packet replays
> >(e.g., UDP) are used, this may have a variety of effects.
> 
>  As far as I understood, only systems which use "options FAST_IPSEC" are
> affected by this issue. Is it true? If so, wouldn't it be wise to stress this
> fact in the advisory?

Yes, only FAST_IPSEC and only ESP (AH is ok).

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
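To make the advisory's "sequence number not being updated" failure concrete, here is an added example (written for this page, not FreeBSD's fast_ipsec(4) code) of an ESP-style sliding-window anti-replay check as described in RFC 2401/4303. The window size, the `struct sa_replay` layout, the function names and the constructed packet stream `kSample` are all assumptions of this example. `process_stream()` runs the same stream twice: once with the per-SA state advanced after every accepted packet, and once with the update step skipped, which is the class of defect the advisory describes. With the update skipped, every non-zero sequence number is "newer" than the never-advanced `last_seq`, so replayed packets pass the check unconditionally.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64   /* assumed window size; RFC 4303 requires at least 32 */

/* Per-SA anti-replay state, modelled on the RFC 2401/4303 sliding window. */
struct sa_replay {
    uint32_t last_seq;   /* highest sequence number accepted so far */
    uint64_t bitmap;     /* bit i set => sequence number (last_seq - i) already seen */
};

/* Check a received sequence number against the window WITHOUT touching state.
 * Returns true if the packet would be accepted. */
static bool replay_check(const struct sa_replay *sa, uint32_t seq)
{
    if (seq == 0)
        return false;                               /* seq 0 is never valid */
    if (seq > sa->last_seq)
        return true;                                /* newer than anything seen */
    uint32_t diff = sa->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;                               /* too old, left of window */
    return (sa->bitmap & ((uint64_t)1 << diff)) == 0; /* in window: reject if seen */
}

/* Advance the window after a packet passed both the check and ESP
 * authentication. This is the step that, per the advisory, was not
 * happening on the affected SAs. */
static void replay_update(struct sa_replay *sa, uint32_t seq)
{
    if (seq > sa->last_seq) {
        uint32_t shift = seq - sa->last_seq;
        /* shifting a uint64_t by >= 64 is undefined, so clear instead */
        sa->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (sa->bitmap << shift);
        sa->bitmap |= 1;                            /* bit 0 == last_seq itself */
        sa->last_seq = seq;
    } else {
        sa->bitmap |= (uint64_t)1 << (sa->last_seq - seq);
    }
}

/* Feed a stream of sequence numbers through one SA and count how many are
 * accepted. When update_state is false the accept path never records what it
 * has seen, reproducing the "SA sequence number not updated" defect. */
static int process_stream(const uint32_t *seqs, size_t n, bool update_state)
{
    struct sa_replay sa = { .last_seq = 0, .bitmap = 0 };
    int accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (replay_check(&sa, seqs[i])) {
            accepted++;
            if (update_state)
                replay_update(&sa, seqs[i]);
        }
    }
    return accepted;
}

/* Constructed sample: three fresh packets, two replays of earlier ones, an
 * out-of-order but unseen packet (4 after 5), then two more replays. */
static const uint32_t kSample[] = { 1, 2, 3, 2, 1, 5, 4, 4, 3 };
static const size_t kSampleLen = sizeof(kSample) / sizeof(kSample[0]);

int main(void)
{
    printf("state updated:     %d of %zu accepted (expect 5)\n",
           process_stream(kSample, kSampleLen, true), kSampleLen);
    printf("state not updated: %d of %zu accepted (expect 9)\n",
           process_stream(kSample, kSampleLen, false), kSampleLen);
    return 0;
}
```

Note that the check itself is correct in both runs; the window only works because accepted sequence numbers are written back into the SA. That is why a regression test for anti-replay has to send an actual duplicate after a genuine packet rather than only checking that out-of-window packets are dropped, and why the issue is confined to the ESP path that skipped the write-back rather than to the verification logic as such.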