kern/57760: IPsec policy on inbound traffic is not enforced (allows spoofing)

Joachim Schueth dl2kcd at m-net.arbornet.org
Wed Oct 8 11:00:34 PDT 2003


>Number:         57760
>Category:       kern
>Synopsis:       IPsec policy on inbound traffic is not enforced (allows spoofing)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 08 11:00:22 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Joachim Schueth <dl2kcd at darc.de>
>Release:        FreeBSD 4.8-RELEASE-p13 i386
>Organization:
>Environment:
System: FreeBSD 4.8-RELEASE-p13 i386

>Description:
A host with an IPsec policy that requires ESP with authentication or AH
on inbound traffic accepts plain IP packets that carry no authentication.
This allows the IPsec authentication mechanism to be bypassed.

>How-To-Repeat:
The following example uses ESP with authentication, but the effect is
the same with AH.

Configure two hosts running FreeBSD 4.8-RELEASE-p13 with IP addresses
of 192.168.0.26 and 192.168.0.42, respectively (called host26 and host42
below). On host42 (the target host), use the following setkey script:

 flush;
 spdflush;
 add 192.168.0.26 192.168.0.42 esp 0x026042
    -E 3des-cbc  "xxxxxxxxxxxxxxxxxxxxxxxx"
    -A hmac-sha1 "hhhhhhhhhhhhhhhhhhhh";
 add 192.168.0.42 192.168.0.26 esp 0x042026
    -E 3des-cbc  "AAAAAAAAAAAAAAAAAAAAAAAA"
    -A hmac-sha1 "rrrrrrrrrrrrrrrrrrrr";
 spdadd 192.168.0.0/24 192.168.0.0/24 any -P in  ipsec esp/transport//require;
 spdadd 192.168.0.0/24 192.168.0.0/24 any -P out ipsec esp/transport//require;

On host26 (the attacking host), use the same setkey script but omit the
spdadd lines. This means that host26 has the correct security associations
to accept the ESP packets of host42, but host26 itself will not use IPsec
on outgoing packets.

Then establish a TCP connection between host26 and host42, e.g. by
connecting to host42 from host26 via ftp. The connection succeeds, and
a network dump shows ESP from host42 to host26, but plain TCP packets
in the other direction. These packets are accepted by host42 despite the
-P in .../require policy, which is essentially ignored. Thus, an attacker
could inject spoofed packets into an ESP connection simply by omitting
the IPsec elements. The same behaviour is observed when AH is used.

Note that ICMP ping packets are apparently dropped as expected, but not
TCP packets.

>Fix:
This has to be fixed in the kernel. As a workaround, ipfw may be used to
limit non-IPsec traffic.
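One way to put the ipfw workaround into practice, as an added example that is not part of the PR or of FreeBSD itself: a small sh script for host42 that emits an ipfw(8) rule group accepting only ESP (IP protocol 50) and AH (51) from the subnet named in the spdadd lines and refusing everything else that arrives from it in the clear. The addresses are the PR's; the rule numbers, the starting number BASE and the allowance for ISAKMP/IKE on UDP 500 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PR: an ipfw(8) rule group for host42 that
# refuses plain (non-IPsec) IP from the subnet covered by the SPD, so that the
# kernel's failure to enforce "-P in ... esp/transport//require" is compensated
# at the packet filter. Rule numbers and the IKE allowance are assumptions.

NET=192.168.0.0/24    # subnet named in the PR's spdadd lines
ME=192.168.0.42       # host42, the protected host
BASE=1000             # assumed starting rule number; fit it to the existing ruleset

# Print the ipfw commands rather than executing them, so the set can be
# reviewed (or tested) first and then applied with:  ipfw_ipsec_only | sh
ipfw_ipsec_only() {
    n=$BASE
    # Local traffic (including the host talking to its own address) stays allowed.
    echo "ipfw add $n allow ip from any to any via lo0"
    n=$((n + 10))
    # Only ESP (IP protocol 50) and AH (51) may arrive from the subnet unwrapped.
    echo "ipfw add $n allow esp from $NET to $ME in"
    n=$((n + 10))
    echo "ipfw add $n allow ah from $NET to $ME in"
    n=$((n + 10))
    # ISAKMP/IKE, needed only if SAs are negotiated instead of set manually with setkey.
    echo "ipfw add $n allow udp from $NET 500 to $ME 500 in"
    n=$((n + 10))
    # Anything else arriving unprotected from the subnet is dropped and logged;
    # ipfw is first-match, so this rule must carry the highest number of the group.
    echo "ipfw add $n deny log ip from $NET to $ME in"
}

# Number of rules the group contains, used as a quick self-check before applying.
ipfw_rule_count() {
    ipfw_ipsec_only | grep -c '^ipfw add '
}

ipfw_ipsec_only
```

After applying the rules, `ipfw list` shows the group and, with `net.inet.ip.fw.verbose` enabled (the `log` keyword needs the IPFIREWALL_VERBOSE kernel option on 4.x), every plain TCP packet that the SPD should have rejected appears in the log with the deny rule's number, which doubles as a detection of the spoofing attempt described above. The rule group is written for the transport-mode setup of the PR, where the decrypted payload is handed straight to TCP and is not passed through ipfw a second time; for tunnel-mode SAs the decapsulated inner packet does re-enter ip_input, so a deny on plain IP from the subnet would then have to be narrowed so that it does not catch the inner packets as well.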

>Release-Note:
>Audit-Trail:
>Unformatted: