Implementations of IPSec derived from KAME contain a flaw that may allow a malicious user to spoof IPv4 packets through a security gateway and have them appear authenticated. The issue is triggered when the security gateway is configured to require encapsulating service payload (ESP). The gateway fails to check its security policy database. It is possible that the flaw may allow spoofed or non-encapsulated packets through, resulting in a loss of confidentiality and/or integrity.

Affected IPSec implementations fail to perform inbound policy checks against the security policy database on packets which are forwarded in violation of RFC2401, sections 4.4.1 and 5.2.1 (steps 3 and 4). The erroneous code, found in src/sys/netinet/ip_input.c from the call to ip_forward(), would allow an attacker to inject packets that should be disallowed by a properly implemented security policy, but will not allow the attacker to receive packets improperly since the failed check is only inbound.

Upgrade to an appropriate version of the software -- KAME 1.2088 (1.37 for NetBSD, 1.33 for FreeBSD-4, 1.33), NetBSD -current (1.145) and 1.5-stable (1.114.4.8), or FreeBSD -current (1.192) and -stable (1.130.2.35), or higher, as this has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patches and recompiling.

• CVE ID: 2002-0414 (see also: NVD)
• Bugtraq ID: 4224
• ISS X-Force ID: 8416
• Keyword: Encapsulating Security Payload ESP Security Gateway Security Policy Database SG SPD
• Vendor Specific Advisory URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-003.txt.asc http://orange.kame.net/dev/cvsweb.cgi/kame/CHANGELOG
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-03/0019.html

• Greg Troxel - gdtir.bbn.com -
• Bill Chiarchiaro - wjcwork.cleartech.com -