COMMAND

    IPSEC

SYSTEMS AFFECTED

    OpenBSD IPSEC

PROBLEM

    Matthew Franz found the following.  The protocol scanning option
    (-sO) in the 2.54 Beta releases of nmap causes a remote denial of
    service against OpenBSD 2.7's IPSEC implementation, which cannot
    handle tiny (empty) AH/ESP packets.

    Nmap protocol scans cycle through the IP protocol numbers (the
    Protocol field of the IP header, not the IP version), attempting to
    elicit ICMP Protocol Unreachable messages in order to discover which
    IP protocols (ICMP, TCP, UDP, GRE, AH, ESP, etc.) are active on the
    target device.  Most protocols, AH and ESP included, are probed
    with an IP datagram that carries no payload at all; a protocol
    whose probe draws a Protocol Unreachable is reported closed, one
    that does not is treated as open.

    The empty AH/ESP packets panic the OpenBSD 2.7 kernel, which drops
    into the kernel debugger with (more or less) the following trace.
    The panic string shows m_copydata() being handed a null mbuf: the
    IPSEC input path tries to copy the AH/ESP header out of a packet
    that contains no bytes past the IP header.

        panic: m_copydata: null mbuf
        
        Stopped at _Debugger+0x4:   leave
        
         _panic(....
         _m_copydata(...
         _ipsec_common_input(...
         _esp4_input(....
         _ipv4_input(....
         _ipintr(...
        
        Bad frame pointer: 0xe3b55e98
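    The check that is missing from the trace above, as an added
    illustration written for this page (it is not OpenBSD's code and
    does not reproduce the 024_ipsec.patch): before the SPI or sequence
    number of an AH or ESP header is read, the input path must confirm
    that the datagram actually carries the fixed header.  The block also
    builds the kind of datagram a protocol scan sends, a bare IPv4 header
    with protocol 50 or 51 and no payload, so the scan probe and the
    receiver-side length check can be exercised together.  Header sizes
    come from RFC 2402 (AH) and RFC 2406 (ESP); the packet builder, the
    verdict names and the sample SPI/sequence values are constructed for
    the example.

```c
/* ipsec_short_packet_check.c
 * Added illustration, not OpenBSD source: refuse to parse AH/ESP headers
 * that are not fully present, the case an empty nmap -sO probe triggers.
 * Build: cc -std=c99 -Wall ipsec_short_packet_check.c
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_ESP 50
#define PROTO_AH  51

/* Fixed header sizes: ESP = SPI(4) + seq(4); AH = next hdr(1) +
 * payload len(1) + reserved(2) + SPI(4) + seq(4), then the ICV. */
#define ESP_FIXED_LEN 8
#define AH_FIXED_LEN  12

enum verdict {
    VERDICT_OK        = 0,  /* fixed header present, safe to parse on */
    VERDICT_SHORT     = 1,  /* empty or truncated AH/ESP: drop it */
    VERDICT_NOT_IPSEC = 2,  /* some other IP protocol */
    VERDICT_BAD_IP    = 3   /* malformed IPv4 header */
};

struct ipsec_info { uint8_t proto; uint32_t spi; uint32_t seq; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The guard that belongs at the top of the AH/ESP input path: an nmap
 * -sO probe reaches it with len == 0 and must be dropped, not parsed. */
enum verdict ipsec_check_payload(uint8_t proto, const uint8_t *p,
                                 size_t len, struct ipsec_info *out)
{
    size_t fixed;
    if (proto == PROTO_ESP)     fixed = ESP_FIXED_LEN;
    else if (proto == PROTO_AH) fixed = AH_FIXED_LEN;
    else                        return VERDICT_NOT_IPSEC;

    if (p == NULL || len < fixed)
        return VERDICT_SHORT;

    if (proto == PROTO_AH) {
        /* AH payload length = header length in 32-bit words minus 2,
         * so the claimed header (including ICV) must fit the datagram. */
        size_t ah_len = ((size_t)p[1] + 2) * 4;
        if (ah_len < AH_FIXED_LEN || ah_len > len)
            return VERDICT_SHORT;
        out->spi = be32(p + 4);
        out->seq = be32(p + 8);
    } else {
        out->spi = be32(p);
        out->seq = be32(p + 4);
    }
    out->proto = proto;
    return VERDICT_OK;
}

/* Parse a raw IPv4 datagram only far enough to locate its payload. */
enum verdict ipsec_check_datagram(const uint8_t *pkt, size_t len,
                                  struct ipsec_info *out)
{
    size_t ihl, total;
    if (len < 20 || (pkt[0] >> 4) != 4) return VERDICT_BAD_IP;
    ihl   = (size_t)(pkt[0] & 0x0f) * 4;
    total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || ihl > len || total < ihl || total > len)
        return VERDICT_BAD_IP;
    return ipsec_check_payload(pkt[9], pkt + ihl, total - ihl, out);
}

/* Constructed probe: IPv4 header with `proto` and `plen` payload bytes.
 * With plen == 0 this is what a protocol scan sends for AH and ESP. */
size_t build_probe(uint8_t *buf, size_t cap, uint8_t proto,
                   const uint8_t *payload, size_t plen)
{
    size_t total = 20 + plen;
    if (total > cap || total > 0xffff) return 0;
    memset(buf, 0, 20);
    buf[0] = 0x45;                   /* IPv4, IHL 5 (20-byte header) */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    buf[8] = 64;                     /* TTL */
    buf[9] = proto;                  /* checksum left 0: not under test */
    if (plen) memcpy(buf + 20, payload, plen);
    return total;
}

int main(void)
{
    uint8_t pkt[64];
    struct ipsec_info info;
    const uint8_t esp[8] = { 0, 0, 0x10, 0,  0, 0, 0, 1 };  /* SPI 0x1000, seq 1 */
    size_t n;

    n = build_probe(pkt, sizeof pkt, PROTO_ESP, NULL, 0);
    printf("empty ESP probe: verdict %d\n", ipsec_check_datagram(pkt, n, &info));
    n = build_probe(pkt, sizeof pkt, PROTO_ESP, esp, sizeof esp);
    printf("full ESP header: verdict %d spi 0x%x seq %u\n",
           ipsec_check_datagram(pkt, n, &info), info.spi, info.seq);
    return 0;
}
```

    The AH branch shows why "at least the fixed header" is not the
    whole check: the payload-length field promises an ICV that may
    extend past the end of the datagram, so that length is validated
    against what was actually received before anything is copied.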

    OpenBSD 2.7 was the only *NIX IPSEC implementation found to be
    susceptible to this type of scan.  Matthew tested Linux FreeS/WAN
    himself and found it unaffected, and KAME developers reported that
    FreeBSD (and, he assumes, NetBSD) was *not* vulnerable.  AIX and
    Solaris 8 IPSEC implementations were not tested.

SOLUTION

    This vulnerability was reported to OpenBSD developers on 17
    September and an advisory (and patch) was released the following
    day.  See

        ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/024_ipsec.patch

    for details.  The patch applies to the kernel sources, so the fix
    takes effect only once the kernel has been rebuilt, installed and
    the machine rebooted.  Until then, blocking inbound IP protocols 50
    (ESP) and 51 (AH) from untrusted networks at the packet filter
    keeps the probes from reaching the IPSEC input path, at the cost of
    IPSEC traffic from those networks.