CVE-2004-0403 - Denial of Service vulnerability in KAME Racoon Malformed ISAKMP Packet
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL

Summary
Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field. The IKE daemon reads the fixed ISAKMP header from an incoming UDP datagram and sizes the buffer for the whole message from the header's 32-bit length field before checking that value, so a single unauthenticated packet advertising a huge length triggers an oversized allocation, and a stream of them exhausts memory and takes the daemon down. No authentication or prior security association is needed; the packet only has to reach the IKE port. The fix landed in the KAME snapshot 20040408a and was carried into ipsec-tools; the distribution advisories listed below ship it as backported patches or package upgrades, and no configuration workaround is known.
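The allocation pattern behind this CVE, as an added example written for this page and not code from KAME racoon or ipsec-tools: it parses the 28-byte ISAKMP fixed header (RFC 2408) out of a constructed datagram whose length field is 0xFFFFFFFF, shows the size the vulnerable pattern would hand to the allocator, and then applies the bounds a hardened receiver checks before allocating anything. The function and field names, the constructed packet, and the 65535-byte ceiling (the largest payload one UDP datagram can carry) are assumptions made for this example; the exact check applied in the 20040408a fix may differ.

```c
/* Added example, not racoon/ipsec-tools code: ISAKMP header parsing with
 * the vulnerable "allocate what the header says" pattern beside a bounded
 * version. Names, the constructed packet and the 65535-byte ceiling are
 * assumptions made for this example. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28u     /* RFC 2408 3.1: the fixed header is 28 bytes */
#define ISAKMP_MAX_LEN 65535u  /* assumption: nothing larger fits one UDP datagram */

struct isakmp_hdr {
    uint8_t  i_cookie[8];
    uint8_t  r_cookie[8];
    uint8_t  next_payload;
    uint8_t  version;       /* major << 4 | minor */
    uint8_t  exch_type;
    uint8_t  flags;
    uint32_t msgid;         /* host order after parsing */
    uint32_t length;        /* host order after parsing: total message length */
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the fixed header from a received datagram.
 * Returns 0 on success, -1 if fewer than 28 bytes arrived. */
int isakmp_parse_hdr(const uint8_t *pkt, size_t pktlen, struct isakmp_hdr *h)
{
    if (pktlen < ISAKMP_HDR_LEN)
        return -1;
    memcpy(h->i_cookie, pkt, 8);
    memcpy(h->r_cookie, pkt + 8, 8);
    h->next_payload = pkt[16];
    h->version      = pkt[17];
    h->exch_type    = pkt[18];
    h->flags        = pkt[19];
    h->msgid        = get_be32(pkt + 20);
    h->length       = get_be32(pkt + 24);
    return 0;
}

/* Vulnerable pattern (the bug class of CVE-2004-0403): the buffer size is
 * taken straight from the untrusted 32-bit length field. Returns the byte
 * count that would be handed to the allocator for the message. */
size_t isakmp_unsafe_alloc_size(uint32_t advertised)
{
    return (size_t)advertised;   /* 0xFFFFFFFF becomes a 4 GiB request per packet */
}

/* Bounded pattern: decide before allocating. The advertised length must
 * cover at least the header, fit in one UDP datagram, and not exceed the
 * bytes actually received on the socket. Returns 0 when the packet must
 * be dropped, otherwise the byte count that is safe to allocate. */
size_t isakmp_safe_alloc_size(uint32_t advertised, size_t received)
{
    if (advertised < ISAKMP_HDR_LEN) return 0;   /* shorter than the header itself */
    if (advertised > ISAKMP_MAX_LEN) return 0;   /* cannot be a real message */
    if (advertised > received)       return 0;   /* claims bytes that never arrived */
    return (size_t)advertised;
}

/* Constructed datagram (not a capture): a bare phase-1 header whose length
 * field says 0xFFFFFFFF, with no payload behind it. */
static const uint8_t malformed_pkt[ISAKMP_HDR_LEN] = {
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,  /* initiator cookie */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,  /* responder cookie: zero, new SA */
    0x01,                                     /* next payload: SA */
    0x10,                                     /* ISAKMP version 1.0 */
    0x02,                                     /* exchange type: identity protection */
    0x00,                                     /* flags */
    0x00,0x00,0x00,0x00,                      /* message ID: phase 1 */
    0xff,0xff,0xff,0xff                       /* length: 4294967295 */
};

/* Run the constructed packet through both policies. */
uint32_t demo_advertised_length(void)
{
    struct isakmp_hdr h;
    if (isakmp_parse_hdr(malformed_pkt, sizeof malformed_pkt, &h) != 0)
        return 0;
    return h.length;
}

size_t demo_unsafe_size(void)
{
    return isakmp_unsafe_alloc_size(demo_advertised_length());
}

size_t demo_safe_size(void)
{
    return isakmp_safe_alloc_size(demo_advertised_length(), sizeof malformed_pkt);
}

int main(void)
{
    printf("advertised length : %" PRIu32 "\n", demo_advertised_length());
    printf("unsafe allocation : %zu bytes\n", demo_unsafe_size());
    printf("bounded allocation: %zu bytes (0 = packet dropped)\n", demo_safe_size());
    return 0;
}
```

The third check (advertised length against bytes actually received) is the one that matters operationally: a UDP receiver can learn the datagram size before committing memory, so there is never a reason to allocate more than what is on the socket, and the 65535 ceiling is only a backstop for code paths that allocate before reading.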
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | | 1
Nessus
NASL family: MacOS X Local Security Checks
NASL id: MACOSX_SECUPD20040503.NASL
description: The remote host is missing Security Update 2004-05-03. This security update includes updates for AFP Server, CoreFoundation, and IPSec. It also includes Security Update 2004-04-05, which includes updates for CUPS, libxml2, Mail, and OpenSSL. For Mac OS X 10.2.8, it also includes updates for Apache 1.3, cd9660.util, Classic, CUPS, Directory Services, DiskArbitration, fetchmail, fs_usage, gm4, groff, Mail, OpenSSL, Personal File Sharing, PPP, rsync, Safari, System Configuration, System Initialization, and zlib. This update fixes various issues which may allow an attacker to execute arbitrary code on the remote host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 12518
published: 2004-07-06
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/12518
title: Mac OS X Multiple Vulnerabilities (Security Update 2004-05-03)
code:
```nasl
#
# (C) Tenable Network Security, Inc.
#
# better URL in solution, preserving old:
#http://www.apple.com/downloads/macosx/apple/securityupdate__2004-05-03_(10_3_3_Client).html
#http://www.apple.com/downloads/macosx/apple/securityupdate_2004-05-03_(10_2_8_Client).html
#http://www.apple.com/downloads/macosx/apple/securityupdate_2004-05-03_(10_2_8_Server).html
#http://www.apple.com/downloads/macosx/apple/securityupdate.html

if ( ! defined_func("bn_random") ) exit(0);

include("compat.inc");

# Registration branch: metadata only, no checks run here.
if(description)
{
  script_id(12518);
  script_version ("1.17");
  script_cve_id(
    "CVE-2004-0020",
    "CVE-2004-0113",
    "CVE-2004-0155",
    "CVE-2004-0174",
    "CVE-2004-0392",
    "CVE-2004-0403",
    "CVE-2004-0428",
    "CVE-2004-0430"
  );
  script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2004-05-03)");
  script_summary(english:"Check for Security Update 2004-05-03");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host is missing a Mac OS X update that fixes a security issue."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is missing Security Update 2004-05-03. This security update includes updates for AFP Server, CoreFoundation, and IPSec. It also includes Security Update 2004-04-05, which includes updates for CUPS, libxml2, Mail, and OpenSSL. For Mac OS X 10.2.8, it also includes updates for Apache 1.3, cd9660.util, Classic, CUPS, Directory Services, DiskArbitration, fetchmail, fs_usage, gm4, groff, Mail, OpenSSL, Personal File Sharing, PPP, rsync, Safari, System Configuration, System Initialization, and zlib. This update fixes various issues which may allow an attacker to execute arbitrary code on the remote host."
  );
  script_set_attribute( attribute:"see_also", value:"http://support.apple.com/kb/HT1646" );
  script_set_attribute( attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2004/May/msg00000.html" );
  script_set_attribute( attribute:"solution", value:"Install Security Update 2004-05-03." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # Exploit metadata below refers to the AFP Server issue in the same update, not to the racoon DoS.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'AppleFileServer LoginExt PathName Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/06");
  script_set_attribute(attribute:"vuln_publication_date", value: "2003/02/24");
  script_set_attribute(attribute:"patch_publication_date", value: "2004/05/03");
  script_cvs_date("Date: 2018/08/10 18:07:07");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages");
  exit(0);
}

# Check branch: needs the installed-package list gathered over SSH.
packages = get_kb_item("Host/MacOSX/packages");
if ( ! packages ) exit(0);

uname = get_kb_item("Host/uname");
os = get_kb_item("Host/MacOSX/Version");
if ( egrep(pattern:"Mac OS X 10\.3.* Server", string:os) ) exit(0);

# MacOS X 10.2.8 and 10.3.3 only (Darwin 6.8 and 7.3 respectively)
if ( egrep(pattern:"Darwin.* (6\.8\.|7\.3\.)", string:uname) )
{
  # Flag the host if the update receipt is absent; otherwise record the fixed CVEs.
  if ( ! egrep(pattern:"^SecUpd2004-05-03", string:packages) ) security_hole(0);
  else
  {
    set_kb_item(name:"CVE-2004-0174", value:TRUE);
    set_kb_item(name:"CVE-2003-0020", value:TRUE);
    set_kb_item(name:"CVE-2004-0079", value:TRUE);
    set_kb_item(name:"CVE-2004-0081", value:TRUE);
    set_kb_item(name:"CVE-2004-0112", value:TRUE);
  }
}
```
NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2004-069.NASL
description: A vulnerability in racoon prior to version 20040408a would allow a remote attacker to cause a DoS (memory consumption) via an ISAKMP packet with a large length field. Another vulnerability in racoon was discovered where, when using RSA signatures, racoon would validate the X.509 certificate but would not validate the signature. This can be exploited by an attacker sending a valid and trusted X.509 certificate and any private key. Using this, they could perform a man-in-the-middle attack and initiate an unauthorized connection. This has been fixed in ipsec-tools 0.3.3. The updated packages contain patches backported from 0.3.3 to correct the problem.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14168
published: 2004-07-31
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14168
title: Mandrake Linux Security Advisory : ipsec-tools (MDKSA-2004:069)
code:
```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2004:069.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(14168);
  script_version ("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:47");

  # Covers both the racoon DoS (CVE-2004-0403) and the RSA signature check bypass (CVE-2004-0155).
  script_cve_id("CVE-2004-0155", "CVE-2004-0403");
  script_xref(name:"MDKSA", value:"2004:069");

  script_name(english:"Mandrake Linux Security Advisory : ipsec-tools (MDKSA-2004:069)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandrake Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A vulnerability in racoon prior to version 20040408a would allow a remote attacker to cause a DoS (memory consumption) via an ISAKMP packet with a large length field. Another vulnerability in racoon was discovered where, when using RSA signatures, racoon would validate the X.509 certificate but would not validate the signature. This can be exploited by an attacker sending a valid and trusted X.509 certificate and any private key. Using this, they could perform a man-in-the-middle attack and initiate an unauthorized connection. This has been fixed in ipsec-tools 0.3.3. The updated packages contain patches backported from 0.3.3 to correct the problem."
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Update the affected ipsec-tools, lib64ipsec-tools0 and / or libipsec-tools0 packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ipsec-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64ipsec-tools0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libipsec-tools0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/07/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# Any installed package older than the patched 0.2.5-0.2.100mdk build is reported.
flag = 0;
if (rpm_check(release:"MDK10.0", reference:"ipsec-tools-0.2.5-0.2.100mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64ipsec-tools0-0.2.5-0.2.100mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libipsec-tools0-0.2.5-0.2.100mdk", yank:"mdk")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200404-17.NASL
description: The remote host is affected by the vulnerability described in GLSA-200404-17 (ipsec-tools and iputils contain a remote DoS vulnerability). When racoon receives an ISAKMP header, it allocates memory based on the length of the header field. Thus, an attacker may be able to cause a Denial of Service by creating a header that is large enough to consume all available system resources. Impact: This vulnerability may allow an attacker to remotely cause a Denial of Service. Workaround: A workaround is not currently known for this issue. All users are advised to upgrade to the latest version of the affected package.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14482
published: 2004-08-30
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14482
title: GLSA-200404-17 : ipsec-tools and iputils contain a remote DoS vulnerability
code:
```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200404-17.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(14482);
  script_version("1.12");
  script_cvs_date("Date: 2019/08/02 13:32:41");

  script_cve_id("CVE-2004-0403");
  script_xref(name:"GLSA", value:"200404-17");

  script_name(english:"GLSA-200404-17 : ipsec-tools and iputils contain a remote DoS vulnerability");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200404-17
(ipsec-tools and iputils contain a remote DoS vulnerability)

When racoon receives an ISAKMP header, it allocates memory based on the
length of the header field. Thus, an attacker may be able to cause a Denial
of Services by creating a header that is large enough to consume all
available system resources.

Impact :

This vulnerability may allow an attacker to remotely cause a Denial of
Service.

Workaround :

A workaround is not currently known for this issue. All users are advised
to upgrade to the latest version of the affected package."
  );
  script_set_attribute( attribute:"see_also", value:"http://ipsec-tools.sourceforge.net/" );
  script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200404-17" );
  script_set_attribute(
    attribute:"solution",
    value:
"ipsec-tools users should upgrade to version 0.2.5 or later:

    # emerge sync
    # emerge -pv '>=net-firewall/ipsec-tools-0.3.1'
    # emerge '>=net-firewall/ipsec-tools-0.3.1'

iputils users should upgrade to version 021109-r3 or later:

    # emerge sync
    # emerge -pv '>=net-misc/iputils-021109-r3'
    # emerge '>=net-misc/iputils-021109-r3'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:ipsec-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:iputils");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/04/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/30");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list", "Host/Gentoo/arch");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/Gentoo/arch");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(amd64|ppc|ppc64|s390)$") audit(AUDIT_ARCH_NOT, "amd64|ppc|ppc64|s390", ourarch);

flag = 0;

# iputils is checked on every listed arch; the ipsec-tools check only fires on amd64,
# where any version below 0.3.1 is reported.
if (qpkg_check(package:"net-misc/iputils", arch:"ppc amd64 ppc64 s390", unaffected:make_list("eq 021109-r3"), vulnerable:make_list("eq 021109-r1"))) flag++;
if (qpkg_check(package:"net-firewall/ipsec-tools", arch:"amd64", unaffected:make_list("ge 0.3.1"), vulnerable:make_list("lt 0.3.1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "net-misc/iputils / net-firewall/ipsec-tools");
}
```
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2004-132.NASL
description: An updated ipsec-tools package that fixes vulnerabilities in racoon (the ISAKMP daemon) is now available. When ipsec-tools receives an ISAKMP header, it will attempt to allocate sufficient memory for the entire ISAKMP message according to the header
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 13707
published: 2004-07-23
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/13707
title: Fedora Core 2 : ipsec-tools-0.2.5-2 (2004-132)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2004-165.NASL
description: An updated ipsec-tools package that fixes vulnerabilities in racoon (the ISAKMP daemon) is now available. IPSEC uses strong cryptography to provide both authentication and encryption services. With versions of ipsec-tools prior to 0.2.3, it was possible for an attacker to cause unauthorized deletion of SA (Security Associations). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0164 to this issue. With versions of ipsec-tools prior to 0.2.5, the RSA signature on X.509 certificates was not properly verified when using certificate based authentication. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0155 to this issue. When ipsec-tools receives an ISAKMP header, it will attempt to allocate sufficient memory for the entire ISAKMP message according to the header
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 12488
published: 2004-07-06
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/12488
title: RHEL 3 : ipsec-tools (RHSA-2004:165)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_CCD698DF8E2011D890D10020ED76EF5A.NASL
description: When racoon receives an ISAKMP header, it will attempt to allocate sufficient memory for the entire ISAKMP message according to the header
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19124
published: 2005-07-13
reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/19124
title: FreeBSD : racoon remote denial of service vulnerability (ISAKMP header length field) (ccd698df-8e20-11d8-90d1-0020ed76ef5a)
Oval
accepted: 2013-04-29T04:12:27.755-04:00
class: vulnerability
contributors: Aharon Chernin (SCAP.com, LLC); Dragos Prisaca (G2, Inc.)
definition_extensions: The operating system installed on the system is Red Hat Enterprise Linux 3 (oval:org.mitre.oval:def:11782); CentOS Linux 3.x (oval:org.mitre.oval:def:16651)
description: Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field.
family: unix
id: oval:org.mitre.oval:def:11220
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field.
version: 26

accepted: 2010-09-20T04:00:48.066-04:00
class: vulnerability
contributors: Jay Beale (Bastille Linux); Thomas R. Jones (Maitreya Security); Jonathan Baker (The MITRE Corporation)
description: Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field.
family: unix
id: oval:org.mitre.oval:def:984
status: accepted
submitted: 2004-05-12T12:00:00.000-04:00
title: Racoon Denial of Service via Large Length Field
version: 40
References
- ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.10/SCOSA-2005.10.txt
- ftp://patches.sgi.com/support/free/security/advisories/20040506-01-U.asc
- http://marc.info/?l=bugtraq&m=108369640424244&w=2
- http://secunia.com/advisories/11410
- http://secunia.com/advisories/11877
- http://security.gentoo.org/glsa/glsa-200404-17.xml
- http://securitytracker.com/id?1009937
- http://sourceforge.net/project/shownotes.php?release_id=232288
- http://www.kame.net/dev/cvsweb2.cgi/kame/kame/kame/racoon/isakmp.c.diff?r1=1.180&r2=1.181
- http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:069
- http://www.osvdb.org/5491
- http://www.redhat.com/support/errata/RHSA-2004-165.html
- http://www.securityfocus.com/bid/10172
- http://www.vuxml.org/freebsd/ccd698df-8e20-11d8-90d1-0020ed76ef5a.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15893
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11220
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A984