Vulnerabilities > CVE-2015-4047 - NULL Pointer Dereference vulnerability in multiple products

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
ipsec-tools
canonical
fedoraproject
f5
debian
CWE-476
nessus
NVD
Published: 2015-05-29
Updated: 2019-03-27

Summary

racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon crash) via a series of crafted UDP requests.

Vulnerable Configurations

Part Description Count
Application
Ipsec-Tools
1
Application
F5
429
OS
Canonical
1
OS
Fedoraproject
2
OS
Debian
3

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1367-1.NASL
    descriptionipsec-tools was updated to fix one security issue and a bug. This security issue was fixed : - CVE-2015-4047: racoon/gssapi.c in ipsec-tools allowed remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon crash) via a series of crafted UDP requests (bsc#931989). Due to a packaging error, the racoonf.conf config file was symlinked to /usr/share/doc/packages/ipsec-tools/examples/racoon/samples/racoon.con f on some processor platforms, edits might have happened only in this example file. Before upgrading, please check if /etc/racoon/racoon.conf is a symlink to this example file and backup the content. (bsc#939810) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85376
    published2015-08-13
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85376
    titleSUSE SLES11 Security Update : ipsec-tools (SUSE-SU-2015:1367-1)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2015:1367-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(85376);
  script_version("2.8");
  script_cvs_date("Date: 2019/09/11 11:22:12");

  script_cve_id("CVE-2015-4047");
  script_bugtraq_id(74739);

  script_name(english:"SUSE SLES11 Security Update : ipsec-tools (SUSE-SU-2015:1367-1)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"ipsec-tools was updated to fix one security issue and a bug.

This security issue was fixed :

  - CVE-2015-4047: racoon/gssapi.c in ipsec-tools allowed
    remote attackers to cause a denial of service (NULL
    pointer dereference and IKE daemon crash) via a series
    of crafted UDP requests (bsc#931989).

Due to a packaging error, the racoonf.conf config file was symlinked
to
/usr/share/doc/packages/ipsec-tools/examples/racoon/samples/racoon.con
f on some processor platforms, edits might have happened only in this
example file.

Before upgrading, please check if /etc/racoon/racoon.conf is a symlink
to this example file and backup the content. (bsc#939810)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=931989"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=939810"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2015-4047/"
  );
  # https://www.suse.com/support/update/announcement/2015/suse-su-20151367-1.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?5d5bbed3"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server for VMWare 11-SP3 :

zypper in -t patch slessp3-ipsec-tools-12024=1

SUSE Linux Enterprise Server 11-SP4 :

zypper in -t patch slessp4-ipsec-tools-12024=1

SUSE Linux Enterprise Server 11-SP3 :

zypper in -t patch slessp3-ipsec-tools-12024=1

SUSE Linux Enterprise Debuginfo 11-SP3 :

zypper in -t patch dbgsp3-ipsec-tools-12024=1

To bring your system up-to-date, use 'zypper patch'."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ipsec-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/08/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/13");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES11" && (! preg(pattern:"^(3|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3/4", os_ver + " SP" + sp);


flag = 0;
if (rpm_check(release:"SLES11", sp:"4", reference:"ipsec-tools-0.7.3-1.13.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", reference:"ipsec-tools-0.7.3-1.13.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ipsec-tools");
}
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-234.NASL
    descriptionJavantea discovered a NULL pointer dereference flaw in racoon, the Internet Key Exchange daemon of ipsec-tools. A remote attacker can use this flaw to cause the IKE daemon to crash via specially crafted UDP packets, resulting in a denial of service. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2015-06-01
    plugin id83906
    published2015-06-01
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83906
    titleDebian DLA-234-1 : ipsec-tools security update
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-234-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(83906);
  script_version("2.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2015-4047");
  script_bugtraq_id(74739);

  script_name(english:"Debian DLA-234-1 : ipsec-tools security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Javantea discovered a NULL pointer dereference flaw in racoon, the
Internet Key Exchange daemon of ipsec-tools. A remote attacker can use
this flaw to cause the IKE daemon to crash via specially crafted UDP
packets, resulting in a denial of service.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2015/05/msg00019.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze-lts/ipsec-tools"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Upgrade the affected ipsec-tools, and racoon packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ipsec-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:racoon");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/05/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/01");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"6.0", prefix:"ipsec-tools", reference:"1:0.7.3-12+deb6u1")) flag++;
if (deb_check(release:"6.0", prefix:"racoon", reference:"1:0.7.3-12+deb6u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2623-1.NASL
    descriptionIt was discovered that racoon, the ipsec-tools IKE daemon, incorrectly handled certain UDP packets. A remote attacker could use this issue to cause racoon to crash, resulting in a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id83949
    published2015-06-02
    reporterUbuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83949
    titleUbuntu 12.04 LTS : ipsec-tools vulnerability (USN-2623-1)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL05013313.NASL
    descriptionracoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon crash) via a series of crafted UDP requests. (CVE-2015-4047) Impact When this vulnerability is exploited, the remote attacker may be able use crafted UDP requests to cause the racoon process to stop responding, resulting in a denial-of-service (DoS) attack.
    last seen2020-03-17
    modified2016-01-28
    plugin id88428
    published2016-01-28
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/88428
    titleF5 Networks BIG-IP : IPsec vulnerability (K05013313)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-8968.NASL
    descriptionUpgraded to 0.8.2, fix for CVE-2015-4047, support for Calling-Station-Id Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-06-09
    plugin id84038
    published2015-06-09
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84038
    titleFedora 20 : ipsec-tools-0.8.2-1.fc20 (2015-8968)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3272.NASL
    descriptionJavantea discovered a NULL pointer dereference flaw in racoon, the Internet Key Exchange daemon of ipsec-tools. A remote attacker can use this flaw to cause the IKE daemon to crash via specially crafted UDP packets, resulting in a denial of service.
    last seen2020-06-01
    modified2020-06-02
    plugin id83789
    published2015-05-26
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83789
    titleDebian DSA-3272-1 : ipsec-tools - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-8948.NASL
    descriptionUpgraded to 0.8.2, fix for CVE-2015-4047, support for Calling-Station-Id Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-06-09
    plugin id84037
    published2015-06-09
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84037
    titleFedora 21 : ipsec-tools-0.8.2-1.fc21 (2015-8948)

References