-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2005-007
                 =================================

Topic:          AES-XCBC-MAC (IPsec AH) calculated using fixed key

Version:        NetBSD-current: source prior to July 28, 2005
                NetBSD 2.1:     not affected
                NetBSD 2.0.3:   not affected
                NetBSD 2.0.2:   affected
                NetBSD 2.0:     affected
                NetBSD 1.6.*:   unaffected

Severity:       Affected SAs lack integrity protection so an attacker
                can forge data and have it be wrongly accepted

Fixed:          NetBSD-current:         July 28, 2005
                NetBSD-3 branch:        July 28, 2005 (3.0 will include the fix)
                NetBSD-2.0 branch:      July 28, 2005 (2.0.3 includes the fix)
                NetBSD-2 branch:        July 28, 2005 (2.1 includes the fix)


Abstract
========

Machines using IPsec [RFC2401] with AH and the AES-XCBC-MAC algorithm
[RFC3566] incorrectly used a fixed key instead of the provided one.
Because a known key is used, affected Security Associations lack
integrity and data origin authentication protection, and an attacker
could send forged packets which would be accepted by the receiver.


Technical Details
=================

An error in the implementation of the AES-XCBC-MAC algorithm, used by
IPsec SAs for authentication, meant that ah_aes_xcbc_mac_init() only
seeded r_k1s with the constant in k1seed and never encrypted that seed
under the SA's authentication key. r_k1s was later passed as the
encryption key to rijndaelEncrypt() by ah_aes_xcbc_mac_loop() and
ah_aes_xcbc_mac_result(), so both used the same constant encryption key
for authentication and never used the key (set by the administrator)
passed from userland.

Because of this error, a receiving system using AH with AES-XCBC-MAC
checks an IPsec datagram with a fixed and known key. An attacker could
create a forged packet with a valid Integrity Check Value, causing the
receiver to accept the packet. Also, systems with this bug will not
interoperate with systems that derive the key correctly.

If AH with AES-XCBC-MAC is used without confidentiality protection
(e.g. ESP [RFC2406]), an attacker can trivially cause data of his
choice to be received and processed.
With confidentiality protection, causing particular data to be processed
is harder, but note that in general confidentiality mechanisms do not
provide effective integrity protection.


Solutions and Workarounds
=========================

A workaround is to not use the AES-XCBC-MAC algorithm for authentication,
but it is highly recommended that any users of affected NetBSD versions
upgrade their kernel.

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version
of the kernel.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2005-07-28
        should be upgraded to NetBSD-current dated 2005-07-29 or later.
        (Systems built from the netbsd-3 branch should be upgraded to
        2005-07-29 or later.)

        The following files need to be updated from the
        netbsd-current CVS branch (aka HEAD):

                src/sys/netinet6/ah_aesxcbcmac.c

        To update from CVS, re-build, and re-install the kernel:

                # cd src
                # cvs update -d -P sys/netinet6/ah_aesxcbcmac.c
                # ./build.sh kernel=GENERIC
                # mv /netbsd /netbsd.old
                # cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
                # shutdown -r now

* NetBSD 2.x:

        Systems built from source along the netbsd-2 or netbsd-2-0
        branches dated from before 2005-07-28 should be upgraded from
        sources dated 2005-07-29 or later. This includes the binary
        distributions of NetBSD 2.0 and NetBSD 2.0.2. NetBSD 2.1
        includes the fix.

        The following files should be updated from CVS:

                src/sys/netinet6/ah_aesxcbcmac.c

        To update from CVS, verify that your sources are from the
        correct branch, re-build, and re-install the kernel:

                # cd src
                # cvs update -d -P sys/netinet6/ah_aesxcbcmac.c
                # ./build.sh kernel=GENERIC
                # mv /netbsd /netbsd.old
                # cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
                # shutdown -r now

* NetBSD 1.6 (and subsequent point releases) do not include
  AES-XCBC-MAC and are thus unaffected.


Thanks To
=========

Yukiyo Akisada for reporting the bug to KAME.
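To make the Technical Details section concrete, the following is an added example written for this page (not NetBSD's or KAME's code). It implements AES-XCBC-MAC-96 as RFC 3566 specifies next to a subkey derivation that reproduces the defect described above, K1 left as the raw k1seed constant instead of that constant encrypted under the SA key. It assumes, as the advisory's "fixed and known key" statement implies, that K2 and K3 were likewise produced from the constant schedule; the names icv96, subkeys and buggySubkeys and the sample keys are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
)

// Constant seeds from RFC 3566; k1seed is the one the advisory names.
var k1seed, k2seed, k3seed = bytes.Repeat([]byte{1}, 16), bytes.Repeat([]byte{2}, 16), bytes.Repeat([]byte{3}, 16)

// ecb encrypts one 16-byte block with AES under a 16-byte key.
func ecb(key, in []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	c.Encrypt(out, in)
	return out
}
func xorIn(dst, src []byte) { for j := range dst { dst[j] ^= src[j] } } // XOR len(dst) bytes of src into dst

// subkeys is the RFC 3566 derivation: each seed is encrypted under the SA key.
func subkeys(key []byte) (k1, k2, k3 []byte) {
	return ecb(key, k1seed), ecb(key, k2seed), ecb(key, k3seed)
}

// buggySubkeys models the advisory's defect: K1 is the raw k1seed, never encrypted under the
// SA key (assumed: K2, K3 then come from that constant schedule, so nothing depends on the key).
func buggySubkeys(_ []byte) (k1, k2, k3 []byte) {
	return k1seed, ecb(k1seed, k2seed), ecb(k1seed, k3seed)
}

// icv96 computes the AH Integrity Check Value: CBC-MAC under K1, last block XORed with K2
// (full block) or padded 10* and XORed with K3 (short block), truncated to 96 bits.
func icv96(derive func([]byte) (k1, k2, k3 []byte), key, msg []byte) []byte {
	k1, k2, k3 := derive(key)
	n := 1 + (len(msg)-1)/16 // Go truncates toward zero: an empty message is one padded block
	e := make([]byte, 16)
	for i := 0; i < n-1; i++ {
		xorIn(e, msg[i*16:])
		e = ecb(k1, e)
	}
	last, tail, kx := make([]byte, 16), msg[(n-1)*16:], k2
	copy(last, tail)
	if len(tail) != 16 {
		last[len(tail)], kx = 0x80, k3
	}
	xorIn(e, last)
	xorIn(e, kx)
	return ecb(k1, e)[:12]
}
```

Under buggySubkeys the ICV of any datagram is identical whatever key the administrator configured, which is exactly why a receiver with this bug accepts a packet whose ICV was computed without knowing the SA key.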
SUZUKI Shinsuike for reporting the bug to NetBSD.
Christos Zoulas for quickly adapting the fix to NetBSD.


Revision History
================

2005-10-31      Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
        ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-007.txt.asc

Information about NetBSD and NetBSD security can be found at
        http://www.NetBSD.org/
        http://www.NetBSD.org/Security/


Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-007.txt,v 1.8 2005/10/31 06:41:04 gendalia Exp $