A few days ago, we had lots of discussions about the "PROTOS" IKE test
suite, and about a global "IKE implementations vulnerabilities".
Adrian Portelli from the NetBSD team reported to us three test cases which
could lead to a racoon crash (access to a NULL pointer). I could only
reproduce one of them on my own test configuration, for unknown

A few details about those test cases:
1) All three are based on AGGRESSIVE mode.
2) All three require a very weak racoon configuration (no lifetime
proposal or obey mode).
3) All three require racoon's configuration to be 3DES/SHA1/DH2.
4) All three DO NOT require a valid identifier/PSK.

Note that conditions 2 and 3 are just specific to the test suite which
was used; other programs may have other default proposals or may
brute-force various proposals.

The two crashes happen because there was no check in the aggressive mode
code to ensure that we got specific payloads from the peer.
The IKE exchanges don't provide those payloads, the pointers stay NULL,
and we have a crash later in the code when trying to access NULL

The payload existence check was already present in main mode.

So the problem is "minor", as it can "just" lead to a racoon crash,
and as it requires a configuration which is quite weak, which is known
to have some other security problems, and which should NOT be used!

On Friday, I sent a first mail on the lists to see if people needed
some time to generate new packages, but I had no answers.
So I just committed the fix on HEAD and Branch 0.6 (if people need it
on other branches, it's trivial to backport). It will be included in
version 0.6.3, which should be released very quickly.

Adrian and I both ran all the test suite without noticing any other
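
The missing aggressive-mode check described above, as an added example that is not racoon's code and not part of the original post: a payload chain parser whose slots stay NULL for absent payloads, followed by the presence check that rejects the message before anything is dereferenced. The function names and sample bytes are hypothetical, and the required set (SA, KE, Nonce, ID) is an assumption taken from the first aggressive-mode message in RFC 2409, since the post does not name the payloads.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ISAKMP payload type numbers (RFC 2408). */
enum { PT_NONE = 0, PT_SA = 1, PT_KE = 4, PT_ID = 5, PT_NONCE = 10, PT_MAX = 14 };

/* One slot per payload type; a slot stays NULL when the peer never sent it. */
struct payloads { const uint8_t *data[PT_MAX]; size_t len[PT_MAX]; };

/* Constructed samples (one- or two-byte placeholder bodies), not captured traffic. */
static const uint8_t SAMPLE_OK[] = { 4,0,0,5,0xAA, 10,0,0,6,0xBB,0xBB, 5,0,0,5,0xCC, 0,0,0,5,0xDD };
static const uint8_t SAMPLE_MISSING[] = { 5,0,0,5,0xAA, 0,0,0,5,0xDD };  /* SA, ID only */

/* Walk the chain of generic headers: next-payload(1) reserved(1) length(2, big endian). */
int parse_chain(const uint8_t *buf, size_t n, uint8_t first, struct payloads *out)
{
    uint8_t type = first;
    size_t off = 0;
    memset(out, 0, sizeof(*out));
    while (type != PT_NONE) {
        if (n - off < 4) return -1;                 /* header truncated */
        size_t plen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (plen < 4 || plen > n - off) return -1;  /* length field lies */
        if (type < PT_MAX) { out->data[type] = buf + off + 4; out->len[type] = plen - 4; }
        type = buf[off];                            /* type of the following payload */
        off += plen;
    }
    return 0;
}

/* Presence check: every payload that later code dereferences must have been received. */
int required_present(const struct payloads *p)
{
    static const uint8_t required[] = { PT_SA, PT_KE, PT_NONCE, PT_ID };  /* assumed set */
    for (size_t i = 0; i < sizeof(required); i++)
        if (p->data[required[i]] == NULL) return 0;
    return 1;
}

/* Hypothetical handler: returns the KE body length, or -1 when the message is rejected. */
int handle_msg1(const uint8_t *buf, size_t n, uint8_t first)
{
    struct payloads p;
    if (parse_chain(buf, n, first, &p) != 0 || !required_present(&p)) return -1;
    return (int)p.len[PT_KE];   /* safe: slot verified non-NULL above */
}

int main(void) { return handle_msg1(SAMPLE_OK, sizeof SAMPLE_OK, PT_SA) == 2 ? 0 : 1; }
```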