Subject: kern/30821: IPsec-AH is always calculated using the same key in AES-XCBC-MAC
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <suz@kame.net>
List: netbsd-bugs
Date: 07/24/2005 07:07:00
>Number:         30821
>Category:       kern
>Synopsis:       IPsec-AH is always calculated using the same key in AES-XCBC-MAC
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jul 24 07:07:00 +0000 2005
>Originator:     SUZUKI, Shinsuike
>Release:        NetBSD-2.0
>Organization:
KAME Project
>Environment:
>Description:
[obtained from]
KAME SNAP-users Mailing List
  http://www.kame.net/snap-users/mail-list.cgi
  (messages 9149, 9150 and 9153 are the corresponding thread)

[description]
AES-XCBC-MAC (an IPsec-AH authentication algorithm) is always calculated with the same fixed key, not with the key passed in from userland applications.

[expected vulnerability]
A FreeBSD machine can communicate with any other FreeBSD machine using
IPsec-AH with AES-XCBC-MAC, even when it does not have the right key for the target machine.

[Affected Version]
Every release since sys/netinet6/ah_aesxcbcmac.c first appeared two years ago
(i.e. NetBSD-2.0 and later).
>How-To-Repeat:
NetBSD1-----NetBSD2

  Establish an IPsec SA by setkey or an IKE daemon,
  with AES-XCBC-MAC as the AH algorithm and
  a different pre-shared key on each host.

  In theory the IPsec SA must not be established, but
  in practice it is.
>Fix:
[Workaround]
Don't use AES-XCBC-MAC as an IPsec-AH algorithm.
(As far as I know, only FreeBSD, NetBSD and USAGI (Linux) support it, so this is not a bad workaround.)

[Patch]
Available at the following URL:
http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/ah_aesxcbcmac.c.diff?r1=1.7&r2=1.8