Subject: NetBSD Security Advisory 2005-007: AES-XCBC-MAC (IPsec AH) calculated using fixed key
To: None <tech-security@NetBSD.org, current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: tech-security
Date: 11/08/2005 09:57:35
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2005-007
=================================
Topic:          AES-XCBC-MAC (IPsec AH) calculated using fixed key

Version:        NetBSD-current:     source prior to July 28, 2005
                NetBSD 2.1:         not affected
                NetBSD 2.0.3:       not affected
                NetBSD 2.0.2:       affected
                NetBSD 2.0:         affected
                NetBSD 1.6.*:       unaffected

Severity:       Affected SAs lack integrity protection so an attacker
                can forge data and have it be wrongly accepted

Fixed:          NetBSD-current:     July 28, 2005
                NetBSD-3 branch:    July 28, 2005
                                    (3.0 will include the fix)
                NetBSD-2.0 branch:  July 28, 2005
                                    (2.0.3 includes the fix)
                NetBSD-2 branch:    July 28, 2005
                                    (2.1 includes the fix)
Abstract
========
Machines using IPsec [RFC2401] with AH and AES-XCBC-MAC algorithm
[RFC3566] incorrectly used a fixed key instead of the provided one.
Because a known key is used, affected Security Associations lack
integrity and data origin authentication protection, and an attacker
could send forged packets which would be accepted by the receiver.
Technical Details
=================
An error in the implementation of the AES-XCBC-MAC algorithm, used by
IPsec SAs for authentication, caused ah_aes_xcbc_mac_init() to leave
r_k1s holding only the constant seed value from k1seed: the seed was
never encrypted under the SA key, so r_k1s did not contain a
key-dependent K1.
r_k1s was later passed as the encryption key to rijndaelEncrypt() by
ah_aes_xcbc_mac_loop() and ah_aes_xcbc_mac_result(), so every SA
authenticated with the same fixed encryption key, and the key
configured by the administrator and passed down from userland was
never used.
Because of this error, a receiving system using AH with AES-XCBC-MAC
checks an IPsec datagram with a fixed and known key. An attacker
could create a forged packet with a valid Integrity Check Value,
causing the receiver to accept the packet. Also, systems with this
bug would not interoperate with systems with the correct key.
If AH with AES-XCBC-MAC is used without confidentiality protection
(e.g. ESP [RFC2406]), an attacker can trivially cause data of their
choice to be received and processed. With confidentiality protection,
causing particular data to be processed is harder, but note that in
general confidentiality mechanisms do not provide effective integrity
protection.
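The following is an added illustration, not code from the advisory or from the NetBSD kernel. It implements the RFC 3566 subkey derivation and AES-XCBC-MAC in Go with the standard library's crypto/aes, and a switch that reproduces the defect described above: K1 is left as the raw 0x01 seed instead of being encrypted under the SA key. The RFC 3566 section 4.6 known-answer vectors are embedded as test data; the function and variable names (deriveSubkeys, xcbcMAC, knownAnswersPass, the buggyK1 flag) are this example's own, not the kernel's. The point for a defender is that the fixed-K1 variant fails the RFC's own test vectors and yields the same K1 for every key, so a known-answer test run against the implementation would have caught this bug.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

const blockSize = 16

// Known-answer vectors from RFC 3566 section 4.6: key, message, full 128-bit MAC (hex).
var rfc3566Vectors = []struct{ key, msg, mac string }{
	{"000102030405060708090a0b0c0d0e0f", "", "75f0251d528ac01c4573dfd584d79f29"},
	{"000102030405060708090a0b0c0d0e0f", "000102", "5b376580ae2f19afe7219ceef172756f"},
	{"000102030405060708090a0b0c0d0e0f", "000102030405060708090a0b0c0d0e0f", "d2a246fa349b68a79998a4394ff7a263"},
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// deriveSubkeys implements RFC 3566 section 4.1: Ki = AES_K(0x0i repeated 16 times).
// With buggyK1 set, K1 is left as the raw 0x01..01 seed and never encrypted under K,
// modelling the defect the advisory describes in ah_aes_xcbc_mac_init() (this is an
// illustrative reconstruction, not the kernel's code).
func deriveSubkeys(key []byte, buggyK1 bool) (k1, k2, k3 []byte, err error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, nil, err
	}
	seed := func(b byte) []byte { return bytes.Repeat([]byte{b}, blockSize) }
	k1, k2, k3 = seed(0x01), make([]byte, blockSize), make([]byte, blockSize)
	if !buggyK1 {
		c.Encrypt(k1, k1) // correct: K1 = AES_K(0x01^16)
	}
	c.Encrypt(k2, seed(0x02))
	c.Encrypt(k3, seed(0x03))
	return k1, k2, k3, nil
}

// xcbcMAC computes the full 128-bit AES-XCBC-MAC (RFC 3566 section 4.2). Every block
// in the chain is encrypted under K1, so a constant K1 makes the chaining value
// computable without knowledge of the configured SA key.
func xcbcMAC(key, msg []byte, buggyK1 bool) ([]byte, error) {
	k1, k2, k3, err := deriveSubkeys(key, buggyK1)
	if err != nil {
		return nil, err
	}
	c1, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	n := (len(msg) + blockSize - 1) / blockSize
	if n == 0 {
		n = 1 // an empty message is a single padded block
	}
	e := make([]byte, blockSize) // E[0] = 0^128
	for i := 0; i < n-1; i++ {
		for j, b := range msg[i*blockSize : (i+1)*blockSize] {
			e[j] ^= b
		}
		c1.Encrypt(e, e)
	}
	last := msg[(n-1)*blockSize:]
	final := make([]byte, blockSize)
	copy(final, last)
	pad := k2 // full final block: XOR with K2
	if len(last) < blockSize {
		final[len(last)] = 0x80 // 10* padding, then XOR with K3
		pad = k3
	}
	for j := range e {
		e[j] ^= final[j] ^ pad[j]
	}
	c1.Encrypt(e, e)
	return e, nil
}

// macHex returns the hex MAC for a hex-encoded key and message.
func macHex(keyHex, msgHex string, buggyK1 bool) string {
	mac, err := xcbcMAC(mustHex(keyHex), mustHex(msgHex), buggyK1)
	if err != nil {
		panic(err)
	}
	return hex.EncodeToString(mac)
}

// knownAnswersPass reports whether all embedded RFC 3566 vectors verify.
func knownAnswersPass(buggyK1 bool) bool {
	for _, v := range rfc3566Vectors {
		if macHex(v.key, v.msg, buggyK1) != v.mac {
			return false
		}
	}
	return true
}

// k1Hex exposes the derived K1 so its dependence on the key can be checked.
func k1Hex(keyHex string, buggyK1 bool) string {
	k1, _, _, err := deriveSubkeys(mustHex(keyHex), buggyK1)
	if err != nil {
		panic(err)
	}
	return hex.EncodeToString(k1)
}

func main() {
	fmt.Println("RFC 3566 KAT, correct derivation: ", knownAnswersPass(false))
	fmt.Println("RFC 3566 KAT, fixed-K1 derivation:", knownAnswersPass(true))
	for _, k := range []string{"000102030405060708090a0b0c0d0e0f", "ffeeddccbbaa99887766554433221100"} {
		fmt.Printf("key %s  correct K1 %s  fixed K1 %s\n", k, k1Hex(k, false), k1Hex(k, true))
	}
}
```

Running it prints true for the correct derivation and false for the fixed-K1 variant, and shows the fixed-K1 column identical for both keys. The same known-answer check, wired into a kernel or library self-test, is the cheapest way to catch a key-derivation regression of this kind before it ships.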
Solutions and Workarounds
=========================
A workaround is to not use the AES-XCBC-MAC algorithm for authentication,
but it is highly recommended that any users of affected NetBSD versions
upgrade their kernel.
The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version of
the kernel.
* NetBSD-current:
Systems running NetBSD-current dated from before 2005-07-28
should be upgraded to NetBSD-current dated 2005-07-29 or later.
(Systems built from the netbsd-3 branch should be upgraded to
2005-07-29 or later.)
The following files need to be updated from the
netbsd-current CVS branch (aka HEAD):
src/sys/netinet6/ah_aesxcbcmac.c
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P sys/netinet6/ah_aesxcbcmac.c
# ./build.sh kernel=GENERIC
# mv /netbsd /netbsd.old
# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
# shutdown -r now
* NetBSD 2.x:
Systems built from source along the netbsd-2 or netbsd-2-0 branches
dated from before 2005-07-28 should be upgraded from sources dated
2005-07-29 or later. This includes the binary distributions of
NetBSD 2.0 and NetBSD 2.0.2.
NetBSD 2.1 includes the fix.
The following files should be updated from CVS:
src/sys/netinet6/ah_aesxcbcmac.c
To update from CVS, verify that your sources are from the correct
branch, re-build, and re-install the kernel:
# cd src
# cvs update -d -P sys/netinet6/ah_aesxcbcmac.c
# ./build.sh kernel=GENERIC
# mv /netbsd /netbsd.old
# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
# shutdown -r now
* NetBSD 1.6 (and subsequent point releases) do not include
AES-XCBC-MAC and are thus unaffected.
Thanks To
=========
Yukiyo Akisada for reporting the bug to KAME.
SUZUKI Shinsuke for reporting the bug to NetBSD.
Christos Zoulas for quickly adapting the fix to NetBSD.
Revision History
================
2005-10-31 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-007.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-007.txt,v 1.8 2005/10/31 06:41:04 gendalia Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)
iQCVAwUBQ2fKdD5Ru2/4N2IFAQIEUQQAlpQMrJ1YeDOC4SggrVbxTgwr6HtZzSU6
Rl7F1fQybzN4tcUnYo3m20k57IKLr94SDOUI5rrL9O0qU8Oz/V7V8hI48Z82HXk9
gk2yFnWgeTYOOttSPXkEU7/ohDKibQXK6+1JTG3L3NTAAmphTBai0nxii0iNN9Vk
wdIxN4YcaqA=
=GnoS
-----END PGP SIGNATURE-----