IPsec
and 8.2.x are affected.
Crafted IKE Message Denial of Service Vulnerability
+--------------------------------------------------
A crafted IKE message that is sent through an IPsec tunnel that
terminates on a Cisco ASA 5500 Series Adaptive Security Appliance
could cause all IPsec tunnels that terminate on the same device to be
torn down. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are
affected. IKE is not enabled by default. If IKE is enabled, the "isakmp
enable <interface name>" command appears in the configuration.
Networking.NET2-KRN
action: install PHNE_32606 or subsequent
HP-UX B.11.11
=============
IPSec.IPSEC2-KRN
- ->action: install IPSec revision A.02.01.01 or subsequent and PHNE_35351 or subsequent
HP-UX B.11.23
=============
IPSec.IPSEC2-KRN
=============================================================================
FreeBSD-SA-08:04.ipsec Security Advisory
The FreeBSD Project
Topic: IPsec null pointer dereference panic
Category: core
A series of TCP packets may cause a denial of service (DoS) condition
on Cisco IOS devices that are configured as Easy VPN servers with the
Cisco Tunneling Control Protocol (cTCP) encapsulation feature. Cisco
has released free software updates that address this vulnerability.
No workarounds are available; however, the IPSec NAT traversal
(NAT-T) feature can be used as an alternative.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: IPSec Tools: Denial of Service
Date: May 24, 2009
Bugs: #267135
ID: 200905-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
in a reload of the device or disclosure of confidential information.
This security advisory outlines details of the following
vulnerabilities:
* Erroneous SIP Processing Vulnerabilities
* IPSec Client Authentication Processing Vulnerability
* SSL VPN Memory Leak Vulnerability
* URI Processing Error Vulnerability in SSL VPNs
* Potential Information Disclosure in Clientless VPNs
Note: These vulnerabilities are independent of each other. A device
> US to hack on crypto code"
> http://marc.info/?l=openbsd-tech&m=129237675106730&w=2
That statement remains true.
IPSEC isn't 100% crypto; it is a complex layered subsystem with many
other elements to it. In particular our IPSEC stack also supports the
IPCOMP sub-protocol -- the same management framework moves compressed
ip packets through the framework. This means that there are parts of
the IPSEC stack that are 'dual use'. There are also many other parts
of IPSEC which are related to non-encrypted encapsulations.
Cisco Security Advisory: Cisco IOS Software Internet Key Exchange
Resource Exhaustion Vulnerability
Advisory ID: cisco-sa-20090923-ipsec
Revision 1.0
For Public Release 2009 September 23
Hi there,
###############################################
TheGreenBow IPSec VPN Client Login Credentials Information Disclosure Vulnerability
Information
Risk: Low
Typology: Local
Date: 30/03/2008
+----------------------------------------------------
Because of a Microsoft Windows NT Domain authentication issue the Cisco
ASA and Cisco PIX devices may be susceptible to a VPN authentication
bypass vulnerability. Cisco ASA or Cisco PIX security appliances that
are configured for IPSec or SSL-based remote access VPN using Microsoft
Windows NT Domain authentication may be vulnerable. Devices that are
using any other type of external authentication (that is, LDAP, RADIUS,
TACACS+, SDI, or local database) are not affected by this vulnerability.
The following example demonstrates how Windows NT domain authentication
Original e-mail is from Theo de Raadt
http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
I have received a mail regarding the early development of the OpenBSD
IPSEC stack. It is alleged that some ex-developers (and the company
they worked for) accepted US government money to put backdoors into
our network stack, in particular the IPSEC stack. Around 2000-2001.
Since we had the first IPSEC stack available for free, large parts of
the code are now found in many other projects/products. Over 10
Cisco Security Advisory: Cisco IOS Software IPsec Vulnerability
Advisory ID: cisco-sa-20100324-ipsec
Revision 1.0
For Public Release 2010 March 24 1600 UTC (GMT)
as described in detail within this advisory.
VPN Authentication Bypass Vulnerability
+--------------------------------------
Cisco ASA or Cisco PIX security appliances that are configured for IPsec
or SSL-based remote access VPN and have the Override Account Disabled
feature enabled are affected by this vulnerability.
Note: The Override Account Disabled feature was introduced in Cisco
ASA software version 7.1(1). Cisco ASA and PIX software versions 7.1,
> ID: 200903-18
> An insecure temporary file usage has been reported in Openswan,
> allowing for symlink attacks.
> Dmitry E. Oboukhov reported that the IPSEC livetest tool does not
> handle the ipseclive.conn and ipsec.olts.remote.log temporary files
> securely.
> A local attacker could perform symlink attacks to execute arbitrary
> code and overwrite arbitrary files with the privileges of the user
been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2816.
Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IPsec is an IP security feature that provides robust authentication
and encryption of IP packets. IKE is a key management protocol
standard that is used in conjunction with the IPsec standard. A DoS
vulnerability exists in the IKE implementation of the Cisco ASA.
During successful exploitation, an unauthenticated attacker may cause
an affected device to reload.
> > A local attacker could perform symlink attacks to execute arbitrary
> > code and overwrite arbitrary files with the privileges of the user
> > running the application.
>
> The ipsec livetest command was never called or used by anything in
> openswan as it was not finished. Furthermore, it was no longer
> installed AND explicitly disabled since:
>
> commit 4661d345b676d5412a52b6d1289568fc4ab31eac
> Author: Paul Wouters <paul@xelerance.com>
allowing for symlink attacks.
Background
==========
Openswan is an implementation of IPsec for Linux.
Affected packages
=================
-------------------------------------------------------------------
==========================================================================
Openswan & Strongswan Security Notification March 30, 2009
Remote DoS Vulnerability in Openswan & Strongswan IPsec
CVE-2009-0790
==========================================================================
A vulnerability in the Dead Peer Detection (RFC-3706) code was found by
Gerd v. Egidy <gerd.von.egidy@intra2net.com> of Intra2net AG affecting
all Openswan and all Strongswan releases.
detection, traffic analysis, TCP blind data injection,
etc. (predictable IP fragmentation ID) in "regular" IP
packets and raw IP packets.
o Predictable IP fragmentation ID in DHCP, IP multicast
routing and IPsec encapsulation in IP.
* NetBSD 1.6.2-4.0
o Idle-scanning, O/S fingerprinting, host alias
> detection, traffic analysis, TCP blind data injection,
> etc. (predictable IP fragmentation ID) in "regular" IP
> packets and raw IP packets.
>
> o Predictable IP fragmentation ID in DHCP, IP multicast
> routing and IPsec encapsulation in IP.
>
>
> * NetBSD 1.6.2-4.0
>
> o Idle-scanning, O/S fingerprinting, host alias
- Use a separate IP subnet to host the manager workstations.
- Provide physical protection to manager workstations by implementing
physical access control to the room where the Contact Center managers have
their workstations.
Protect credentials exchanged over the LAN:
- Configure IPsec on the TSA server to require mandatory IPsec access
from an explicit list of management workstations.
- Configure the Windows firewall to allow cleartext accesses from an
explicit list of agent workstations and drop all packets from any other
workstations.
Fixed Software Versions/Patches and how to obtain them
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: IPsec-Tools: racoon Denial of Service
Date: December 02, 2008
Bugs: #232831
ID: 200812-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
allow remote attackers to cause a Denial of Service.
Background
==========
Openswan is an implementation of IPsec for Linux.
Affected packages
=================
-------------------------------------------------------------------
by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built
from the ground up to integrate multiple levels of security protection--including firewall, antivirus, intrusion prevention, VPN,
spyware prevention and anti-spam -- designed to help customers protect against network and content level threats. Leveraging a custom
ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based
solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only
security products that are certified in six programs by ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware).
Fortinet is privately held and based in Sunnyvale, California.
Indeed, as I tried to explain in my previous reply, my "suggestion" in obscurity as a means of securing things, was not meant as (encryption of encryption) ^ ?, rather building another barrier to make it "harder" for compromise.
IMO, a "real" solution would be to be able to deploy/install Pidgin in a fashion so that:
a) the accounts.xml file's location can be overridden (so that I can re-direct to a network shared TrueCrypt drive over an IPSEC protected pipe in a VLAN'd network :p)
b) to be able to disable the "Save Password" option and ensure it cannot be overridden by the user by default
In an institution where the authentication piece is tied into the universal PIM LDAP, as-is, the usage of your application puts us in awkward position, as it has been deemed against the policies to "store" such authentication information in the open in an easily accessible location.
Per your post on http://developer.pidgin.im/wiki/PlainTextPasswords here, AFAIK there still isn't any plugin that decrypts/encrypts the saved password file either :/
In the previous example, the Cisco ASA is configured to accept Telnet
connections on the inside interface from the 192.168.10.0/24 network.
Note: You cannot use Telnet to the lowest security interface unless
you use Telnet inside an IPSec tunnel.
ASDM management sessions are enabled via the http server enable and
http commands.
The ssh command is used to identify the IP addresses from which the
And is yes on the same thread, we have the presumed innocent until
proven is guilty party conflict with team OpenBSD:
"I will state clearly that I did not add backdoors to the OpenBSD
operating system or the OpenBSD crypto framework (OCF)."
"The timeline for my involvement with IPSec can be clearly
demonstrated by looking at the revision history of:
src/sys/dev/pci/hifn7751.c (Dec 15, 1999)
src/sys/crypto/cryptosoft.c (March 2000)
http://marc.info/?a=90367907900009&r=1&w=2
fetchmail
Fetchmail is a remote mail retrieval and forwarding utility intended
for use over on-demand TCP/IP links, like SLIP or PPP connections.
Fetchmail supports every remote-mail protocol currently in use on the
Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6,
and IPSEC) for retrieval. Then Fetchmail forwards the mail through
SMTP so you can read it through your favorite mail client.
quagga
Quagga is free software that manages TCP/IP-based routing protocols.
It takes multi-server and multi-thread approach to resolve the current
Cisco IPSec VPN Implementation Group Name Enumeration
01/12/2010
Gavin Jones of NGS Secure has discovered a vulnerability in Cisco VPN Concentrator, Cisco PIX and Cisco Adaptive Security Appliance.
Versions affected include:
-Cisco ASA 5500 Series Adaptive Security Appliances
-Cisco PIX 500 Series Security Appliances
releasing fixes by March 24th and requests publication of the advisory
to be delayed to create a fix for vulnerable customers. The development
team is investigating how long it will take to make such a fix
available. The vendor indicates that the previous questions about
firewall setup referred to the vendor's recommended practices to secure
networks on which their systems run using firewalls and IPsec.
. 2008-03-21: Vendor indicates that it is issuing a Tech Alert to its
customers to address the issue. Details about the vulnerability have
been minimized in the Tech Alert. The vendor expresses concern about the
level of detail included in Core's advisory and requests that those
details be removed from the advisory because they give more detail than