Date: Mon, 13 Jun 2016 09:55:48 +0530 From: Huzaifa Sidhpurwala <huzaifas@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: Re: CVE Request: IKEv1 protocol is vulnerable to DoS amplification attack On 06/10/2016 06:04 PM, cve-assign@...re.org wrote: >> I would like to request a CVE for the protocol flaw in IKEv1, details below: > >> https://www.kb.cert.org/vuls/id/419128 >> https://blogs.akamai.com/2016/02/ikeikev2-ripe-for-ddos-abuse.html > >> https://bugzilla.redhat.com/show_bug.cgi?id=1308508 >> https://github.com/libreswan/libreswan/commit/152d6d95632d8b9477c170f1de99bcd86d7fb1d6 >> https://lists.libreswan.org/pipermail/swan-dev/2016-March/001394.html > >> Can a CVE id be please assigned to this? > > CVE IDs are not assigned to UDP protocols solely on the basis of an > observed amplification-attack risk. A CVE ID can exist if the UDP > reply traffic simply cannot ever have any legitimate purpose for users > of a protocol. The general case of the interaction between UDP > amplification and CVE was discussed between MITRE and CERT in 2013; > this may be the reason that no CVE ID is listed in the > https://www.kb.cert.org/vuls/id/419128 document. > In that case, no CVE should be assigned to this issue as well. Its not libreswan which is flawed, but its the protocol which they are trying to implement. > We can, however, assign a CVE ID to a vendor's announcement of a > required security update, such as on the https://libreswan.org/ home > page: > > "libreswan 3.16 vulnerable to DDOS attack. Please upgrade to 3.17" > > Use CVE-2016-5361 for this issue only in the libreswan codebase. > > Also the following products (which implement IKEv1 are flawed, since they follow this protocol) ipsec-tools racoon2 openswan strongswan libreswan ike vpnc (There may be others, but i can only think of the above) -- Huzaifa Sidhpurwala / Red Hat Product Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ