Date: Mon, 13 Jun 2016 09:55:48 +0530
From: Huzaifa Sidhpurwala <>
Subject: Re: Re: CVE Request: IKEv1 protocol is vulnerable to
 DoS amplification attack

On 06/10/2016 06:04 PM, wrote:
>> I would like to request a CVE for the protocol flaw in IKEv1, details below:
>> Can a CVE id be please assigned to this?
> CVE IDs are not assigned to UDP protocols solely on the basis of an
> observed amplification-attack risk. A CVE ID can exist if the UDP
> reply traffic simply cannot ever have any legitimate purpose for users
> of a protocol. The general case of the interaction between UDP
> amplification and CVE was discussed between MITRE and CERT in 2013;
> this may be the reason that no CVE ID is listed in the
> document.

In that case, no CVE should be assigned to this issue as well. It's not
libreswan which is flawed, but it's the protocol which they are trying to

> We can, however, assign a CVE ID to a vendor's announcement of a
> required security update, such as on the home
> page:
>   "libreswan 3.16 vulnerable to DDOS attack. Please upgrade to 3.17"
> Use CVE-2016-5361 for this issue only in the libreswan codebase.

Also the following products (which implement IKEv1) are flawed, since
they follow this protocol


(There may be others, but I can only think of the above)

Huzaifa Sidhpurwala / Red Hat Product Security Team
