Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 13 Jun 2016 09:55:48 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE Request: IKEv1 protocol is vulnerable to
 DoS amplification attack

On 06/10/2016 06:04 PM, cve-assign@...re.org wrote:
>> I would like to request a CVE for the protocol flaw in IKEv1, details below:
> 
>> https://www.kb.cert.org/vuls/id/419128
>> https://blogs.akamai.com/2016/02/ikeikev2-ripe-for-ddos-abuse.html
> 
>> https://bugzilla.redhat.com/show_bug.cgi?id=1308508
>> https://github.com/libreswan/libreswan/commit/152d6d95632d8b9477c170f1de99bcd86d7fb1d6
>> https://lists.libreswan.org/pipermail/swan-dev/2016-March/001394.html
> 
>> Can a CVE id be please assigned to this?
> 
> CVE IDs are not assigned to UDP protocols solely on the basis of an
> observed amplification-attack risk. A CVE ID can exist if the UDP
> reply traffic simply cannot ever have any legitimate purpose for users
> of a protocol. The general case of the interaction between UDP
> amplification and CVE was discussed between MITRE and CERT in 2013;
> this may be the reason that no CVE ID is listed in the
> https://www.kb.cert.org/vuls/id/419128 document.
> 

In that case, no CVE should be assigned to this issue as well. Its not
libreswan which is flawed, but its the protocol which they are trying to
implement.


> We can, however, assign a CVE ID to a vendor's announcement of a
> required security update, such as on the https://libreswan.org/ home
> page:
> 
>   "libreswan 3.16 vulnerable to DDOS attack. Please upgrade to 3.17"
> 
> Use CVE-2016-5361 for this issue only in the libreswan codebase.
> 
> 


Also the following products (which implement IKEv1 are flawed, since
they follow this protocol)

 ipsec-tools
 racoon2
 openswan
 strongswan
 libreswan
 ike
 vpnc

(There may be others, but i can only think of the above)



-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ