Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
Hello!
On Wed, 22 Mar 2006, FreeBSD Security Advisories wrote:
> II. Problem Description
>
> IPsec provides an anti-replay service which when enabled prevents an attacker
> from successfully executing a replay attack. This is done through the
> verification of sequence numbers. A programming error in the fast_ipsec(4)
> implementation results in the sequence number associated with a Security
> Association not being updated, allowing packets to unconditionally pass
> sequence number verification checks.
>
> III. Impact
>
> An attacker able to intercept IPSec packets can replay them. If higher
> level protocols which do not provide any protection against packet replays
> (e.g., UDP) are used, this may have a variety of effects.
As far as I understood, only systems which use "options FAST_IPSEC" are
affected by this issue. Is it true? If so, wouldn't it be wise to stress this
fact in the advisory?
Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
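
An added example, not part of this thread and not FreeBSD's fast_ipsec(4) code: a minimal sequence-number replay window showing why the check in the quoted Problem Description only protects anything if the per-SA state is updated after each accepted packet. The struct, the function names, the 32-packet window and the packet trace are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WINDOW 32u /* assumed replay window size, in packets */

struct replay_state {
    uint32_t last_seq; /* highest sequence number accepted so far */
    uint32_t bitmap;   /* bit i set => (last_seq - i) was already seen */
};

/* Check step: read-only test of whether seq would be accepted. */
static bool replay_check(const struct replay_state *rs, uint32_t seq) {
    if (seq == 0) return false;              /* 0 is never valid */
    if (seq > rs->last_seq) return true;     /* newer than anything seen */
    uint32_t diff = rs->last_seq - seq;
    if (diff >= WINDOW) return false;        /* older than the window */
    return (rs->bitmap & (1u << diff)) == 0; /* reject duplicates */
}

/* Update step: record seq as seen once the packet has authenticated. */
static void replay_update(struct replay_state *rs, uint32_t seq) {
    if (seq > rs->last_seq) {
        uint32_t shift = seq - rs->last_seq;
        rs->bitmap = (shift < WINDOW) ? (rs->bitmap << shift) | 1u : 1u;
        rs->last_seq = seq;
    } else {
        rs->bitmap |= 1u << (rs->last_seq - seq);
    }
}

/* Count accepted packets; do_update=false models the state never changing. */
static int accepted_count(const uint32_t *seqs, int n, bool do_update) {
    struct replay_state rs = {0, 0};
    int accepted = 0;
    for (int i = 0; i < n; i++) {
        if (!replay_check(&rs, seqs[i])) continue;
        accepted++;
        if (do_update) replay_update(&rs, seqs[i]);
    }
    return accepted;
}

/* Constructed trace: 1, 2, 3 and 5 are fresh; the second 2 and 3 and the last 1 are repeats. */
static const uint32_t trace[] = {1, 2, 3, 2, 3, 5, 1};

int main(void) {
    printf("%d %d\n", accepted_count(trace, 7, true), accepted_count(trace, 7, false));
    return 0;
}
```

With the update step only the four fresh packets are accepted; with the state left untouched every packet in the trace passes the check, repeats included.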