Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec

Board: FB_security, posted 2006/03/25 02:54, thread 4/4
On Thu, Mar 23, 2006 at 11:03:10AM +0200, Dmitry Pryanishnikov wrote:
>
> Hello!
>
> On Wed, 22 Mar 2006, FreeBSD Security Advisories wrote:
> > II. Problem Description
> >
> > IPsec provides an anti-replay service which when enabled prevents an attacker
> > from successfully executing a replay attack. This is done through the
> > verification of sequence numbers. A programming error in the fast_ipsec(4)
> > implementation results in the sequence number associated with a Security
> > Association not being updated, allowing packets to unconditionally pass
> > sequence number verification checks.
> >
> > III. Impact
> >
> > An attacker able to intercept IPSec packets can replay them. If higher
> > level protocols which do not provide any protection against packet replays
> > (e.g., UDP) are used, this may have a variety of effects.
>
> As far as I understood, only systems which use "options FAST_IPSEC" are
> affected by this issue. Is it true? If so, wouldn't it be wise to stress this
> fact in the advisory?

Yes, only FAST_IPSEC and only ESP (AH is ok).

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
Article code (AID): #14941Q00 (FB_security)