Title: OpenBSD "empty" AH/ESP Packet Remote Denial of Service Vulnerability
Severity: MODERATE
Description:
IP Protocols are those which lay directly below the IP header, such as TCP, UDP and ICMP. Network drivers know what sub-IP protocol a packet belongs to by the protocol number value in its IP header. The method used to scan for what IP protocols are supported by a remote host, as employed by Nmap 2.54Beta, is trying various protocol numbers in the IP header and sending the IP packets to the target. Whether or not the host scanning recieves an ICMP protocol unreachable or not determines whether the protocol is supported (given that ICMP isn't filtered..). When a scan of this sort is launched against OpenBSD with IPSEC support, the victim host can crash. The reason for this is that OpenBSD can not handle "empty" AH/ESP packets (or what it believes is an AH/ESP packet, based on the protocol number). The end result is typically a kernel panic and denial of service, which can be caused remotely against a vulnerable OpenBSD host by an attacker armed only with nmap. Other BSDs and Linux are reportedly not vulnerable to this problem.
Affected Products:
- OpenBSD OpenBSD 2.7.0
References:
- OpenBSD: OpenBSD Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
