OpenBSD "empty" AH/ESP Packet Remote Denial of Service Vulnerability

IP Protocols are those which lay directly below the IP header, such as TCP, UDP and ICMP. Network drivers know what sub-IP protocol a packet belongs to by the protocol number value in its IP header. The method used to scan for what IP protocols are supported by a remote host, as employed by Nmap 2.54Beta, is trying various protocol numbers in the IP header and sending the IP packets to the target. Whether or not the host scanning recieves an ICMP protocol unreachable or not determines whether the protocol is supported (given that ICMP isn't filtered..). When a scan of this sort is launched against OpenBSD with IPSEC support, the victim host can crash. The reason for this is that OpenBSD can not handle "empty" AH/ESP packets (or what it believes is an AH/ESP packet, based on the protocol number). The end result is typically a kernel panic and denial of service, which can be caused remotely against a vulnerable OpenBSD host by an attacker armed only with nmap. Other BSDs and Linux are reportedly not vulnerable to this problem.


Privacy Statement
Copyright 2010, SecurityFocus