Abstract

Machines using IPsec [RFC2401] with AH and AES-XCBC-MAC algorithm
[RFC3566] incorrectly used a fixed key instead of the provided one.
Because a known key is used, affected Security Associations lack
integrity and data origin authentication protection, and an attacker
could send forged packets which would be accepted by the receiver.

Technical Details

An error in the implementation of the AES-XCBC-MAC algorithm, used by
IPsec SAs for authentication, did not encrypt r_k1s in
ah_aes_xcbc_mac_init(), and only seeded it with the constant in
k1seed.

r_k1s was later passed as the encryption key to rijndaelEncrypt() by
ah_aes_xcbc_mac_loop() and ah_aes_xcbc_mac_result(), causing them to
use the same encryption key for authentication, without using the
key (set by the admin) passed from userland.

Because of this error, a receiving system using AH with AES-XCBC-MAC
checks an IPsec datagram with a fixed and known key. An attacker
could create a forged packet with a valid Integrity Check Value,
causing the receiver to accept the packet. Also, systems with this
bug would not interoperate with systems with the correct key.

If AH with AES-XCBC-MAC is used without confidentiality protection
(e.g. ESP [RFC2406]), an attacker can trivially cause data of his
choice to be received and processed. With confidentiality protection,
causing particular data to be processed is harder, but note that in
general confidentiality mechanisms do not provide effective integrity
protection.

Solutions and Workarounds

A workaround is to not use the AES-XCBC-MAC algorithm for authentication,
but it is highly recommended that any users of affected NetBSD versions
upgrade their kernel.

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version of
the kernel.

* NetBSD-current:

Systems running NetBSD-current dated from before 2005-07-28
should be upgraded to NetBSD-current dated 2005-07-29 or later.
(Systems built from the netbsd-3 branch should be upgraded to
2005-07-29 or later.)

The following files need to be updated from the
netbsd-current CVS branch (aka HEAD):
src/sys/netinet6/ah_aesxcbcmac.c

To update from CVS, re-build, and re-install the kernel:

# cd src
# cvs update -d -P sys/netinet6/ah_aesxcbcmac.c
# ./build.sh kernel=GENERIC
# mv /netbsd /netbsd.old
# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
# shutdown -r now

* NetBSD 2.x:

Systems built from source along the netbsd-2 or netbsd-2-0 branches
dated from before 2005-07-28 should be upgraded from sources dated
2005-07-29 or later. This includes the binary distributions of
NetBSD 2.0 and NetBSD 2.0.2.

NetBSD 2.1 includes the fix.

The following files should be updated from CVS:
src/sys/netinet6/ah_aesxcbcmac.c

To update from CVS, verify that your sources are from the correct
branch, re-build, and re-install the kernel:

# cd src
# cvs update -d -P sys/netinet6/ah_aesxcbcmac.c
# ./build.sh kernel=GENERIC
# mv /netbsd /netbsd.old
# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
# shutdown -r now

* NetBSD 1.6 (and subsequent point releases) do not include
AES-XCBC-MAC and are thus unaffected.

Thanks To

Yukiyo Akisada for reporting the bug to KAME.
SUZUKI Shinsuike for reporting the bug to NetBSD.
Christos Zoulas for quickly adapting the fix to NetBSD.

Revision History

2005-10-31 Initial release

More Information
 
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/  and http://www.NetBSD.org/Security/ .

Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.