Date: Mon, 25 Sep 2000 21:13:00 +0000
Subject: Nmap Protocol Scanning DoS against OpenBSD IPSEC
To: BUGTRAQ@SECURITYFOCUS.COM

The protocol scanning option (-sO) in 2.54 Beta releases of nmap results in a remote denial of service against OpenBSD 2.7's IPSEC implementation due to its inability to handle tiny AH/ESP packets. Nmap protocol scans repeatedly cycle through IP protocol numbers, attempting to elicit ICMP Protocol Unreachable messages in order to discover which IP protocols (ICMP, TCP, UDP, GRE, AH, ESP, etc.) are active on the target device.

The empty AH/ESP packets send OpenBSD 2.7 into debug mode with the following results (more or less):

    panic: m_copydata: null mbuf
    Stopped at _Debugger+0x4: leave
    _panic(....
    _m_copydata(...
    _ipsec_common_input(...
    _esp4_input(....
    _ipv4_input(....
    _ipintr(...
    Bad frame pointer: 0xe3b55e98

This vulnerability was reported to OpenBSD developers on 17 September and an advisory (and patch) was released the following day. See ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/024_ipsec.patch for details.

OpenBSD 2.7 was the only *NIX IPSEC implementation found to be susceptible to this type of scan. I tested Linux FreeS/WAN myself, and KAME developers reported that FreeBSD (and I assume NetBSD) was *not* vulnerable. AIX and Solaris 8 IPSEC implementations were not tested.

-mdf

-------------------------------------
Matthew Franz
mfranz@cisco.com
Security Technologies Assessment Team
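As an added illustration for readers of this post (not code from the post, from nmap, or from OpenBSD), the following Python checks packet metadata for the two things described above: one source cycling through many IP protocol numbers against a host, and AH/ESP datagrams too short to hold even their fixed header. The sample records, window and threshold are constructed; the minimum header sizes come from RFC 2402 (AH) and RFC 2406 (ESP).

```python
"""Flag IP protocol scans and undersized AH/ESP datagrams in packet metadata.
Added example with constructed records; not part of the original advisory."""
from collections import defaultdict

IPPROTO_ESP, IPPROTO_AH = 50, 51
# Smallest fixed header each protocol can carry:
#   AH : next hdr(1) + payload len(1) + reserved(2) + SPI(4) + seq(4) = 12
#   ESP: SPI(4) + seq(4) = 8
MIN_LEN = {IPPROTO_AH: 12, IPPROTO_ESP: 8}

# Constructed sample: (timestamp, src, dst, ip_proto, payload_len)
SAMPLE = [
    (0.00, "192.0.2.10", "198.51.100.5", 1, 8),
    (0.01, "192.0.2.10", "198.51.100.5", 6, 20),
    (0.02, "192.0.2.10", "198.51.100.5", 17, 8),
    (0.03, "192.0.2.10", "198.51.100.5", 47, 0),
    (0.04, "192.0.2.10", "198.51.100.5", 50, 0),   # empty ESP
    (0.05, "192.0.2.10", "198.51.100.5", 51, 0),   # empty AH
    (0.06, "192.0.2.10", "198.51.100.5", 255, 0),
    (1.50, "203.0.113.7", "198.51.100.5", 50, 64),  # normal ESP
]


def undersized_ipsec(records):
    """Return AH/ESP records whose payload cannot hold the fixed header."""
    return [r for r in records if r[3] in MIN_LEN and r[4] < MIN_LEN[r[3]]]


def protocol_scanners(records, window=1.0, threshold=5):
    """Return (src, dst) pairs where src sent >= threshold distinct IP
    protocol numbers to dst within `window` seconds (sliding window)."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, _ in sorted(records):
        by_pair[(src, dst)].append((ts, proto))
    hits = set()
    for pair, events in by_pair.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= threshold:
                hits.add(pair)
                break
    return hits


if __name__ == "__main__":
    print("undersized AH/ESP:", undersized_ipsec(SAMPLE))
    print("protocol scanners:", protocol_scanners(SAMPLE))
```

Fed with real flow or packet-capture metadata, the same two checks separate a protocol sweep from ordinary IPSEC traffic, which carries far more than the fixed header.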