Description
Some IPsec implementations use tunnel-mode SAs for end-to-end communication. We currently
support this only with manually-keyed SAs and a per-socket policy that specifies
self-encapsulation. OpenSWAN, if not properly configured, will send self-encapsulated
packets even when IKE insists on transport-mode SAs. A ping (not a TCP or UDP packet)
from an OpenSWAN peer with such a misconfiguration causes a kernel panic on Solaris, with the
following stack:
sadb_extended_acquire+0x19c(c4bd5570, 0, c6510e8c, 1, fffffffe, 0)
sadb_acquire+0x5f0(c4a7d400, c4cd0cac, 0, 1, fec65158, c2ff6000)
stubs_common_code+0x3b(c4a7d400, 3, 0, c2e1d040)
ipsec_out_process+0x285(c447f968)
ip_wput_ire+0x2876(c447f968, c2fa1040, c6cf3248, 0, 2, 0)
ip_output_options+0x1d99(0, c2fa1040, c447f968, 2, fed36db0, c2fa1040)
ip_output+0x1c(0, c4a7d400, c447f968, 2)
ip_wput+0x26(c447f968)
put+0x23f(c447f968, c4a7d400, 0, 0)
icmp_inbound+0x81b(c447f8e8, c2fa1040, 0, c35c4b94, 0, 0)
ip_proto_input+0x59c(c447f8e8, c2fa1040, c34ece6c, c447a468, c35c4b94, 0)
ip_fanout_proto_again+0x32e(c4a7d400, c35c4b94, c35c4b94, c447a468)
ip_proto_input+0x814(c447f8e8, c2fa1040, c34ece58, c447a468, c35c4b94, 0)
ip_fanout_proto_again+0x32e(c4a7d400, c35c4b94, c35c4b94, c447a468)
ip_proto_input+0xba0(c447f8e8, c2fa1040, c34ece50, c447a468, c35c4b94, 0)
ip_input+0xb0a(c35c4b94)
i_dls_link_rx+0x23d(c4a8ce20, 0, c2fa1040, 0)
mac_rx_deliver+0x42(c4a8bc60)
mac_rx_soft_ring_drain+0xd2(c4a88d00, c4a88d00, 158, 246)
mac_soft_ring_worker+0x14e(c4a88d00, 0)
thread_start+8()
This is not a full-blown security bug, since a trusted party (trusted enough to share SA
material, or trusted enough to complete an IKE exchange) is needed to cause the panic.
Auditing such misconfigured peers is simple.
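As an added illustration of what an audit for such peers can look for (example code, not part of this bug report or of the Solaris IPsec code), the checker below parses a raw IPv4 packet and flags self-encapsulation. It assumes that "self-encapsulated" means an IP-in-IP packet (outer protocol 4) whose inner header repeats the outer source and destination addresses; the helper names, the 192.0.2.0/24 addresses and the sample packets are constructed for the example.

```python
import socket
import struct
from dataclasses import dataclass

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4  # IP-in-IP encapsulation

@dataclass
class IPv4Header:
    ihl: int      # header length in bytes
    total_len: int
    proto: int
    src: str
    dst: str

def parse_ipv4(buf: bytes, off: int = 0) -> IPv4Header:
    """Parse the fixed 20-byte part of an IPv4 header starting at `off`."""
    if len(buf) - off < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20:
        raise ValueError("invalid IHL")
    return IPv4Header(ihl, tlen, proto, socket.inet_ntoa(src), socket.inet_ntoa(dst))

def is_self_encapsulated(pkt: bytes) -> bool:
    """True when pkt is IP-in-IP and the inner header repeats the outer src/dst.

    A real tunnel (inner addresses differ from the outer ones) is not flagged."""
    outer = parse_ipv4(pkt)
    if outer.proto != IPPROTO_IPIP:
        return False
    inner = parse_ipv4(pkt, outer.ihl)
    return inner.src == outer.src and inner.dst == outer.dst

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options, zero checksum) for the samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed samples: an ICMP echo request carried three different ways.
ICMP_ECHO = bytes([8, 0, 0xF7, 0xFF, 0, 0, 0, 0])
PLAIN_PING = build_ipv4("192.0.2.1", "192.0.2.2", IPPROTO_ICMP, ICMP_ECHO)
SELF_ENCAP_PING = build_ipv4("192.0.2.1", "192.0.2.2", IPPROTO_IPIP, PLAIN_PING)
REAL_TUNNEL_PING = build_ipv4("192.0.2.1", "192.0.2.2", IPPROTO_IPIP,
                              build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_ICMP, ICMP_ECHO))
```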