MidnightBSD

Advisories for ipsec-tools

CVE-2004-0607 HIGH

The eay_check_x509cert function in KAME Racoon successfully verifies certificates even when OpenSSL validation fails, which could allow remote attackers to bypass authentication.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
redhat enterprise_linux 3.0
ipsec-tools ipsec-tools 0.3_rc5
ipsec-tools ipsec-tools 0.3.1
ipsec-tools ipsec-tools 0.3_rc3
kame racoon 2004-04-07b
redhat enterprise_linux_desktop 3.0
kame racoon 2003-07-11
kame racoon *
ipsec-tools ipsec-tools 0.3_rc1
kame racoon 2004-05-03
kame racoon 2004-04-05
ipsec-tools ipsec-tools 0.3
ipsec-tools ipsec-tools 0.3_rc2
ipsec-tools ipsec-tools 0.3_rc4
ipsec-tools ipsec-tools 0.3.2
CVE-2005-0398 MEDIUM

The KAME racoon daemon in ipsec-tools before 0.5 allows remote attackers to cause a denial of service (crash) via malformed ISAKMP packets.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
redhat enterprise_linux 3.0
kame racoon 2005-01-10
kame racoon 2005-02-21
redhat enterprise_linux_desktop 3.0
kame racoon 2004-05-03
ipsec-tools ipsec-tools 0.3.3
kame racoon 2004-04-05
kame racoon 2005-01-31
ipsec-tools ipsec-tools 0.5
kame racoon 2005-03-07
redhat enterprise_linux_desktop 4.0
kame racoon 2005-01-17
kame racoon 2005-02-07
sgi propack 3.0
kame racoon 2005-02-28
suse suse_linux *
redhat enterprise_linux 4.0
kame racoon 2004-04-07b
altlinux alt_linux 2.3
kame racoon 2003-07-11
kame racoon 2005-02-14
kame racoon 2005-01-24
kame racoon 2005-01-03
suse suse_linux 9.2
suse suse_linux 9.1
CVE-2005-3732 HIGH

The Internet Key Exchange version 1 (IKEv1) implementation (isakmp_agg.c) in racoon in ipsec-tools before 0.6.3, when running in aggressive mode, allows remote attackers to cause a denial of service (null dereference and crash) via crafted IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
ipsec-tools ipsec-tools 0.5
ipsec-tools ipsec-tools 0.5.2
ipsec-tools ipsec-tools 0.6.2
ipsec-tools ipsec-tools 0.5.1
ipsec-tools ipsec-tools 0.6
ipsec-tools ipsec-tools 0.6.1
CVE-2008-3652 HIGH

src/racoon/handler.c in racoon in ipsec-tools does not remove an "orphaned ph1" (phase 1) handle when it has been initiated remotely, which allows remote attackers to cause a denial of service (resource consumption).

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ipsec-tools ipsec-tools *
CVE-2015-4047 HIGH

racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon crash) via a series of crafted UDP requests.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-476,

Products Affected

Vendor Product Version
f5 big-ip_wan_optimization_manager *
f5 big-ip_advanced_firewall_manager 13.0.0
f5 big-ip_access_policy_manager *
f5 big-ip_advanced_firewall_manager *
debian debian_linux 7.0
f5 big-ip_domain_name_system 13.0.0
debian debian_linux 9.0
f5 big-ip_policy_enforcement_manager 13.0.0
f5 big-ip_domain_name_system *
f5 big-ip_link_controller *
f5 big-ip_local_traffic_manager 13.0.0
f5 big-ip_global_traffic_manager *
f5 big-ip_webaccelerator *
f5 big-ip_application_acceleration_manager 13.0.0
fedoraproject fedora 20
f5 enterprise_manager *
f5 big-ip_protocol_security_manager *
f5 big-iq_device *
ipsec-tools ipsec-tools 0.8.2
f5 big-ip_application_security_manager *
f5 big-iq_security *
f5 big-ip_local_traffic_manager *
fedoraproject fedora 21
f5 big-ip_analytics 13.0.0
f5 big-ip_policy_enforcement_manager *
f5 big-ip_application_security_manager 13.0.0
f5 big-ip_access_policy_manager 13.0.0
f5 big-iq_cloud *
debian debian_linux 8.0
f5 big-ip_edge_gateway *
f5 big-ip_link_controller 13.0.0
f5 big-ip_analytics *
f5 big-iq_cloud_and_orchestration 1.0.0
f5 big-ip_application_acceleration_manager *
f5 big-iq_adc 4.5.0
canonical ubuntu_linux 12.04
f5 big-iq_centralized_management 4.6.0
CVE-2016-10396 HIGH

The racoon daemon in IPsec-Tools 0.8.2 contains a remotely exploitable computational-complexity attack when parsing and storing ISAKMP fragments. The implementation permits a remote attacker to exhaust computational resources on the remote endpoint by repeatedly sending ISAKMP fragment packets in a particular order such that the worst-case computational complexity is realized in the algorithm utilized to determine if reassembly of the fragments can take place.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-407,

Products Affected

Vendor Product Version
ipsec-tools ipsec-tools 0.8.2