Security issue when using aesni(4) module with only ESP on HEAD

From: John-Mark Gurney <jmg_at_funkthat.com>
Date: Mon, 6 Jul 2015 12:30:45 -0700
It has been discovered that r275732[1] on HEAD introduced a bug in the
aesni(4) module where the initialization vector (IV) is not properly
generated when using AES-CBC, aka rijndael-cbc.  This only happens
when both the CRD_F_IV_PRESENT and CRD_F_IV_EXPLICIT flags are not
set.  This ONLY affects HEAD and does not affect any stable branch
as the code in r275732 has not yet been back ported.

The only happen when the system is running IPsec and has a security
policy that only includes encryption (ESP).  If an authentication
policy (AH) is specified along with an encryption policy, which is the
recommended configuration to prevent an attacker from modifying packets,
the aesni(4) module will not be used, and this bug will not affect the
policy.

This bug has been fixed in r285216[2].  Please upgrade immediately if you
are using IPsec w/ an ESP only policy and the aesni(4) module.

The bug will leak the XOR difference[3] of the first 16 bytes of the
packet, and possibly more.  In tunnel mode, this only covers part of
the IP header, including the internal source IP.  In transport mode,
most of the TCP header will be leaked and the header and first 8 bytes 
of a UDP packet.

Other subsystems in FreeBSD, kgssapi, geli and cryptodev, set the
CRD_F_IV_PRESENT and/or CRD_F_IV_EXPLICIT flags and are not affected
by this bug.

Thanks go to Olivier Cochard-Labbé for reporting a related
issue and discovering that the packet IVs were not properly random.

[1] https://svnweb.freebsd.org/changeset/base/r275732
[2] https://svnweb.freebsd.org/changeset/base/r285216
[3] https://defuse.ca/cbcmodeiv.htm

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
Received on Mon Jul 06 2015 - 17:30:47 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:58 UTC