VULHUB ™

OpenBSD's isakmpd daemon is said to be prone to multiple weaknesses when handling various IKE payloads. Specifically, four weaknesses have been discovered in various implementations of the daemon. The problems include: 1) Fails to enforce encrypted Quick Mode messages despite RFC specification. 2) Fails to encrypt Quick Mode payloads if the initiator did not encrypt their initial payload. 3) Does not enforce hash payloads when handling payloads other than those within Quick Mode. 4) Fails to verify the origin of Phase 2 delete messages. The exploitation of these various conditions could result in the unintential exposure of sensitive session initialization data, as well as the unauthorized deletion of Security Authorities. As further analysis of these weaknesses are carried out, it is likely that each will be given a separate BID. At this time, this BID will be updated and subsequently retired.

OpenBSD's isakmpd daemon is said to be prone to multiple weaknesses when handling various IKE payloads. Specifically, four weaknesses have been discovered in various implementations of the daemon. The problems include: 1) Fails to enforce encrypted Quick Mode messages despite RFC specification. 2) Fails to encrypt Quick Mode payloads if the initiator did not encrypt their initial payload. 3) Does not enforce hash payloads when handling payloads other than those within Quick Mode. 4) Fails to verify the origin of Phase 2 delete messages. The exploitation of these various conditions could result in the unintential exposure of sensitive session initialization data, as well as the unauthorized deletion of Security Authorities. As further analysis of these weaknesses are carried out, it is likely that each will be given a separate BID. At this time, this BID will be updated and subsequently retired.