__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

          Security Vulnerabilities in HP UNIX IPSEC Tunnel ESP Mode
                 [Hewlett-Packard HPSBTU01217 SSRT5957 rev. 0]

August 10, 2005 19:00 GMT                                         Number P-272
______________________________________________________________________________
PROBLEM:       There are several potential security vulnerabilities on HP 
               Tru64 UNIX Systems using an IPsec Tunnel mode configuration 
               which uses ESP without authentication. 
PLATFORM:      HP Tru64 UNIX 5.1b-3 
               HP Tru64 UNIX 5.1B-2/PK4 
               HP-UX B.11.00, B.11.11, B.11.23 running IPSec
DAMAGE:        When running this configuration a remote attacker could force 
               an error such that a portion of a plain-text message can be 
               intercepted by the attacker. 
SOLUTION:      Upgrade to the appropriate version. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker can modify sections of the 
ASSESSMENT:    IPsec packet and hence cause the endpoint to generate an error 
               on receipt of such modified packets. These errors are relayed 
               back to the sending host via the Internet Control Message 
               Protocol (ICMP); the messages directly reveal segments of the 
               header and payload of the IPsec packet in cleartext. An 
               attacker can then intercept the ICMP messages to retrieve the 
               data in plaintext. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-272.shtml 
 ORIGINAL BULLETIN:  visit Hewlet Packard subscription service for: 
                        HPSBTU01217 SSRT5957 rev. 0
 ADDITIONAL LINKS:   Visit Hewlett Packard subscription service for: 
                     HPSBUX02079 / SSRT5997 rev. 1
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CAN-2005-0039 
______________________________________________________________________________
REVISION HISTORY:
12/07/2005 - add a link to HP Security Bulletin HPSBUX02079 / SSRT5957 that 
             provides patches for the vulnerability described below for 
             HP-UX B.11.00, B.11.11, and B.11.23 (running IPSec). 


[***** Start Hewlett-Packard HPSBTU01217 SSRT5957 rev. 0 *****]


--------------------------------------------------------------------------------
 
HPSBTU01217     REVISION: 0 
 
SSRT5957 rev.0 - HP Tru64 UNIX IPSEC Tunnel ESP Mode Remote Unauthorized Disclosure of 
Encrypted Data
 

--------------------------------------------------------------------------------
NOTICE:   
 There are no restrictions for distribution of this Security Bulletin provided that it 
 remains complete and intact. 
 
 The information in this Security Bulletin should be acted upon as soon as possible. 
 
INITIAL RELEASE:    09 August 2005 
 

 
POTENTIAL SECURITY IMPACT:    remote unauthorized disclosure of encrypted data 
 
SOURCE:    Hewlett-Packard Company
HP Software Security Response Team 
 
VULNERABILITY SUMMARY:
Several potential security vulnerabilities have been reported on HP Tru64 UNIX systems 
using an IPsec tunnel mode configuration which uses ESP without authentication.  When 
running this configuration a remote attacker could force an error such that a portion 
of a plain-text message can be intercepted by the attacker.  
REFERENCES:    NISCC VU#004033 CAN-2005-0039 
 
SUPPORTED SOFTWARE VERSIONS*:  ONLY impacted versions are listed.
HP Tru64 UNIX 5.1B-3 
HP Tru64 UNIX 5.1B-2/PK4  
BACKGROUND:
From the NISCC Vulnerability report VU#4033:

A vulnerability affecting IPsec was identified by the Information Security Group (ISG) 
at Royal Holloway, University of London. The ISG outlines three attacks that applies to 
a special case of the usage of IPsec; this is where IPsec is configured to provide 
confidentiality only with no integrity protection in tunnel mode. Under this setup, an 
attacker can modify sections of the IPsec packet and hence cause the endpoint to generate 
an error on receipt of such modified packets. These errors are relay back to the sending 
host via the Internet Control Message Protocol (ICMP); because of the design of ICMP, these 
messages directly reveal segments of the header and payload of the IPsec packet in 
cleartext. An attacker can then intercept the ICMP messages to retrieve the data in plaintext.

For Further details see the NISCC web site at www.unirad.co.uk

For a PGP signed version of this bulletin please write to security-alert@hp.com 
 
RESOLUTION:
Until the correction is available in  a mainstream release patch kit, HP is releasing the 
following Early Release Patch (ERP) kits.

The ERP kits use dupatch and will not install over any installed Customer Specific Patches 
(CSPs) that have file intersections with this ERP.  Please contact your service provider for 
assistance if the ERP installation is blocked by any of your installed CSPs.

The fixes contained in the ERP kits are scheduled to be available in the following mainstream 
patch kit: 

    5.1B-4

Early Release Patches

The ERP delivers the following files:

     /usr/lib/nls/msg/en_US.ISO8859-1/ipsec.msg
     /usr/share/sysman/menu/tasks/ipsec/ipsec
     /usr/share/sysman/menu/tasks/ipsec/ipsec.cb.tcl

Note:  After installing this ERP, customers should run "/usr/sbin/sysman ipsec". If there are 
any unsafe IPsec connections, a warning message will be displayed.  

HP Tru64 UNIX 5.1B-3
ERP Kit Name:          T64KIT0026133-V51BB25-ES-20050801
General ITRC Patch Page:  http://www.itrc.hp.com/service/patch/mainPage.do
Kit Location: 
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0026133-V51BB25-ES-20050801
MD5 checksum:
b3b2031de3279c5243e8beee63dfe45b

HP Tru64 UNIX  5.1B-2/PK4
ERP Kit Name:          T64KIT0026161-V51BB26-ES-20050804
General ITRC Patch Page:  http://www.itrc.hp.com/service/patch/mainPage.do
Kit Location: 
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0026161-V51BB26-ES-20050804
MD5 checksum:
6c4f367937ddc0637e4faf341aab3514 

MD5 checksum:
b3b2031de3279c5243e8beee63dfe45b 
 
BULLETIN REVISION HISTORY:
4 August 2005
  Initial release  

SUPPORT: For further information, contact normal HP Services support channel. 
 
REPORT: To report a potential security vulnerability with any HP supported product, send Email 
to: security-alert@hp.com. It is strongly recommended that security related information being 
communicated to HP be encrypted using PGP, especially exploit information. To obtain the 
security-alert PGP key please send an e-mail message to security-alert@hp.com with the Subject 
of 'get key' (no quotes). 
 
SUBSCRIBE: To initiate a subscription to receive future HP Security Bulletins via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&
jumpid=in_SC-GEN__driverITRC&topiccode=ITRC 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your IRTC security bulletins and patches
     - check ALL categories for which alerts are required and continue. 
Under Step2: your IRTC operating systems
     - verify your operating system selections are checked and save. 

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page Subscriber's choice for Business: sign-in.
On the Web page: Subscriber's Choice: your profile summary - use Edit Profile to update 
appropriate sections. 

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/
secBullArchive.do 
 
* The Software Product Category that this Security Bulletin relates to is represented by the 
5th and 6th characters of the Bulletin number:
GN = HP General SW, MA = HP Management Agents, MI = Misc. 3rd party SW, MP = HP MPE/iX, NS = 
HP NonStop Servers, OV = HP OpenVMS, PI = HP Printing & Imaging, ST = HP Storage SW, TL = HP 
Trusted Linux, TU = HP Tru64 UNIX, UX = HP-UX, VV = HP Virtual Vault 
 
System management and security procedures must be reviewed frequently to maintain system 
integrity. HP is continually reviewing and enhancing the security features of software 
products to provide customers with current secure solutions. 
 
"HP is broadly distributing this Security Bulletin in order to bring to the attention of 
users of the affected HP products the important security information contained in this 
Bulletin. HP recommends that all users determine the applicability of this information to 
their individual situations and take appropriate action. HP does not warrant that this 
information is necessarily accurate or complete for all user situations and, consequently, 
HP will not be responsible for any damages resulting from user's use or disregard of the 
information provided in this Bulletin. To the extent permitted by law, HP disclaims all 
warranties, either express or implied, including the warranties of merchantability and 
fitness for a particular purpose, title and non-infringement." 
 

©Copyright 2005 Hewlett-Packard Development Company, L.P. 
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions 
contained herein. The information provided is provided "as is" without warranty of any kind. 
To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers 
will be liable for incidental, special or consequential damages including downtime cost; lost 
profits; damages relating to the procurement of substitute products or services; or damages 
for loss of data, or software restoration. The information in this document is subject to 
change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products 
referenced herein are trademarks of Hewlett-Packard Company in the United States and other 
countries. Other product and company names mentioned herein may be trademarks of their 
respective owners. 
 
 

[***** End Hewlett-Packard HPSBTU01217 SSRT5957 rev. 0 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Hewlett-Packard for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-262: Cisco IPv6 Crafted Packet Vulnerability
P-263: BrightStor ARCserve for MS SQL Server Buffer Overflow
P-264: Possible Security Issue with XView Text Clipboard
P-265: Microsoft Cumulative Update for Internet Explorer
P-266: Microsoft Plug and Play Vulnerability
P-267: Vulnerability in Printer Spooler Service
P-268: Vulnerability in Telephony Service
P-269: Vulnerabilities in Kerberos
P-270: GAIM Security Update
P-271: Ethereal Security Update