Vigil@nce - OpenBSD: denial of service via pfsync with IPSEC
May 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When the OpenBSD kernel is compiled with IPSEC, the replication of
tunnels by pfsync stops the system.
Severity: 2/4
Creation date: 27/04/2010
DESCRIPTION OF THE VULNERABILITY
The pfsync feature synchronizes the state of a Packet Filter
firewall between two computers, in order to provide high
availability.
When the kernel is compiled with IPSEC support, information
for each tunnel is stored in a TDB (Tunnel Descriptor Block). The
pfsync_in_tdb() function in the src/sys/net/if_pfsync.c file
synchronizes TDBs between two computers.
However, a typographic error in pfsync_in_tdb() causes a read at
an invalid memory address when there are several TDBs.
When the OpenBSD kernel is compiled with IPSEC, the replication of
tunnels by pfsync therefore stops the system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenBSD-denial-of-service-via-pfsync-with-IPSEC-9614