CVE-2005-0039 Information

Description

Certain configurations of IPsec, when using Encapsulating Security Payload (ESP) in tunnel mode, integrity protection at a higher layer, or Authentication Header (AH), allow remote attackers to decrypt IPsec communications by modifying the outer packet in ways that cause plaintext data from the inner packet to be returned in ICMP messages, as demonstrated using bit-flipping attacks and (1) Destination Address Rewriting, (2) a modified header length that causes portions of the packet to be interpreted as IP Options, or (3) a modified protocol field and source address.

Reference

http://marc.info/?l=bugtraq&m=111566201610350&w=2
http://secunia.com/advisories/17938
http://securitytracker.com/id?1015320
http://www.kb.cert.org/vuls/id/302220
http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en
http://www.securityfocus.com/archive/1/407774
http://www.securityfocus.com/bid/13562
http://www.vupen.com/english/advisories/2005/0507
http://www.vupen.com/english/advisories/2005/2806
