CVE-2005-0039 - Vulnerability Details - OpenCVE

Certain configurations of IPsec, when using Encapsulating Security Payload (ESP) in tunnel mode, integrity protection at a higher layer, or Authentication Header (AH), allow remote attackers to decrypt IPSec communications by modifying the outer packet in ways that cause plaintext data from the inner packet to be returned in ICMP messages, as demonstrated using bit-flipping attacks and (1) Destination Address Rewriting, (2) a modified header length that causes portions of the packet to be interpreted as IP Options, or (3) a modified protocol field and source address.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nissc	Ipsec

Configuration 1 [-]

cpe:2.3:a:nissc:ipsec:1.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://marc.info/?l=bugtraq&m=111566201610350&w=2
http://secunia.com/advisories/17938
http://securitytracker.com/id?1015320
http://www.kb.cert.org/vuls/id/302220
http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en
http://www.securityfocus.com/archive/1/407774
http://www.securityfocus.com/bid/13562
http://www.vupen.com/english/advisories/2005/0507
http://www.vupen.com/english/advisories/2005/2806

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2005-05-10T04:00:00

Updated: 2024-08-07T20:57:40.989Z

Reserved: 2005-01-07T00:00:00

Link: CVE-2005-0039

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2005-05-10T04:00:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2005-0039

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2005-05-09T00:00:00", "descriptions": [{"lang": "en", "value": "Certain configurations of IPsec, when using Encapsulating Security Payload (ESP) in tunnel mode, integrity protection at a higher layer, or Authentication Header (AH), allow remote attackers to decrypt IPSec communications by modifying the outer packet in ways that cause plaintext data from the inner packet to be returned in ICMP messages, as demonstrated using bit-flipping attacks and (1) Destination Address Rewriting, (2) a modified header length that causes portions of the packet to be interpreted as IP Options, or (3) a modified protocol field and source address."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-10-17T13:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "HPSBTU01217", "tags": ["vendor-advisory", "x_refsource_HP"], "url": "http://www.securityfocus.com/archive/1/407774"}, {"tags": ["x_refsource_MISC"], "url": "http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en"}, {"name": "20050509 NISCC Vulnerability Advisory IPSEC - 004033", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=111566201610350&w=2"}, {"name": "SSRT5957", "tags": ["vendor-advisory", "x_refsource_HP"], "url": "http://www.securityfocus.com/archive/1/407774"}, {"name": "ADV-2005-2806", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2005/2806"}, {"name": "13562", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/13562"}, {"name": "17938", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/17938"}, {"name": "ADV-2005-0507", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2005/0507"}, {"name": "1015320", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1015320"}, {"name": "VU#302220", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/302220"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-0039", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Certain configurations of IPsec, when using Encapsulating Security Payload (ESP) in tunnel mode, integrity protection at a higher layer, or Authentication Header (AH), allow remote attackers to decrypt IPSec communications by modifying the outer packet in ways that cause plaintext data from the inner packet to be returned in ICMP messages, as demonstrated using bit-flipping attacks and (1) Destination Address Rewriting, (2) a modified header length that causes portions of the packet to be interpreted as IP Options, or (3) a modified protocol field and source address."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "HPSBTU01217", "refsource": "HP", "url": "http://www.securityfocus.com/archive/1/407774"}, {"name": "http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en", "refsource": "MISC", "url": "http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en"}, {"name": "20050509 NISCC Vulnerability Advisory IPSEC - 004033", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=111566201610350&w=2"}, {"name": "SSRT5957", "refsource": "HP", "url": "http://www.securityfocus.com/archive/1/407774"}, {"name": "ADV-2005-2806", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2005/2806"}, {"name": "13562", "refsource": "BID", "url": "http://www.securityfocus.com/bid/13562"}, {"name": "17938", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/17938"}, {"name": "ADV-2005-0507", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2005/0507"}, {"name": "1015320", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1015320"}, {"name": "VU#302220", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/302220"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T20:57:40.989Z"}, "title": "CVE Program Container", "references": [{"name": "HPSBTU01217", "tags": ["vendor-advisory", "x_refsource_HP", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/407774"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en"}, {"name": "20050509 NISCC Vulnerability Advisory IPSEC - 004033", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=111566201610350&w=2"}, {"name": "SSRT5957", "tags": ["vendor-advisory", "x_refsource_HP", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/407774"}, {"name": "ADV-2005-2806", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2005/2806"}, {"name": "13562", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/13562"}, {"name": "17938", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/17938"}, {"name": "ADV-2005-0507", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2005/0507"}, {"name": "1015320", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1015320"}, {"name": "VU#302220", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/302220"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-0039", "datePublished": "2005-05-10T04:00:00", "dateReserved": "2005-01-07T00:00:00", "dateUpdated": "2024-08-07T20:57:40.989Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nissc:ipsec:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9BA6334A-DD3E-45AC-B908-73990050BF1F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Certain configurations of IPsec, when using Encapsulating Security Payload (ESP) in tunnel mode, integrity protection at a higher layer, or Authentication Header (AH), allow remote attackers to decrypt IPSec communications by modifying the outer packet in ways that cause plaintext data from the inner packet to be returned in ICMP messages, as demonstrated using bit-flipping attacks and (1) Destination Address Rewriting, (2) a modified header length that causes portions of the packet to be interpreted as IP Options, or (3) a modified protocol field and source address."}], "id": "CVE-2005-0039", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2005-05-10T04:00:00.000", "references": [{"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=111566201610350&w=2"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/17938"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1015320"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/302220"}, {"source": "cve@mitre.org", "url": "http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/407774"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/407774"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/13562"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2005/0507"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2005/2806"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq&m=111566201610350&w=2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/17938"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1015320"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/302220"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/407774"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/407774"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/13562"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2005/0507"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2005/2806"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}