CVE-2004-0218
Description
Remote attackers can cause a denial of service (infinite loop) in OpenBSD isakmpd via a zero-length ISAKMP payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In OpenBSD 3.4 and earlier, the ISAKMP packet processing functions in the isakmpd daemon do not correctly handle a payload whose "Payload Length" field in the Generic Payload Header is set to zero [1][2]. The ISAKMP standard requires the length field, but when it is set to zero the daemon enters an infinite loop [2]. OpenBSD-current as of March 17, 2004 is also affected [1].
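A payload-chain walker with the length check this class of bug calls for, as an added example (not isakmpd's code and not the OpenBSD patch). The function names, the constructed two-payload sample and the use of the datagram size as the bound are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define ISAKMP_HDR_LEN   28  /* fixed ISAKMP header */
#define GENERIC_HDR_LEN   4  /* next payload, reserved, 16-bit length */
#define NEXT_PAYLOAD_OFF 16  /* type of the first payload, in the ISAKMP header */

/* Walk the payload chain of one ISAKMP message (hypothetical helper).
 * Returns the number of payloads, or -1 if the message is malformed. */
int count_payloads(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < ISAKMP_HDR_LEN)
        return -1;

    uint8_t next = msg[NEXT_PAYLOAD_OFF];
    size_t off = ISAKMP_HDR_LEN;
    int count = 0;

    while (next != 0) {                    /* 0 means no further payload */
        if (len - off < GENERIC_HDR_LEN)
            return -1;                     /* truncated generic header */
        size_t plen = ((size_t)msg[off + 2] << 8) | msg[off + 3];
        /* Payload Length covers the generic header itself, so any value
         * below 4 (including 0) is invalid. Without this check a zero
         * length leaves off unchanged and the same header is read again. */
        if (plen < GENERIC_HDR_LEN || plen > len - off)
            return -1;
        next = msg[off];
        off += plen;
        count++;
    }
    return count;
}

/* Constructed sample: header plus two 8-byte payloads, with the second
 * payload's Payload Length field set to second_len. */
int sample_result(uint16_t second_len)
{
    uint8_t buf[ISAKMP_HDR_LEN + 16] = {0};
    buf[NEXT_PAYLOAD_OFF] = 1;                  /* first payload: SA */
    buf[ISAKMP_HDR_LEN + 0] = 13;               /* next payload: Vendor ID */
    buf[ISAKMP_HDR_LEN + 3] = 8;                /* first payload length */
    buf[ISAKMP_HDR_LEN + 10] = (uint8_t)(second_len >> 8);
    buf[ISAKMP_HDR_LEN + 11] = (uint8_t)(second_len & 0xff);
    return count_payloads(buf, sizeof buf);
}
```

The same bound check also rejects lengths that run past the end of the datagram, so a malformed chain is dropped instead of being walked.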
Exploitation
An unauthenticated remote attacker can send a specially crafted ISAKMP packet containing a payload with the "Payload Length" field set to zero [1][2]. The Striker ISAKMP Protocol Test Suite, used by Rapid7, demonstrated the flaw [1]. No authentication or prior access is required; the attacker only needs network connectivity to the target system's ISAKMP service (typically UDP port 500) [1].
Impact
A successful attack causes isakmpd to enter an infinite loop, consuming 100% CPU and rendering the service unresponsive [1][2]. This results in a denial of service, preventing the establishment of IPsec security associations and disrupting encrypted communications [2]. The vulnerability does not lead to code execution or data disclosure.
Mitigation
OpenBSD released source code patches for -current, 3.4-stable, and 3.3-stable [1][2]. The patches are available from the OpenBSD errata page [3]. Affected systems should apply the patch immediately. OpenBSD 3.5, upcoming at the time, introduced privilege separation for isakmpd, which reduces the risk of similar flaws [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References (8)
- www.openbsd.org/errata.html (nvd, Patch)
- www.kb.cert.org/vuls/id/349113 (nvd, US Government Resource)
- marc.info (nvd)
- secunia.com/advisories/11156 (nvd)
- www.rapid7.com/advisories/R7-0018.html (nvd)
- www.securityfocus.com/bid/10028 (nvd)
- www.securitytracker.com/alerts/2004/Mar/1009468.html (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/15518 (nvd)