Bug#: 238534
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Description:   Opened: 2008-09-24 02:01 0000
musecurity wrote:

strongSwan IKEv2 Denial-of-Service Vulnerability [MU-200809-01]
September 18, 2008

http://labs.mudynamics.com/advisories.html

Affected Products/Versions:

strongswan 4.2.6 and other branches

Product Overview:
strongSwan is an Open Source IPsec-based VPN Solution for the Linux operating
system.

www.strongswan.org

Vulnerability Details:

An IKE_SA_INIT message with a Key Exchange payload containing a large number of
NULL values can cause a crash of the IKEv2 charon daemon. The problem is 
strongSwan dereferences a NULL pointer returned by the mpz_export() function
of the GNU Multiprecision Library (GMP).

Vendor Response / Solution:

Fixed in strongSwan 4.2.7 and other branches.
Available from www.strongswan.org/

History:

September 16, 2008 - First contact with vendor
September 17, 2008 - Vendor releases fix

See also:

http://wiki.strongswan.org/changeset/4345

Credit:

This vulnerability was discovered by the Mu Dynamics research team.

------- Comment #1 From Robin Johnson 2008-09-24 02:48:54 0000 -------
4.2.7 in CVS.

------- Comment #2 From Robert Buchholz 2008-09-24 16:03:58 0000 -------
It seems this does not affect our stable 2.8.0, since the code is not present
there.

------- Comment #3 From Robert Buchholz 2008-10-21 14:35:31 0000 -------
======================================================
Name: CVE-2008-4551
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4551
Reference: MISC:http://labs.mudynamics.com/advisories/MU-200809-01.txt
Reference: CONFIRM:http://download.strongswan.org/CHANGES4.txt
Reference: BID:31291
Reference: URL:http://www.securityfocus.com/bid/31291
Reference: FRSIRT:ADV-2008-2660
Reference: URL:http://www.frsirt.com/english/advisories/2008/2660
Reference: SECTRACK:1020903
Reference: URL:http://www.securitytracker.com/id?1020903
Reference: SECUNIA:31963
Reference: URL:http://secunia.com/advisories/31963

strongSwan 4.2.6 and earlier allows remote attackers to cause a denial
of service (daemon crash) via an IKE_SA_INIT message with a large
number of NULL values in a Key Exchange payload, which triggers a NULL
pointer dereference for the return value of the mpz_export function in
the GNU Multiprecision Library (GMP).
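
The failure mode named in the advisory and the CVE entry above, as an added example that is not part of this bug report or of strongSwan's code. `export_be` is a stand-in that follows the behaviour GMP documents for `mpz_export` with a zero operand, so the block runs without GMP installed; `export_fixed` and `ke_value_acceptable` are hypothetical names, and refusing an all-zero value up front is this example's assumption, not a description of the vendor's fix.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in with the contract GMP documents for mpz_export(NULL, &count, ...):
 * minimal big-endian bytes in a malloc'd buffer; for a zero value count is
 * set to 0, nothing is allocated and NULL is returned. */
static uint8_t *export_be(const uint8_t *val, size_t len, size_t *count)
{
    while (len > 0 && *val == 0) { val++; len--; }  /* drop leading zero bytes */
    *count = len;
    if (len == 0)
        return NULL;                                /* value is zero */
    uint8_t *out = malloc(len);
    if (out != NULL)
        memcpy(out, val, len);
    return out;
}

/* Hardened caller: left-pads the value with zeros to exactly out_len bytes.
 * Returns 0 on success, -1 on allocation failure or if the value is too big. */
int export_fixed(const uint8_t *val, size_t len, uint8_t *out, size_t out_len)
{
    size_t count = 0;
    uint8_t *tmp = export_be(val, len, &count);

    if (tmp == NULL && count != 0)
        return -1;                                  /* malloc failed */
    if (count > out_len) { free(tmp); return -1; }
    memset(out, 0, out_len);
    if (tmp != NULL)                                /* NULL + count 0 == zero */
        memcpy(out + (out_len - count), tmp, count);
    free(tmp);
    return 0;
}

/* Input check (assumption of this example): an empty or all-zero Key
 * Exchange value is refused before any arithmetic is done with it. */
int ke_value_acceptable(const uint8_t *ke, size_t len)
{
    while (len > 0 && *ke == 0) { ke++; len--; }
    return len > 0;
}

int main(void)
{
    uint8_t ke[16] = {0}, out[16];  /* constructed all-zero sample value */
    /* exits 0: the value is refused, and exporting it anyway does not crash */
    return ke_value_acceptable(ke, sizeof ke) || export_fixed(ke, sizeof ke, out, sizeof out);
}
```

An unchecked caller that copies from the returned pointer, or indexes into it, is where a zero value turns into the daemon crash described above.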
