Bug 272276 - <net-misc/strongswan-4.2.15 Two DoS vulnerabilities (CVE-2009-{1957,1958})
Summary: <net-misc/strongswan-4.2.15 Two DoS vulnerabilities (CVE-2009-{1957,1958})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://lists.strongswan.org/pipermai...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-02 14:57 UTC by Robert Buchholz (RETIRED)
Modified: 2009-07-01 16:15 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Robert Buchholz (RETIRED) gentoo-dev 2009-06-02 14:57:05 UTC
Quoting upstream:
Orange Labs IKEv2 fuzzer discovers two DoS vulnerabilities
----------------------------------------------------------

Two DoS vulnerabilities in the charon daemon were discovered by
fuzzing techniques:

1) Receiving a malformed IKE_SA_INIT request leaves an incomplete state
   which causes a crash of the IKEv2 charon daemon while dereferencing
   a null pointer if a subsequent CREATE_CHILD_SA request for the
   same connection is received.

2) Receiving an IKE_AUTH request with either a missing TSi or TSr
   traffic selector payload causes a crash of the IKEv2 charon daemon
   because the null pointer checks for TSi and TSr prior to deletion
   were swapped by mistake.

The IKEv2 fuzzer used was developed by the Orange Labs vulnerability
research team. The tool was initially written by Gabriel Campana and
is now maintained by Laurent Butti.

All strongSwan versions from 4.1.0 up to 4.3.0 are affected. Either
apply the two security patches

http://download.strongswan.org/patches/03_invalid_ike_state_patch/

http://download.strongswan.org/patches/04_swapped_ts_check_patch/

or upgrade to strongSwan 4.3.1 or 4.2.15.
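The second issue in the advisory quoted above is a classic C defect: two optional pointers whose NULL guards were swapped before deletion, so a message lacking one payload makes the code dereference exactly the pointer that is missing. The following is an added illustration, not code from strongSwan, from the linked patches, or from any participant in this bug. The task structure, payload type and function names are hypothetical stand-ins, and the destructor records a would-be NULL dereference instead of crashing so that the buggy variant can be executed safely next to the corrected one.

```c
#include <stdio.h>

/* Hypothetical stand-in for a traffic-selector payload (TSi or TSr). */
typedef struct ts_payload {
    const char *name;
    int destroyed;
} ts_payload_t;

/* Hypothetical stand-in for the per-exchange state that owns both payloads. */
typedef struct child_create {
    ts_payload_t *tsi;  /* initiator traffic selectors, NULL if the payload was absent */
    ts_payload_t *tsr;  /* responder traffic selectors, NULL if the payload was absent */
} child_create_t;

/*
 * Destroys one payload. A real destructor dereferences p unconditionally and
 * crashes on NULL; this stand-in reports the would-be fault as a return value
 * instead. Returns 1 for a NULL dereference that would have happened, else 0.
 */
static int ts_destroy(ts_payload_t *p)
{
    if (p == NULL) {
        return 1;  /* stands in for the NULL pointer dereference */
    }
    p->destroyed = 1;
    return 0;
}

/* Buggy cleanup: each guard tests the *other* pointer, i.e. the swapped checks. */
int cleanup_swapped(child_create_t *c)
{
    int faults = 0;
    if (c->tsi) faults += ts_destroy(c->tsr);  /* TSi present says nothing about TSr */
    if (c->tsr) faults += ts_destroy(c->tsi);  /* and vice versa */
    return faults;
}

/* Corrected cleanup: each guard tests the pointer it actually protects. */
int cleanup_fixed(child_create_t *c)
{
    int faults = 0;
    if (c->tsi) faults += ts_destroy(c->tsi);
    if (c->tsr) faults += ts_destroy(c->tsr);
    return faults;
}

/* Defensive pre-check: an IKE_AUTH that omits either selector is incomplete. */
int ts_payloads_complete(const child_create_t *c)
{
    return c->tsi != NULL && c->tsr != NULL;
}

/* Builds a state with the given payloads present and runs the buggy cleanup. */
int faults_swapped(int have_tsi, int have_tsr)
{
    ts_payload_t tsi = { "TSi", 0 }, tsr = { "TSr", 0 };
    child_create_t c = { have_tsi ? &tsi : NULL, have_tsr ? &tsr : NULL };
    return cleanup_swapped(&c);
}

/* Same scenario against the corrected cleanup. */
int faults_fixed(int have_tsi, int have_tsr)
{
    ts_payload_t tsi = { "TSi", 0 }, tsr = { "TSr", 0 };
    child_create_t c = { have_tsi ? &tsi : NULL, have_tsr ? &tsr : NULL };
    return cleanup_fixed(&c);
}

int main(void)
{
    /* Constructed scenarios: both payloads, only TSi, only TSr, neither. */
    int cases[4][2] = { {1, 1}, {1, 0}, {0, 1}, {0, 0} };
    for (int i = 0; i < 4; i++) {
        int ti = cases[i][0], tr = cases[i][1];
        printf("TSi=%d TSr=%d  swapped faults=%d  fixed faults=%d\n",
               ti, tr, faults_swapped(ti, tr), faults_fixed(ti, tr));
    }
    return 0;
}
```

With both payloads present the swapped guards happen to work, which is why such a bug survives normal interoperability testing and only a fuzzer that drops individual payloads finds it. The `ts_payloads_complete` check shows the second layer a responder can add: reject an IKE_AUTH missing a selector before any state is torn down, so that cleanup paths never see half-populated structures in the first place.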
Comment 1 Milan Holzäpfel 2009-06-06 22:51:16 UTC
Copying strongswan-4.2.8.ebuild to strongswan-4.3.1.ebuild works on AMD64 here. 
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-06-07 15:04:26 UTC
+*strongswan-4.2.15 (07 Jun 2009)
+
+  07 Jun 2009; Robert Buchholz <rbu@gentoo.org> +strongswan-4.2.15.ebuild:
+  Version bump, fixes security bug 264346 and 272276. Remove old warning in
+  the code, fix dependencies and configure options. Comment in user and group
+  specification again. Added some TODOs.
+
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-07-01 16:15:20 UTC
CVE-2009-1957 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1957):
  charon/sa/ike_sa.c in the charon daemon in strongSWAN before 4.3.1
  allows remote attackers to cause a denial of service (NULL pointer
  dereference and crash) via an invalid IKE_SA_INIT request that
  triggers "an incomplete state," followed by a CREATE_CHILD_SA request.

CVE-2009-1958 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1958):
  charon/sa/tasks/child_create.c in the charon daemon in strongSWAN
  before 4.3.1 switches the NULL checks for TSi and TSr payloads, which
  allows remote attackers to cause a denial of service via an IKE_AUTH
  request without a (1) TSi or (2) TSr traffic selector.