Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 468008

Summary: net-misc/strongswan: ECDSA signature verification vulnerability (CVE-2013-2944)
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: alexander, tobias.feldhaus
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2013-04-30 13:53:07 UTC
From ${URL} :

strongSwan 5.0.4 fixes a security vulnerability which affects all versions since 4.3.5 if the openssl plugin is used for ECDSA signature verification.

ECDSA signature verification vulnerability
This release fixes a security vulnerability (CVE-2013-2944) which exists in all versions since 4.3.5 and up to 5.0.3. If the openssl plugin is used for ECDSA signature verification an empty, zeroed or otherwise invalid signature is handled as a legitimate one. Both IKEv1 and IKEv2 are affected.

Affected are only installations that have enabled and loaded the OpenSSL crypto backend (--enable-openssl). Builds using the default crypto backends are not affected.

While this new ECDSA vulnerability is very similar to the RSA signature vulnerability CVE-2012-2388, it is not directly related.

A connection definition using ECDSA authentication is required to exploit this vulnerability. Given that, an attacker presenting a forged signature and/or certificate can authenticate as any legitimate user. Injecting code is not possible by such an attack.

To fix this issue please either update to 5.0.4 or apply the appropriate patch [1] yourself.

This vulnerability was discovered by Kevin Wojtysiak, an independent Security Consultant. We want to express our thanks to Kevin for notifying us in advance about this critical security issue.


Reproducible: Always
Comment 1 Sergey Popov gentoo-dev 2013-05-02 14:33:45 UTC
*** Bug 468300 has been marked as a duplicate of this bug. ***
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-05-09 12:33:51 UTC

*** This bug has been marked as a duplicate of bug 468504 ***