Summary: | net-misc/openswan: IKEv2 Payload NULL Pointer Dereference Denial of Service Vulnerability (CVE-2013-6466) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | floppym, treecleaner |
Priority: | Normal | Keywords: | PMASKED |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://secunia.com/advisories/56613/ | | |
Whiteboard: | B3 [glsa], Pending removal: 2015-04-19 | | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-01-31 08:49:10 UTC
CVE-2013-6466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6466): Openswan 2.6.39 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads.

From: http://www.openwall.com/lists/oss-security/2014/02/18/1

openswan-2.6.40 (released Feb 14) was supposed to address CVE-2013-6466 (which also affected libreswan as per CVE-2013-6467), but the fix is incomplete and openswan can still crash using mangled or missing IKEv2 payloads. libreswan-3.8, which properly addressed this issue, was released on January 15. Exploit code has been available as part of the libreswan test suite at https://github.com/libreswan/libreswan/tree/master/testing/pluto/ikev2-15-fuzzer

```
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007f6f17b89477 in process_v2_packet (mdp=0x7f6f17e504a0 <md.16140>) at /root/openswan-2.6.40/programs/pluto/ikev2.c:541
#2  0x00007f6f17ba5c6f in process_packet (mdp=<optimized out>) at /root/openswan-2.6.40/programs/pluto/demux.c:175
#3  0x00007f6f17ba5dbc in comm_handle (ifp=ifp@...ry=0x7f6f182abb30) at /root/openswan-2.6.40/programs/pluto/demux.c:220
#4  0x00007f6f17b73bc8 in call_server () at /root/openswan-2.6.40/programs/pluto/server.c:764
#5  0x00007f6f17b5b46d in main (argc=29, argv=0x7fffc5817a18) at /root/openswan-2.6.40/programs/pluto/plutomain.c:1110
(gdb) f 1
#1  0x00007f6f17b89477 in process_v2_packet (mdp=0x7f6f17e504a0 <md.16140>) at /root/openswan-2.6.40/programs/pluto/ikev2.c:541
541	    stf = (svm->processor)(md);
(gdb) p svm->processor
$2 = (state_transition_fn *) 0x0
```

I think I would rather migrate users over to libreswan.
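The backtrace above shows `process_v2_packet` calling through `svm->processor` while it is NULL. As an added illustration (not Openswan code; the type names, the transition table and the sample payload flags are constructed for this example), here is that unchecked dispatch beside a guarded version that drops the message instead of crashing the daemon:

```c
#include <stddef.h>
/* Constructed stand-ins for the Openswan names in the backtrace; not the
 * project's real definitions. Exchange type 34 is IKE_SA_INIT. */
typedef enum { STF_OK = 0, STF_IGNORE = 1 } stf_status;

struct msg_digest {
    int exchange_type;    /* IKEv2 exchange type from the header */
    int has_sa_payload;   /* 1 if an SA payload was present */
};
typedef stf_status state_transition_fn(struct msg_digest *md);

struct state_v2_microcode {
    int exchange_type;
    int needs_sa_payload;
    state_transition_fn *processor;   /* NULL when no handler exists */
};

static stf_status process_ike_sa_init(struct msg_digest *md) { (void)md; return STF_OK; }
/* Constructed table: the second row models a recognised exchange whose
 * expected payload is missing, leaving processor == 0x0 as in the report. */
static const struct state_v2_microcode v2_table[] = {
    { 34, 1, process_ike_sa_init },  /* IKE_SA_INIT with SA payload */
    { 34, 0, NULL },                 /* IKE_SA_INIT, SA payload missing */
};

static const struct state_v2_microcode *find_svm(const struct msg_digest *md)
{
    for (size_t i = 0; i < sizeof v2_table / sizeof v2_table[0]; i++)
        if (v2_table[i].exchange_type == md->exchange_type &&
            v2_table[i].needs_sa_payload == md->has_sa_payload)
            return &v2_table[i];
    return NULL;
}

/* Vulnerable shape (ikev2.c:541): unconditional indirect call; a NULL processor jumps to 0. */
stf_status process_v2_packet_unchecked(struct msg_digest *md)
{
    const struct state_v2_microcode *svm = find_svm(md);
    return (svm->processor)(md);
}

/* Hardened shape: no matching handler means drop the message, never dispatch. */
stf_status process_v2_packet_checked(struct msg_digest *md)
{
    const struct state_v2_microcode *svm = find_svm(md);
    if (svm == NULL || svm->processor == NULL)
        return STF_IGNORE;
    return (svm->processor)(md);
}
```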
Obviously it would need to be stabilized first. Would that mean last-riting openswan?

+# Mike Gilbert <floppym@gentoo.org> (13 Jun 2013)
+# Masked due to security bug 499870.
+# Please migrate to net-misc/libreswan.
+# If you are a Gentoo developer, feel free to pick up maintenence of openswan
+# and remove this mask after resolving the security issue.
+net-misc/openswan

GLSA vote: yes.

GLSA Vote: Yes

Created a New GLSA request.

Seems the openswan developers fixed this bug: https://github.com/xelerance/Openswan/blob/master/CHANGES See at: https://github.com/xelerance/Openswan/commit/b36d3109d05f1b069a0a712de7777cef6f6a48e4

Fedora cleaned it up a long time ago, as it's replaced by net-misc/libreswan.

We released a GLSA advising end of support as part of GLSA 201411-07.
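Review bot: the date in the package.mask header line `+# Mike Gilbert <floppym@gentoo.org> (13 Jun 2013)` predates this report (the description is timestamped 2014-01-31); if bug 499870 is this bug, the entry should carry the date the mask is actually added, since the header date is what later cleanup tooling reads. Also, `maintenence` in the fourth comment line is a typo for `maintenance`.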