Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 468008 - net-misc/strongswan: ECDSA signature verification vulnerability (CVE-2013-2944)
Summary: net-misc/strongswan: ECDSA signature verification vulnerability (CVE-2013-2944)
Status: RESOLVED DUPLICATE of bug 468504
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.strongswan.org/blog/2013/0...
Whiteboard:
Keywords:
: 468300 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-04-30 13:53 UTC by Thomas Deutschmann
Modified: 2013-05-09 12:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev 2013-04-30 13:53:07 UTC
From ${URL} :

Summary:
strongSwan 5.0.4 fixes a security vulnerability which affects all versions since 4.3.5 if the openssl plugin is used for ECDSA signature verification.


ECDSA signature verification vulnerability
==========================================
This release fixes a security vulnerability (CVE-2013-2944) which exists in all versions since 4.3.5 and up to 5.0.3. If the openssl plugin is used for ECDSA signature verification an empty, zeroed or otherwise invalid signature is handled as a legitimate one. Both IKEv1 and IKEv2 are affected.

Affected are only installations that have enabled and loaded the OpenSSL crypto backend (--enable-openssl). Builds using the default crypto backends are not affected.

While this new ECDSA vulnerability is very similar to the RSA signature vulnerability CVE-2012-2388, it is not directly related.

A connection definition using ECDSA authentication is required to exploit this vulnerability. Given that, an attacker presenting a forged signature and/or certificate can authenticate as any legitimate user. Injecting code is not possible by such an attack.

To fix this issue please either update to 5.0.4 or apply the appropriate patch [1] yourself.

This vulnerability was discovered by Kevin Wojtysiak, an independent Security Consultant. We want to express our thanks to Kevin for notifying us in advance about this critical security issue.


References:
===========
[1] http://download.strongswan.org/patches/10_openssl_ecdsa_signature_patch/

Reproducible: Always
Comment 1 Sergey Popov gentoo-dev 2013-05-02 14:33:45 UTC
*** Bug 468300 has been marked as a duplicate of this bug. ***
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-05-09 12:33:51 UTC

*** This bug has been marked as a duplicate of bug 468504 ***