Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 499870 (CVE-2013-6466) - net-misc/openswan: IKEv2 Payload NULL Pointer Dereference Denial of Service Vulnerability (CVE-2013-6466)
Summary: net-misc/openswan: IKEv2 Payload NULL Pointer Dereference Denial of Service V...
Status: RESOLVED FIXED
Alias: CVE-2013-6466
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/56613/
Whiteboard: B3 [glsa],Pending removal: 2015-04-19
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2014-01-31 08:49 UTC by Agostino Sarubbo
Modified: 2015-03-20 23:58 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-01-31 08:49:10 UTC
From ${URL} :

Description

A vulnerability has been reported in Openswan, which can be exploited by malicious people to cause a DoS 
(Denial of Service).

The vulnerability is caused due to a NULL pointer dereference error when handling IKEv2 payloads.

For more information:
SA56420

The vulnerability is reported in version 2.6.39 and prior.


Solution:
No official solution is currently available.

Provided and/or discovered by:
Originally reported by Iustina Melinte in libreswan.

Original Advisory:
https://libreswan.org/security/CVE-2013-6467/CVE-2013-6467.txt


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-02-04 14:05:05 UTC
CVE-2013-6466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6466):
  Openswan 2.6.39 and earlier allows remote attackers to cause a denial of
  service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets
  that lack expected payloads.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-02-04 14:05:05 UTC
CVE-2013-6466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6466):
  Openswan 2.6.39 and earlier allows remote attackers to cause a denial of
  service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets
  that lack expected payloads.
Comment 3 Agostino Sarubbo gentoo-dev 2014-02-20 15:49:57 UTC
from: http://www.openwall.com/lists/oss-security/2014/02/18/1

openswan-2.6.40 (released Feb 14) was supposed to address CVE-2013-6466 (which also affected libreswan as per CVE-2013-6467) but the fix is incomplete and
openswan can still crashed using mangled or missing IKEv2 payloads.

libreswan-3.8 that properly addressed this issue was released on January 15. Exploit code has been available as part of the libreswan test suite at
https://github.com/libreswan/libreswan/tree/master/testing/pluto/ikev2-15-fuzzer


Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007f6f17b89477 in process_v2_packet (mdp=0x7f6f17e504a0 <md.16140>)
    at /root/openswan-2.6.40/programs/pluto/ikev2.c:541
#2  0x00007f6f17ba5c6f in process_packet (mdp=<optimized out>) at /root/openswan-2.6.40/programs/pluto/demux.c:175
#3  0x00007f6f17ba5dbc in comm_handle (ifp=ifp@...ry=0x7f6f182abb30) at /root/openswan-2.6.40/programs/pluto/demux.c:220
#4  0x00007f6f17b73bc8 in call_server () at /root/openswan-2.6.40/programs/pluto/server.c:764
#5  0x00007f6f17b5b46d in main (argc=29, argv=0x7fffc5817a18) at /root/openswan-2.6.40/programs/pluto/plutomain.c:1110
(gdb) f 1
#1  0x00007f6f17b89477 in process_v2_packet (mdp=0x7f6f17e504a0 <md.16140>)
    at /root/openswan-2.6.40/programs/pluto/ikev2.c:541
541		stf = (svm->processor)(md);
(gdb) p svm->processor
$2 = (state_transition_fn *) 0x0
Comment 4 Mike Gilbert gentoo-dev 2014-02-20 15:59:01 UTC
I think I would rather migrate users over to libreswan. Obviously it would need to be stabilized first.

Would that mean last-riting openswan?
Comment 5 Mike Gilbert gentoo-dev 2014-06-13 09:12:34 UTC
+# Mike Gilbert <floppym@gentoo.org> (13 Jun 2013)
+# Masked due to security bug 499870.
+# Please migrate to net-misc/libreswan.
+# If you are a Gentoo developer, feel free to pick up maintenence of openswan
+# and remove this mask after resolving the security issue.
+net-misc/openswan
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2014-06-16 10:19:19 UTC
GLSA vote: yes.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-06-19 01:21:02 UTC
GLSA Vote: Yes
Created a New GLSA request.
Comment 9 Pacho Ramos gentoo-dev 2015-01-27 09:04:52 UTC
Fedora cleaned it long time ago as it's replaced by net-misc/libreswan
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-03-20 23:58:44 UTC
We released a GLSA advising end of support as part of GLSA 201411-07