Bugzilla – Bug 815236
VUL-0: CVE-2013-2944: strongswan: ECDSA signature vulnerability
Last modified: 2013-10-14 15:46:42 UTC
EMBARGOED:

Dear strongSwan partner,

We have been informed by Kevin Wojtysiak about a security vulnerability in strongSwan that he discovered. If the strongSwan "openssl" plugin is used for ECDSA signature verification, an empty, zeroed or otherwise invalid signature is handled as a legitimate one. CVE-2013-2944 has been assigned for this vulnerability.

Affected are only installations that have enabled and loaded the OpenSSL crypto backend (--enable-openssl). Builds using the default crypto backends are not affected. While this new ECDSA vulnerability is very similar to the RSA signature vulnerability CVE-2012-2388, it is not directly related.

To exploit the vulnerability, a connection definition using ECDSA authentication is required. An attacker presenting a forged signature and/or certificate can authenticate as any legitimate user. strongSwan versions back to 4.3.5 and up to 5.0.3 are affected, using both IKEv1 and IKEv2. Injecting code is not possible by such an attack.

The attached patch fixes the vulnerability and should apply to all affected versions. Please prepare updated releases and patch your installations, but do not yet publicly disclose any information about this vulnerability. We want to give you as a partner enough time to prepare new releases and will publicly disclose the vulnerability with an updated strongSwan release on Tuesday April 30, 12:00 noon UTC.

Our apologies for having such a serious vulnerability in the strongSwan codebase and thank you for respecting our responsible disclosure procedure.

Kind Regards
Tobias Brunner
strongSwan Developer
Created attachment 535157: attached fix.
The SWAMPID for this issue is 52124. This issue was rated as moderate. Please submit fixed packages by 2013-04-30. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by the security team.
Gone public: http://www.strongswan.org/strongswan-5.0.4-released-(cve-2013-2944).html
This is an autogenerated message for OBS integration: This bug (815236) was mentioned in https://build.opensuse.org/request/show/173968 Maintenance / https://build.opensuse.org/request/show/173969 Maintenance / https://build.opensuse.org/request/show/173970 Maintenance
OK, fixes for all released distributions and Factory are submitted.
This is an autogenerated message for OBS integration: This bug (815236) was mentioned in https://build.opensuse.org/request/show/173989 Factory / strongswan
openSUSE-SU-2013:0774-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 815236 CVE References: CVE-2013-2944 Sources used: openSUSE 12.1 (src): strongswan-4.5.3-5.11.1
openSUSE-SU-2013:0775-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 815236 CVE References: CVE-2013-2944 Sources used: openSUSE 12.2 (src): strongswan-4.6.4-2.8.1
openSUSE-SU-2013:0873-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 815236 CVE References: CVE-2013-2944 Sources used: openSUSE 12.3 (src): strongswan-5.0.1-4.4.1
openSUSE-SU-2013:0985-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 815236 CVE References: CVE-2013-2944 Sources used: openSUSE 11.4 (src): strongswan-4.5.0-6.52.1
Update released for: strongswan, strongswan-debuginfo, strongswan-debugsource, strongswan-doc Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: strongswan, strongswan-debuginfo, strongswan-debugsource, strongswan-doc Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: strongswan, strongswan-debuginfo, strongswan-doc Products: SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
released
Update released for: strongswan, strongswan-debuginfo, strongswan-debugsource, strongswan-doc Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
I think this can be closed. Fixed RPMs should be there. Feel free to reopen if there's anything left.