Bug 847506 - (CVE-2013-6075) VUL-0: CVE-2013-6075: strongswan DoS and authorization bypass vulnerability via crafted ID payload
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
maint:released:sle11-sp3:54899 maint...
Reported: 2013-10-24 15:40 UTC by Victor Pereira
Modified: 2013-12-23 19:04 UTC

Found By: Security Response Team


Attachments
suggested patch (817 bytes, patch)
2013-10-24 15:40 UTC, Victor Pereira
Comment 6 Bernhard Wiedemann 2013-11-01 13:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (847506) was mentioned in
https://build.opensuse.org/request/show/205538 12.2 / strongswan
https://build.opensuse.org/request/show/205539 12.3 / strongswan
https://build.opensuse.org/request/show/205541 Factory / strongswan
Comment 8 Bernhard Wiedemann 2013-11-04 11:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (847506) was mentioned in
https://build.opensuse.org/request/show/205685 Maintenance /
Comment 9 Marcus Meissner 2013-11-06 08:12:24 UTC
public

http://www.strongswan.org/blog/2013/11/01/strongswan-denial-of-service-vulnerability-%28cve-2013-6075%29.html



strongSwan Denial-of-Service Vulnerability and Potential Authorization Bypass (CVE-2013-6075)

Posted on Nov 01, 2013 by tobias  | Tags: 4.x, 5.0.x, 5.1.x, security fix

A DoS vulnerability and potential authorization bypass triggered by a crafted ID_DER_ASN1_DN ID payload was discovered in strongSwan. All versions since 4.3.3 are affected.

A crash report from one of our partners led to the discovery of a DoS vulnerability and potential authorization bypass in strongSwan (CVE-2013-6075). Affected are strongSwan versions 4.3.3 and newer, up to 5.1.0.

The bug can be triggered by a crafted ID_DER_ASN1_DN ID payload and is caused by an insufficient length check when comparing such identities. There are two possible attack vectors targeting this vulnerability.

DoS Attack

A crafted ID payload may be sent to cause memory reads outside the specified boundaries or a NULL dereference. As a result the IKE daemon might crash. As no write operation is performed, it is unlikely that injecting code is possible through this attack.

Authorization Bypass

With a crafted ID payload, an attacker might impersonate a different user and get access to VPN connection profiles it wouldn't have to. This requires, however, that a user gets successfully authenticated with appropriate credentials. It seems quite difficult to construct such an attack, but we can't rule out the possibility at this time.

Fix

The just released strongSwan 5.1.1 fixes this vulnerability. For older releases we provide a patch that fixes the vulnerability in versions 4.3.3 and newer and should apply to all versions.
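
The advisory quoted in Comment 9 attributes the bug to an insufficient length check when comparing ID_DER_ASN1_DN identities. The following C example is added here to illustrate that class of check; it is not strongSwan's code and not the attached patch. The names `der_unwrap` and `dn_equal_checked` and the sample byte arrays are hypothetical. It compares two DER-encoded DNs only after confirming that each encoded length fits the bytes actually received.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not strongSwan code: unwrap one DER TLV. Fails on
 * truncated input, indefinite length, or a length past the buffer end. */
static bool der_unwrap(const unsigned char *buf, size_t len, unsigned char tag,
                       const unsigned char **body, size_t *body_len)
{
    size_t pos = 2, n = 0;
    if (buf == NULL || len < 2 || buf[0] != tag)
        return false;
    if (buf[1] < 0x80) {                /* short form */
        n = buf[1];
    } else {                            /* long form: k length bytes follow */
        size_t k = buf[1] & 0x7f;
        if (k == 0 || k > sizeof(size_t) || k > len - 2)
            return false;
        while (k--)
            n = (n << 8) | buf[pos++];
    }
    if (n > len - pos)                  /* claimed length vs. bytes present */
        return false;
    *body = buf + pos;
    *body_len = n;
    return true;
}

/* Compare two DER DNs (outer SEQUENCE, tag 0x30). Malformed input never
 * matches, so a bad length can neither over-read nor equal a valid ID. */
bool dn_equal_checked(const unsigned char *a, size_t a_len,
                      const unsigned char *b, size_t b_len)
{
    const unsigned char *ab, *bb;
    size_t an, bn;
    if (!der_unwrap(a, a_len, 0x30, &ab, &an) ||
        !der_unwrap(b, b_len, 0x30, &bb, &bn))
        return false;
    if ((size_t)(ab - a) + an != a_len || (size_t)(bb - b) + bn != b_len)
        return false;                   /* no trailing bytes allowed */
    return an == bn && memcmp(ab, bb, an) == 0;
}

/* Constructed samples: CN=a, and the same bytes with an inflated length. */
const unsigned char good_dn[] = {0x30,0x0c,0x31,0x0a,0x30,0x08,0x06,0x03,
                                 0x55,0x04,0x03,0x13,0x01,0x61};
const unsigned char bad_dn[]  = {0x30,0x7f,0x31,0x0a,0x30,0x08,0x06,0x03,
                                 0x55,0x04,0x03,0x13,0x01,0x61};
int main(void) { return dn_equal_checked(good_dn, 14, good_dn, 14) ? 0 : 1; }
```
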
Comment 10 Swamp Workflow Management 2013-11-09 09:05:23 UTC
openSUSE-SU-2013:1646-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 847506
CVE References: CVE-2013-6075
Sources used:
openSUSE 12.3 (src):    strongswan-5.0.1-4.12.1
Comment 11 Swamp Workflow Management 2013-11-09 20:04:37 UTC
openSUSE-SU-2013:1651-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 840826,847506
CVE References: CVE-2013-6075
Sources used:
openSUSE 11.4 (src):    strongswan-4.5.0-6.60.1
Comment 12 Bernhard Wiedemann 2013-11-21 05:00:47 UTC
This is an autogenerated message for OBS integration:
This bug (847506) was mentioned in
https://build.opensuse.org/request/show/207810 Evergreen:11.2:Test / strongswan
Comment 13 Swamp Workflow Management 2013-12-12 16:49:53 UTC
Update released for: strongswan, strongswan-debuginfo, strongswan-debugsource, strongswan-doc
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 14 Swamp Workflow Management 2013-12-20 11:04:33 UTC
Update released for: strongswan, strongswan-debuginfo, strongswan-debugsource, strongswan-doc
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 15 Swamp Workflow Management 2013-12-20 12:50:22 UTC
Update released for: strongswan, strongswan-debuginfo, strongswan-debugsource, strongswan-doc
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 16 Swamp Workflow Management 2013-12-20 16:04:42 UTC
SUSE-SU-2013:1866-2: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 833278,840826,847506
CVE References: CVE-2013-5018
Sources used:
SUSE Linux Enterprise Server 11 SP2 for VMware (src):    strongswan-4.4.0-6.21.1
SUSE Linux Enterprise Server 11 SP2 (src):    strongswan-4.4.0-6.21.1
SUSE Linux Enterprise Desktop 11 SP2 (src):    strongswan-4.4.0-6.21.1
Comment 17 Sebastian Krahmer 2013-12-23 10:38:10 UTC
done
Comment 18 Swamp Workflow Management 2013-12-23 19:04:52 UTC
SUSE-SU-2013:1866-3: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 833278,840826,847506
CVE References: CVE-2013-5018
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    strongswan-4.4.0-6.15.1