Bug 57153 (CVE-2004-0590)

Summary: VUL-0: CVE-2004-0590: freeswan: PKCS#7 cert vulnerability
Product: [Novell Products] SUSE Security Incidents
Component: Incidents
Reporter: Kurt Garloff <garloff>
Assignee: Security Team bot <security-team>
QA Contact: Security Team bot <security-team>
CC: security-team
Status: RESOLVED FIXED
Severity: Major
Priority: P3 - Medium
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0590: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 50256
Attachments:
  pkcs7_vulnerability.patch
  pkcs7_vulnerability.patch2
  sles patchinfo /work/src/done/PATCHINFO/freeswan.patch
  box /work/src/done/PATCHINFO/freeswan.IK3049

Description Kurt Garloff 2004-06-17 20:12:52 UTC
Andreas Steffen writes: 
8<----------------------------------------------------------------- 
[-- Attachment #1 [details] --] 
[-- Type: text/plain, Encoding: 8bit, Size: 2.8K --] 
 
Hello Thomas, 
 
you are right. The support of PKCS#7 wrapped certificates as required 
e.g. by Windows XP with multi-tier trust chains introduced the 
vulnerability that you describe in your posting. The proposed fix is simple. 
We will not accept any end certificates with identical subject and 
issuer distinguished names before the trust chain verification loop 
is entered. 
 
I have appended a patch which fixes the vulnerability for openswan-2.x, 
strongswan-2.x and all X.509 patches for freeswan-2.x. A similar patch 
will be made available for freeswan-1.99 based releases. The most 
recent versions of openswan, strongswan and the X.509 patches will be 
updated. 
 
Thanks for making me aware of this serious vulnerability. 
 
Andreas 
 
Thomas Walpuski wrote: 
>It looks like there is an authentication bug in strongSwan/Openswan.                            
>(I've not verified the issue on a running system, yet.)                                         
>                                                                                                
>If an attacker sends his (fake) CA certificate with issuer A and
>subject B and user certificate with issuer B and subject B signed by his                        
>CA wrapped in PKCS#7 as certificate payload the following happens:                              
>                                                                                                
>  0 ...                                                                                         
>  1 decode_cert() lets parse_pkcs7_cert() parse the certificate payload                         
>    and passes the result to store_x509certs().                                                 
>  2.1 store_x509certs() walks through the CA certificate(s), ensures                            
>      that it is no root CA (subject /= issuer) and enters it to the CA                         
>      certificate storage. => The attacker's CA certificate makes its way
>      into the CA certificate storage.                                                          
>  2.2 store_x509certs() walks through all certificates and adds their                           
>      public key and identity to the key storage _if_ they can be                               
>      verified:                                                                                 
>                                                                                                
>        verify_x509cert() checks whether the user certificate is in its                         
>       validity period, gets the issuer's certificate and checks the                            
>       user certificate's signature. => The attacker gets his user                              
>       certificate verified, because he already got his CA certificate                          
>       in.                                                                                      
>       If the user certificate's issuer and subject are the same,
>       verify_x509cert() returns TRUE indicating successful certificate                         
>       verification, otherwise the issuer certificate is checked. =>                            
>       In the attacker's user certificate subject = issuer, ...                                 
>                                                                                                
>With a carefully crafted certificate payload anyone can "authenticate"                          
>against strongSwan/Openswan.                                                                    
>                                                                                                
>What do you think? Have I missed something substantial?                                         
>                                                                                                
>BTW: Sorry for posting to your mailing lists. I didn't find any security
>contact information.                                                                            
>                                                                                                
>Thomas Walpuski                                                                                 
 
======================================================================= 
Andreas Steffen                   e-mail: andreas.steffen@strongsec.com 
strongSec GmbH                    home:   http://www.strongsec.com 
Alter Zürichweg 20                phone:  +41 1 730 80 64 
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65 
==========================================[strong internet security]=== 
 
8<----------------------------------------------------------------- 
 
At least SL8.1 -- 9.1 and SLES8+9 are affected.
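
A simplified C model of the verification flow described in the report above, with the check from the proposed fix behind a flag. This is an added example, not pluto's code and not the attached patch; the struct, the names store_payload_ca and verify_chain, the string comparison standing in for signature verification, and the sample certificates are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <string.h>

/* Toy certificate: signed_by names the signing key (a constructed
 * stand-in for a real signature check). Not pluto's data structures. */
struct cert { const char *subject, *issuer, *key, *signed_by; };
static const struct cert *ca_store[8];
static int ca_count;

static const struct cert *find_ca(const char *dn) {
    for (int i = 0; i < ca_count; i++)
        if (strcmp(ca_store[i]->subject, dn) == 0) return ca_store[i];
    return NULL;
}
/* Step 2.1 of the report: a CA from the payload is stored unverified
 * as long as it is not a root (subject != issuer). */
static void store_payload_ca(const struct cert *ca) {
    if (strcmp(ca->subject, ca->issuer) != 0 && ca_count < 8)
        ca_store[ca_count++] = ca;
}
/* Chain walk of step 2.2; reject_self_signed_end enables the fix. */
static bool verify_chain(const struct cert *c, bool reject_self_signed_end) {
    if (reject_self_signed_end && strcmp(c->subject, c->issuer) == 0)
        return false;                 /* fix: refuse before the loop */
    for (int depth = 0; depth < 8; depth++) {
        const struct cert *iss = find_ca(c->issuer);
        if (iss == NULL || strcmp(c->signed_by, iss->key) != 0)
            return false;             /* unknown issuer or bad signature */
        if (strcmp(c->subject, c->issuer) == 0)
            return true;              /* subject == issuer: treated as root */
        c = iss;
    }
    return false;
}
/* Constructed sample certificates: {subject, issuer, key, signed_by}. */
static const struct cert root_a    = { "A", "A", "key-A", "key-A" };
static const struct cert fake_ca   = { "B", "A", "key-X", "key-X" };
static const struct cert fake_user = { "B", "B", "key-U", "key-X" };
static const struct cert good_ca   = { "C", "A", "key-C", "key-A" };
static const struct cert good_user = { "D", "C", "key-D", "key-C" };
static void setup(void) {
    ca_count = 0;
    ca_store[ca_count++] = &root_a;   /* locally trusted root */
    store_payload_ca(&fake_ca);
    store_payload_ca(&good_ca);
}
int main(void) {
    setup();
    return verify_chain(&fake_user, true) ? 1 : 0;  /* 0: forgery rejected */
}
```

In this model the forged CA's own signature is never compared against key-A, because the walk stops at the end certificate once it sees subject equal to issuer; the legitimate chain D -> C -> A still verifies with the check enabled.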
Comment 1 Kurt Garloff 2004-06-17 20:12:52 UTC
Use your imagination.
Comment 2 Kurt Garloff 2004-06-17 20:14:31 UTC
Created attachment 21306 [details]
pkcs7_vulnerability.patch

Fix for X.509-1.xx (open/strong/freeswan2).
Comment 3 Kurt Garloff 2004-06-24 22:11:58 UTC
Security team: This went over the ipsec developer's list. 
I assume that means this is public. Any CAN number? 
Comment 4 Kurt Garloff 2004-06-24 22:21:21 UTC
I asked Andreas for a patch to X509-0.9.x. (SL81-90, SLES8) 
Updated package for SLES9 submitted. 
Comment 5 Kurt Garloff 2004-06-25 00:58:33 UTC
Package for SLES9 has been checked in. Remains the YOU update for SL91 
and the patches + updates for SL81--90 and SLES8. 
I'll be on vacation the next two weeks, so reassign to lnussel. 
Comment 6 Ludwig Nussel 2004-06-25 16:15:40 UTC
Created attachment 21661 [details]
pkcs7_vulnerability.patch2

updated patches from andreas steffen for freeswan 2.x and 1.9x
Comment 7 Thomas Biege 2004-06-25 19:04:34 UTC
CAN-2004-0590 
Comment 8 Ludwig Nussel 2004-06-25 20:11:05 UTC
Created attachment 21671 [details]
sles patchinfo /work/src/done/PATCHINFO/freeswan.patch
Comment 9 Ludwig Nussel 2004-06-25 20:11:22 UTC
Created attachment 21672 [details]
box /work/src/done/PATCHINFO/freeswan.IK3049
Comment 10 Ludwig Nussel 2004-06-25 21:36:27 UTC
packages submitted. I did some basic tests on all of them except for 8.0. 
Comment 11 Thomas Biege 2004-07-15 19:59:50 UTC
packages were approved. 
 
Comment 12 Thomas Biege 2009-10-13 20:26:39 UTC
CVE-2004-0590: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)