Bug 1101792 - (CVE-2018-5389) VUL-0: CVE-2018-5389: strongswan,openswan: IKE Protocol Vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Manuel Buil
Security Team bot
https://smash.suse.de/issue/211125/
CVSSv3:SUSE:CVE-2018-5389:6.7:(AV:L/...
Reported: 2018-07-19 08:29 UTC by Karol Babioch
Modified: 2022-04-12 12:16 UTC (History)

Found By: Security Response Team
abergmann: needinfo? (mt)
Comment 4 Marcus Meissner 2018-08-14 05:31:36 UTC
Is public now:

https://www.strongswan.org/blog/2018/05/28/strongswan-vulnerability-(cve-2018-5388).html

strongSwan Vulnerability (CVE-2018-5388)

Posted on May 28, 2018 by tobias | Tags: security fix, 5.6.x, 5.5.x, 5.4.x, 5.3.x, 5.2.x, 5.1.x, 5.0.x, 4.x

A denial-of-service vulnerability in the stroke plugin was discovered in strongSwan. All versions are affected in certain configurations.

An independent researcher found a bug in the stroke plugin that may lead to a denial-of-service attack or even local code execution.
In the default configuration root privileges are required to trigger the vulnerability so this should generally not be an issue. However, all versions are potentially affected.

Insufficient Input Validation in stroke Plugin

The stroke plugin did not verify the message length read from its socket before allocating memory and reading the message. Unless a group is configured, root privileges are required to access that socket, so in the default configuration this is not an issue.

CVE-2018-5388 has been assigned for this vulnerability.

Messages sent via stroke are basically C structs. The first member is the two byte length of the complete message. So the stroke plugin first reads those two bytes, allocates memory, and then reads the rest of the message. Unfortunately, it did not enforce a minimum value for the read length, so it could be shorter than the stroke_msg_t struct. This may result in a crash when the plugin tries to access struct members that point to memory that's not actually part of the allocated buffer.

Before 5.1.0, MSG_PEEK was used to peek the message length and the complete message was read later. With 5.1.0 this was changed and since then there is additionally an integer underflow if the supplied message length is 0 or 1 (the 2 bytes already read are subtracted from the read message length) resulting in a huge length passed to recv() (the length is passed as size_t).
This is technically a heap buffer overflow (the allocated buffer has a size of 1 or 2 bytes, the data is written after it) so the possibility of local code execution with the goal of privilege escalation can't be ruled out.

Mitigation

It's important to note that writing data to the stroke plugin's socket requires root privileges in the default configuration.

Only if a group is configured are users who are a member of that group then able to write data to the socket and crash the daemon via this vulnerability (however, they could also just terminate all SAs in a loop to achieve a DoS).

The just released strongSwan 5.6.3 fixes this vulnerability. For older releases we provide patches that fix the vulnerability in the respective versions and should apply with appropriate hunk offsets (please note that patches for versions < 4.4.0 are not provided).
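The length-prefix handling the quoted advisory describes, modelled in C as an added example (this is not code from strongSwan, from the patches, or from this bug report). It assumes a cut-down stand-in struct `demo_msg_t` for `stroke_msg_t`, a constructed upper bound `MAX_MSG_LEN`, and host byte order for the prefix (the stroke socket is local). `remaining_unchecked` reproduces the unbounded subtraction that wraps for a claimed length of 0 or 1; `validate_length` and `read_message` show the check a reader would want in front of the allocation: reject anything shorter than the struct, longer than the bound, or longer than the bytes actually available, before any memory is allocated or dereferenced. `check_sample` is a constructed driver that feeds synthetic prefixes through the hardened path.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for stroke_msg_t (assumption: the real struct is much larger,
 * but like the real one it starts with a 2-byte total length and has
 * further members that are dereferenced after the message is read). */
typedef struct {
    uint16_t length;   /* total message length, this field included */
    uint16_t type;
    uint32_t flags;
} demo_msg_t;

/* Upper bound on a single message; a constructed value for this example. */
#define MAX_MSG_LEN 4096

typedef enum {
    MSG_OK = 0,
    MSG_ERR_TOO_SHORT,  /* shorter than the struct: member access would run past the buffer */
    MSG_ERR_TOO_LONG,   /* larger than we are willing to allocate */
    MSG_ERR_TRUNCATED   /* the peer sent fewer bytes than the prefix claims */
} msg_status_t;

/* The unchecked arithmetic the advisory describes: the 2 bytes already read
 * are subtracted from the claimed length with no lower bound. For a claimed
 * length of 0 or 1 this wraps to an enormous size_t, which is the kind of
 * value that reached recv() in the vulnerable versions. */
size_t remaining_unchecked(uint16_t claimed_len) {
    return (size_t)claimed_len - sizeof(uint16_t);
}

/* Hardened prefix check: reject the message before any allocation or
 * further read if it is shorter than the struct, over the bound, or
 * longer than the bytes the peer actually sent. */
msg_status_t validate_length(const uint8_t *wire, size_t available, uint16_t *out_len) {
    uint16_t claimed_len;
    if (available < sizeof(claimed_len))
        return MSG_ERR_TRUNCATED;
    memcpy(&claimed_len, wire, sizeof(claimed_len));  /* host byte order: local socket */
    if (claimed_len < sizeof(demo_msg_t))
        return MSG_ERR_TOO_SHORT;
    if (claimed_len > MAX_MSG_LEN)
        return MSG_ERR_TOO_LONG;
    if (claimed_len > available)
        return MSG_ERR_TRUNCATED;
    *out_len = claimed_len;
    return MSG_OK;
}

/* Allocate and copy the message only after the prefix has been validated,
 * so every member of the returned struct lies inside the allocation. */
demo_msg_t *read_message(const uint8_t *wire, size_t available, msg_status_t *status) {
    uint16_t len;
    *status = validate_length(wire, available, &len);
    if (*status != MSG_OK)
        return NULL;
    demo_msg_t *msg = calloc(1, len);
    if (msg == NULL) {
        *status = MSG_ERR_TOO_LONG;   /* treat allocation failure like an oversized message */
        return NULL;
    }
    memcpy(msg, wire, len);
    return msg;
}

/* Constructed driver: build a buffer of actual_len bytes whose first bytes
 * carry claimed_len in host order, then run it through read_message. */
msg_status_t check_sample(uint16_t claimed_len, size_t actual_len) {
    uint8_t buf[MAX_MSG_LEN];
    size_t prefix = sizeof(claimed_len);
    msg_status_t status;
    if (actual_len > sizeof(buf))
        actual_len = sizeof(buf);
    memset(buf, 0, sizeof(buf));
    memcpy(buf, &claimed_len, actual_len < prefix ? actual_len : prefix);
    demo_msg_t *msg = read_message(buf, actual_len, &status);
    free(msg);   /* free(NULL) is a no-op */
    return status;
}

int main(void) {
    printf("unchecked remaining for claimed length 0: %zu bytes\n", remaining_unchecked(0));
    printf("claimed 0 of 2 sent    -> status %d\n", check_sample(0, 2));
    printf("claimed 4 of 4 sent    -> status %d\n", check_sample(4, 4));
    printf("claimed 8 of 8 sent    -> status %d\n", check_sample(8, 8));
    printf("claimed 8 of 4 sent    -> status %d\n", check_sample(8, 4));
    printf("claimed 5000 of 8 sent -> status %d\n", check_sample(5000, 8));
    return 0;
}
```

The order of the checks matters: the minimum-size comparison comes first, so a claimed length of 0 or 1 is rejected before any subtraction takes place, which removes the wrap-around the advisory describes, while the comparison against the bytes actually available prevents a short write from being reported as a full message.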
Comment 8 Marcus Meissner 2020-03-26 14:39:59 UTC
SLE15 has now 5.8, so no longer affected.
Comment 9 Gianluca Gabrielli 2021-10-14 08:39:55 UTC
Hi Manuel, there are missing submissions for:

 - SUSE:SLE-11:Update/openswan
 - SUSE:SLE-11-SP1:Update/strongswan
 - SUSE:SLE-12:Update/strongswan

Can you please submit them?
Comment 10 Gabriele Sonnu 2022-04-12 12:16:33 UTC
Done.