Bug 876449 - (CVE-2014-2891) VUL-0: CVE-2014-2891: strongswan DoS
Status: VERIFIED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/98573/
maint:released:sle11-sp1:57389 maint:...
Reported: 2014-05-06 07:17 UTC by Sebastian Krahmer
Modified: 2015-07-10 17:08 UTC (History)

Found By: Security Response Team

Attachments
strongswan-4.3.3-5.1.1_asn1_unwrap.patch (847 bytes, patch)
2014-05-14 06:59 UTC, Marius Tomaschewski

Comment 1 Swamp Workflow Management 2014-05-06 22:00:20 UTC
bugbot adjusting priority
Comment 3 Marius Tomaschewski 2014-05-14 06:59:28 UTC
Created attachment 589832 [details]
strongswan-4.3.3-5.1.1_asn1_unwrap.patch

Based on a crash report from one of our users we found that strongSwan
versions before 5.1.2 are susceptible to a DoS vulnerability.  Affected
are strongSwan versions 4.3.3 and newer, up to 5.1.1.

CVE-2014-2891 has been assigned for this vulnerability.

The bug can be triggered by a crafted ID_DER_ASN1_DN ID payload and is
caused by a NULL-pointer dereference when such identities are parsed.
If the data of the ID payload is exactly two bytes long and the second
byte ranges between 0x81 and 0x84 (or 0x88 depending on sizeof(size_t))
logging or comparing the identity will crash the IKE daemon.

This issue was fixed with 5.1.2 [1] but it went unnoticed that it can be
exploited remotely in older releases.

Remote code execution is not possible due to this vulnerability.

The attached patch fixes the vulnerability in all affected strongSwan
versions and should apply with appropriate hunk offsets.

Please prepare updated releases and patch your installations, but do not
yet publicly disclose any information about this vulnerability.  We want
to give you as a partner enough time to prepare new releases and will
publicly disclose the vulnerability on May 5th, 12:00 noon UTC.

Our apologies for the inconvenience.

Kind Regards
Tobias Brunner
strongSwan Developer

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=7817d88e1

The attached patch is available at:
http://download.strongswan.org/patches/16_asn1_unwrap_patch/
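
The parsing condition described in comment 3, shown as an added example that is not part of the bug report and is not strongSwan's code or the attached patch: a bounds-checked ASN.1 header parser in C that rejects a two-byte input whose second byte announces long-form length octets that are not present. The names `tlv_t` and `tlv_unwrap` are hypothetical, and the byte arrays are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for illustration; not strongSwan API. */
typedef struct {
    uint8_t type;          /* tag octet */
    const uint8_t *value;  /* start of content, points into the input buffer */
    size_t len;            /* content length in bytes */
} tlv_t;

/* Parse one ASN.1 TLV header, bounds-checking every read.
 * Accepts any definite-length BER encoding (DER minimality is not enforced).
 * Returns 0 and fills *out on success, -1 on malformed or truncated input. */
int tlv_unwrap(const uint8_t *buf, size_t buflen, tlv_t *out)
{
    if (buf == NULL || out == NULL || buflen < 2)
        return -1;
    size_t pos = 2, len = buf[1];
    if (len & 0x80) {                     /* long form: low 7 bits = octet count */
        size_t n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t)) /* indefinite form or too wide to hold */
            return -1;
        if (n > buflen - pos)             /* announced length octets are missing */
            return -1;
        for (len = 0; n > 0; n--)
            len = (len << 8) | buf[pos++];
    }
    if (len > buflen - pos)               /* content would run past the buffer */
        return -1;
    out->type = buf[0];
    out->value = buf + pos;
    out->len = len;
    return 0;
}

int main(void)
{
    /* Constructed samples: truncated long-form header, then a complete one. */
    const uint8_t truncated[] = { 0x30, 0x81 };
    const uint8_t complete[] = { 0x30, 0x81, 0x03, 0x0c, 0x01, 0x41 };
    tlv_t tlv;
    printf("truncated: %d\n", tlv_unwrap(truncated, sizeof truncated, &tlv));
    printf("complete:  %d\n", tlv_unwrap(complete, sizeof complete, &tlv));
    return 0;
}
```
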
Comment 7 Bernhard Wiedemann 2014-05-14 08:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (876449) was mentioned in
https://build.opensuse.org/request/show/233820 12.3 / strongswan
https://build.opensuse.org/request/show/233823 13.1 / strongswan
Comment 8 Swamp Workflow Management 2014-05-14 08:18:35 UTC
The SWAMPID for this issue is 57388.
This issue was rated as moderate.
Please submit fixed packages until 2014-05-28.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 9 Ruediger Oertel 2014-05-21 11:16:52 UTC
the SLE-10-SP4 version has been submitted but there is a patchinfo waiting for the SP3 package ...
Comment 10 Swamp Workflow Management 2014-05-22 10:04:33 UTC
openSUSE-SU-2014:0697-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 870572,876449
CVE References: CVE-2014-2338,CVE-2014-2891
Sources used:
openSUSE 13.1 (src):    strongswan-5.1.1-4.1
openSUSE 12.3 (src):    strongswan-5.0.1-4.16.1
Comment 13 Swamp Workflow Management 2014-06-13 09:04:23 UTC
Update released for: strongswan, strongswan-debuginfo, strongswan-debugsource, strongswan-doc
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 14 Swamp Workflow Management 2014-06-13 13:51:46 UTC
Update released for: strongswan, strongswan-debuginfo, strongswan-debugsource, strongswan-doc
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 15 Swamp Workflow Management 2014-06-13 17:04:25 UTC
SUSE-SU-2014:0793-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 876449
CVE References: CVE-2014-2891
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    strongswan-4.4.0-6.25.1
SUSE Linux Enterprise Server 11 SP3 (src):    strongswan-4.4.0-6.25.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    strongswan-4.4.0-6.25.1
Comment 16 Johannes Segitz 2014-06-16 07:57:18 UTC
all relevant packages were fixed
Comment 18 Swamp Workflow Management 2015-07-10 17:08:48 UTC
SUSE-SU-2015:1228-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 876449,933591
CVE References: CVE-2014-2891,CVE-2015-4171
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    strongswan-4.4.0-6.19.1