Openswan IKE Processing Lets Remote Users Deny Service
SecurityTracker Alert ID: 1015214
SecurityTracker URL: http://securitytracker.com/id?1015214
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 15 2005
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.x, prior to 2.4.2
Description: A vulnerability was reported in Openswan in the processing of IKE packets. A remote user can cause denial of service conditions.
Two separate vulnerabilities exist. One vulnerability allows a remote user to send a specially crafted packet using 3DES with an invalid key length to cause the service to crash. The other vulnerability was not disclosed.
The University of Oulu Secure Programming Group (OUSPG) discovered these vulnerabilities.
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fixed version (2.4.2) to correct one of the vulnerabilities, available at:
http://www.openswan.com/download/
Vendor URL: www.openswan.org/
Cause: Exception handling error
Underlying OS: Linux (Any), UNIX (Any)
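Added example (not Openswan code and not the vendor's fix): a receiver-side check for the input class named in the description, 3DES offered together with a key length, plus the bounds checks an attribute parser needs. It assumes the IKEv1 data-attribute encoding and attribute numbers from RFC 2408/2409; the function name and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* IKEv1 phase 1 attribute numbers (RFC 2409, Appendix A). */
#define ATTR_ENCRYPTION_ALGORITHM 1
#define ATTR_KEY_LENGTH           14
#define ENC_3DES_CBC              5
enum { ATTRS_OK = 0, ATTRS_MALFORMED = -1, ATTRS_BAD_KEYLEN = -2 };

/* Hypothetical helper: walk the data attributes of one transform payload.
 * Rejects truncated or overlong attributes, and a Key Length attribute
 * offered together with 3DES, whose key size is fixed. */
int check_transform_attrs(const uint8_t *buf, size_t len)
{
    int enc = -1, have_keylen = 0;
    size_t off = 0;
    while (off < len) {
        if (len - off < 4)
            return ATTRS_MALFORMED;            /* truncated attribute header */
        unsigned type = ((unsigned)buf[off] << 8) | buf[off + 1];
        unsigned val  = ((unsigned)buf[off + 2] << 8) | buf[off + 3];
        off += 4;
        if (type & 0x8000u) {                  /* AF=1: val is the value itself */
            type &= 0x7fffu;
            if (type == ATTR_ENCRYPTION_ALGORITHM) enc = (int)val;
            else if (type == ATTR_KEY_LENGTH) have_keylen = 1;
        } else {                               /* AF=0: val is the data length */
            /* Length must fit the buffer; basic attributes must be short form. */
            if (val > len - off || type == ATTR_ENCRYPTION_ALGORITHM ||
                type == ATTR_KEY_LENGTH)
                return ATTRS_MALFORMED;
            off += val;
        }
    }
    return (enc == ENC_3DES_CBC && have_keylen) ? ATTRS_BAD_KEYLEN : ATTRS_OK;
}

/* Constructed attribute bytes, not captured traffic. */
static const uint8_t aes_128[]     = {0x80,0x01,0x00,0x07, 0x80,0x0e,0x00,0x80};
static const uint8_t tdes_plain[]  = {0x80,0x01,0x00,0x05, 0x80,0x02,0x00,0x02};
static const uint8_t tdes_keylen[] = {0x80,0x01,0x00,0x05, 0x80,0x0e,0x00,0x01};
static const uint8_t overrun[]     = {0x00,0x0c,0x00,0x10, 0x00};
int main(void)
{
    printf("%d %d %d %d\n", check_transform_attrs(aes_128, sizeof aes_128),
           check_transform_attrs(tdes_plain, sizeof tdes_plain),
           check_transform_attrs(tdes_keylen, sizeof tdes_keylen),
           check_transform_attrs(overrun, sizeof overrun));
    return 0;
}
```

A proposal that fails this check is refused with an error return before any key material is sized or derived from the attribute values.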
Message History:
None.
Source Message Contents
Date: Tue, 15 Nov 2005 09:28:39 -0500
Subject: Openswan-2 is vulnerable to a Denial of Service attack as reported by NISCC Vulnerability Advisory 273756/NISCC/ISAKMP
http://www.openswan.com/niscc2/