strongSwan gmp Plugin Signature Verification Flaw Lets Remote Users Authenticate As Arbitrary Users
SecurityTracker Alert ID: 1027110
SecurityTracker URL: http://securitytracker.com/id/1027110
CVE Reference:
CVE-2012-2388
Date: May 31 2012
Impact:
Host/resource access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 4.2.0 - 4.6.3
Description:
A vulnerability was reported in strongSwan. A remote user can authenticate as an arbitrary user.
When the gmp plugin is used for RSA signature verification, a remote user can supply an empty or zeroed signature to authenticate as an arbitrary user.
Both IKEv1 and IKEv2 authentication are affected.
The Codenomicon CROSS project reported this vulnerability via CERT-FI.
Impact:
A remote user can authenticate as an arbitrary user.
Solution:
The vendor has issued a fix (4.6.4).
The vendor's advisory is available at:
http://www.strongswan.org/blog/2012/05/31/strongswan-4.6.4-released-%28cve-2012-2388%29.html
Vendor URL: www.strongswan.org/blog/2012/05/31/strongswan-4.6.4-released-%28cve-2012-2388%29.html
Cause:
Authentication error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
None.
Source Message Contents
Date: Thu, 31 May 2012 20:30:29 +0000
Subject: strongSwan
CVE-2012-2388
http://www.strongswan.org/blog/2012/05/31/strongswan-4.6.4-released-%28cve-2012-2388%29.html