SecurityTracker.com
Category:   Application (VPN)  >   strongSwan Vendors:   strongswan.org
strongSwan ISAKMP R_U_THERE/R_U_THERE_ACK Null Pointer Dereference Lets Remote Users Deny Service
SecurityTracker Alert ID:  1021950
SecurityTracker URL:  http://securitytracker.com/id/1021950
CVE Reference:   CVE-2009-0790
Date:  Mar 30 2009
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.2.13 and prior
Description:   A vulnerability was reported in strongSwan. A remote user can cause denial of service conditions.

A remote user can send a specially crafted ISAKMP R_U_THERE or R_U_THERE_ACK Dead Peer Detection packet to trigger a null pointer dereference and cause the target IKE daemon to crash and restart a few seconds later.

The vulnerability resides in the Dead Peer Detection (RFC-3706) code.

Gerd v. Egidy reported this vulnerability.

Impact:   A remote user can cause the target IKE service to crash and reload.
Solution:   The vendor has issued a fix (2.8.9, 4.2.14).
Vendor URL:  www.strongswan.org/
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  CVE-2009-0790: ISAKMP DPD Remote Vulnerability with Openswan &

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

==========================================================================
Openswan & Strongswan Security Notification  March 30, 2009
Remote DoS Vulnerability in Openswan & Strongswan IPsec
CVE-2009-0790
==========================================================================
A vulnerability in the Dead Peer Detection (RFC-3706) code was found by
Gerd v. Egidy <gerd.von.egidy@intra2net.com> of Intra2net AG affecting
all Openswan and all Strongswan releases.

A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK Dead Peer
Detection packet can cause the pluto IKE daemon to crash and restart. No
authentication or encryption is required to trigger this bug. One spoofed
UDP packet can cause the pluto IKE daemon to restart and be unresponsive
for a few seconds while restarting.

A patch was created by Paul Wouters <paul@xelerance.com> for Openswan and
Strongswan.

This bug affects the following software releases:

Current branches:

Openswan-2.6.20 and earlier
Strongswan-4.2.13 and earlier

Maintenance mode branches:

Openswan-2.4.13 and earlier
Strongswan-2.8.8 and earlier

End of Life branches:

Superfreeswan-1.9x
Openswan-1.x
Openswan-2.0.x - 2.3.1
Openswan-2.5.x

Everyone is strongly encouraged to upgrade to these minimum versions:

openswan-2.6.21
strongswan-4.2.14

openswan-2.4.14
strongswan-2.8.9

If you cannot upgrade to a new version, please apply the appropriate
patch as listed at http://www.openswan.org/CVE-2009-0790/

Dead Peer Detection is an IPsec IKE Notification message. It uses
an ICOOKIE/RCOOKIE mechanism to match an incoming packet to a known
Security Association (ISAKMP). Unlike most Notification messages, DPD
notifications have no phase2 state association.  Incorrect handling of
this exception can cause a NULL pointer dereference on a non-existing
state object 'st'. This bug is triggered in the case where one end has
expired an ISAKMP state, but the other end still uses the old state
to send a DPD Notification.

Since this state-lookup is performed before any encryption or
decryption takes place, as we need to find the proper ISAKMP to locate
the cryptographic key material used for decryption, this bug can be
triggered without going through a phase1 (ISAKMP) negotiation.

When such a packet is received, the pluto daemon crashes and restarts.

Locations for downloading patches and source code:
http://www.openswan.org/               http://www.strongswan.org/
ftp://ftp.openswan.org/openswan/       http://download1.strongswan.org/
ftp://ftp.openswan.fi/pub/openswan/    http://download2.strongswan.org/

Paul Wouters <paul@xelerance.com>
GPG key: 0xB5CC27E1
==========================================================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEVAwUBSdDsnecYBqa1zCfhAQIgkQf9GGalx45xj5xmdXlSB/BZgRXhQW4fNWHp
ZLLt5c40hOSvcmNfgYoIEz/QKpZPjfldvJ+c/08bAyAEQiHmmKkK+cFTlH1LtpDg
1f70lLrsziQ/eK1sQ9EYlFG4gbRfzjl1XZnnijAYvCAS1W12VSIU9gKN0YnHSCjH
ndiGTxtYPEYhzm7QzraYPB28BqBqvdQcMMwbfTThjYHMowzt6fMzFEteCTqJ5YAT
WgNbbbxBz1gNGssoiN4bv0YxaT+701OfKCdgJKKXs61We3twEQ2XKCi6l5Xw/lJe
mrbVHYgUGy/ef70sN03O/vN5o+2If1n0Pib6usdeEcVA0L9RQOIW5A==
=NxrM
-----END PGP SIGNATURE-----
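The notification above describes the failure mode in prose: the DPD notify is matched to an ISAKMP state by its cookie pair before any decryption, and when no live state exists the handler dereferences a NULL state object. The following C model is an added example written for this page; it is not pluto's code from Openswan or strongSwan, and the names (isakmp_state, find_state_by_cookies, handle_dpd_notify, expire_state) and the table layout are assumed for illustration. It shows the cookie-pair lookup returning NULL once one end has expired the SA, and the NULL check that turns that case into a dropped packet rather than a crash.

```c
/* Added example (not pluto's code): a minimal model of the ISAKMP state
 * lookup that precedes DPD notify handling, and the NULL check the patched
 * daemons apply. All names here are assumed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

#define COOKIE_LEN 8
#define MAX_STATES 4

/* DPD notify types from RFC 3706, section 5.2. */
#define ISAKMP_N_R_U_THERE      36136
#define ISAKMP_N_R_U_THERE_ACK  36137

typedef struct {
    uint8_t  icookie[COOKIE_LEN];
    uint8_t  rcookie[COOKIE_LEN];
    bool     active;      /* false once this end has expired the ISAKMP SA */
    uint32_t dpd_seqno;   /* last DPD sequence number accepted */
} isakmp_state;

static isakmp_state state_table[MAX_STATES];
static int state_count = 0;

typedef enum {
    DPD_OK = 0,           /* notify matched a live ISAKMP SA and was processed */
    DPD_DROP_NO_STATE,    /* cookies match no live state: dropped before decrypt */
    DPD_DROP_BAD_TYPE     /* not a DPD notify type */
} dpd_result;

/* Register a live ISAKMP SA keyed by its cookie pair. */
bool add_state(const uint8_t *icookie, const uint8_t *rcookie) {
    if (state_count >= MAX_STATES) return false;
    isakmp_state *st = &state_table[state_count++];
    memcpy(st->icookie, icookie, COOKIE_LEN);
    memcpy(st->rcookie, rcookie, COOKIE_LEN);
    st->active = true;
    st->dpd_seqno = 0;
    return true;
}

/* Cookie-pair lookup; runs before any decryption, so it sees unauthenticated
 * packets. Returns NULL when no live state matches. */
isakmp_state *find_state_by_cookies(const uint8_t *icookie, const uint8_t *rcookie) {
    for (int i = 0; i < state_count; i++) {
        isakmp_state *st = &state_table[i];
        if (st->active &&
            memcmp(st->icookie, icookie, COOKIE_LEN) == 0 &&
            memcmp(st->rcookie, rcookie, COOKIE_LEN) == 0)
            return st;
    }
    return NULL;
}

/* Model of one end expiring its ISAKMP SA while the peer keeps the cookies. */
void expire_state(const uint8_t *icookie, const uint8_t *rcookie) {
    isakmp_state *st = find_state_by_cookies(icookie, rcookie);
    if (st != NULL) st->active = false;
}

/* Handle an incoming DPD notify. The unpatched path touched the state object
 * without checking the lookup result; the NULL check is the fix shown here. */
dpd_result handle_dpd_notify(const uint8_t *icookie, const uint8_t *rcookie,
                             uint16_t notify_type, uint32_t seqno) {
    if (notify_type != ISAKMP_N_R_U_THERE && notify_type != ISAKMP_N_R_U_THERE_ACK)
        return DPD_DROP_BAD_TYPE;

    isakmp_state *st = find_state_by_cookies(icookie, rcookie);
    if (st == NULL) {
        /* No live ISAKMP SA for this cookie pair: drop the packet silently
         * (a log line at most) instead of dereferencing st. */
        return DPD_DROP_NO_STATE;
    }
    st->dpd_seqno = seqno;   /* only reached once st is known to be non-NULL */
    return DPD_OK;
}

int main(void) {
    /* Constructed sample cookie pair, not taken from any real exchange. */
    uint8_t ic[COOKIE_LEN] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88};
    uint8_t rc[COOKIE_LEN] = {0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x01,0x02};
    add_state(ic, rc);
    printf("live SA:    %d\n", handle_dpd_notify(ic, rc, ISAKMP_N_R_U_THERE, 1));
    expire_state(ic, rc);   /* this end expires; peer still sends with old cookies */
    printf("expired SA: %d\n", handle_dpd_notify(ic, rc, ISAKMP_N_R_U_THERE_ACK, 2));
    return 0;
}
```

The second call in main is the scenario the advisory describes: the cookie pair still looks valid to the peer, but the lookup on this end finds nothing, and the result is a dropped packet rather than a dereference of a NULL `st`. The same reasoning applies to a spoofed packet carrying cookies that never matched a state at all.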

 
 


Copyright 2018, SecurityGlobal.net LLC