SecurityTracker.com
Category:   Application (Security)  >   strongSwan
Vendors:   strongswan.org
strongSwan X.509 RDN and Time String Processing Bugs Let Remote Users Deny Service
SecurityTracker Alert ID:  1022428
SecurityTracker URL:  http://securitytracker.com/id/1022428
CVE Reference:   CVE-2009-2185
Updated:  Jun 26 2009
Original Entry Date:  Jun 22 2009
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.2.0 - 2.8.9, 4.3.0 - 4.3.1, 4.0.0 - 4.2.15
Description:   Two vulnerabilities were reported in strongSwan. A remote user can cause denial of service conditions.

A remote user can send specially crafted X.509 certificate Relative Distinguished Name (RDN) data to cause the target pluto IKE daemon to crash and restart.

A remote user can send specially crafted X.509 certificate ASN.1 UTCTIME and GENERALIZEDTIME time strings to cause the target pluto IKE daemon to crash and restart.

Orange Labs vulnerability research team reported these vulnerabilities.

Impact:   A remote user can cause the target pluto IKE daemon to crash and restart.
Solution:   The vendor has issued patches, available at:

http://download.strongswan.org/patches/05_asn1_rdn_patch/
http://download.strongswan.org/patches/06_asn1_time_patch/

Vendor URL:  www.strongswan.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 26 2009 (Openswan Issues Fix) strongSwan X.509 RDN and Time String Processing Bugs Let Remote Users Deny Service
Openswan has issued a fix.
Jul 2 2009 (Red Hat Issues Fix) strongSwan X.509 RDN and Time String Processing Bugs Let Remote Users Deny Service
Red Hat has released a fix for Red Hat Enterprise Linux 5.



Copyright 2020, SecurityGlobal.net LLC