Bug 1081760 (CVE-2014-2338)

Summary: CVE-2014-2338 strongswan: authentication bypass flaw in IKEv2
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: psimerda, pwouters, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: strongswan 5.1.3
Doc Type: Bug Fix
Last Closed: 2015-09-05 19:00:46 UTC
Bug Depends On: 1087859, 1087860
Bug Blocks: 1081761
Attachments: upstream patch for 5.x (flags: none)

Description Vincent Danen 2014-03-27 22:09:31 UTC
An authentication bypass vulnerability was found in the strongSwan IKEv2 code.  This flaw can be triggered by rekeying an unestablished IKE_SA while it is being actively initiated.  This would allow an attacker to trick a peer's IKE_SA state to established, without having to provide any valid authentication credentials.  While this flaw allows for the bypass of authentication, it does not allow for remote code execution.

Only installations that actively initiate or re-authenticate IKEv2 IKE_SAs are affected; IKEv1 in charon or pluto is not affected.


Acknowledgements:

Red Hat would like to thank the strongSwan project for reporting this issue.

Comment 1 Vincent Danen 2014-03-27 22:18:38 UTC
Created attachment 879664
upstream patch for 5.x

Comment 2 Paul Wouters 2014-03-28 02:49:55 UTC
libreswan and openswan are not vulnerable to this.

openswan does not implement CREATE_CHILD_SA yet. Libreswan implements a stub that only provides an unconditional reject message.
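
A simplified model of the state check at issue in the description and in Comment 2, added here as an illustration; it is not strongSwan code or the attached upstream patch, and every type and function name is hypothetical. It assumes, per RFC 7296, that an IKE_SA rekey arrives as a CREATE_CHILD_SA request, and it contrasts a handler that accepts the rekey in any state with one that requires an established, authenticated SA.

```c
/* Simplified model, not strongSwan code: all names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

typedef enum { SA_CONNECTING, SA_ESTABLISHED } sa_state_t;

typedef struct {
    sa_state_t state;          /* SA_CONNECTING while we are still initiating */
    bool peer_authenticated;   /* set only after IKE_AUTH verification */
} ike_sa_t;

/* Normal path: the peer's IKE_AUTH credentials were verified. */
void sa_auth_verified(ike_sa_t *sa)
{
    sa->peer_authenticated = true;
    sa->state = SA_ESTABLISHED;
}

/* Weak form: a CREATE_CHILD_SA rekey request is processed in any state,
 * and completing it leaves the SA marked established. */
bool rekey_request_weak(ike_sa_t *sa)
{
    sa->state = SA_ESTABLISHED;
    return true;
}

/* Checked form: a rekey is only valid on an SA that is already
 * established and whose peer has authenticated; otherwise reject it
 * and leave the state untouched. */
bool rekey_request_checked(ike_sa_t *sa)
{
    if (sa->state != SA_ESTABLISHED || !sa->peer_authenticated)
        return false;
    return true;
}

/* Invariant to test for: "established" implies "peer authenticated". */
bool sa_invariant_holds(const ike_sa_t *sa)
{
    return sa->state != SA_ESTABLISHED || sa->peer_authenticated;
}

int main(void)
{
    ike_sa_t a = { SA_CONNECTING, false }, b = a;  /* constructed sample SAs */
    rekey_request_weak(&a);
    rekey_request_checked(&b);
    printf("weak:    invariant %s\n", sa_invariant_holds(&a) ? "holds" : "broken");
    printf("checked: invariant %s\n", sa_invariant_holds(&b) ? "holds" : "broken");
    return 0;
}
```

The invariant function is the part worth carrying into a regression test: any message handler that can move an SA to the established state should be exercised against an SA that has not completed authentication.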

Comment 3 Martin Prpič 2014-04-15 13:13:58 UTC
Created strongswan tracking bugs for this issue:

Affects: fedora-all [bug 1087859]
Affects: epel-6 [bug 1087860]

Comment 5 Fedora Update System 2014-04-24 07:35:22 UTC
strongswan-5.1.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-04-30 20:46:22 UTC
strongswan-5.1.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.