Bug 1222815 (CVE-2015-3991)

Summary: CVE-2015-3991 strongswan: incorrect payload processing for different IKE versions
Product: [Other] Security Response
Component: vulnerability
Reporter: Martin Prpič <mprpic>
Assignee: Red Hat Product Security <security-response-team>
CC: jrusnack, psimerda, pwouters, security-response-team, thozza
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: strongswan 5.3.1
Doc Type: Bug Fix
Last Closed: 2015-06-05 20:22:27 UTC
Bug Depends On: 1228819, 1228820, 1228821
Attachments: strongswan-5.2.2-5.3.0_unknown_payload.patch (flags: none)

Description Martin Prpič 2015-05-19 08:49:54 UTC
A flaw was found in the strongSwan payload handling code. This flaw can be triggered by an IKEv1 or IKEv2 message that contains payloads that are only defined for the respective other IKE version. For instance, sending an IKEv1 Main Mode message containing a payload with type 41 (IKEv2 Notify) will crash the daemon or potentially allow for remote code execution when a short summary of the contents of the message is logged ("parsed ID_PROT request 0 [ ... ]").
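
As an added illustration, not strongSwan's code and not the attached patch, the Python script below builds the kind of message the report describes (an IKEv1 Main Mode, ID_PROT, message whose only payload is an IKEv2 Notify, type 41), parses the ISAKMP header and generic payload chain, and applies the check a parser needs before it names payloads in a log summary: every payload type is validated against the table for the message's own IKE major version, and anything outside that table is reported by number rather than looked up. It covers both directions mentioned in the description (an IKEv2 message carrying an IKEv1-only payload is flagged the same way). The payload-type tables, exchange-type constants, SPI values and payload bodies are constructed for the example from the IKE RFCs (RFC 2408/3947 for IKEv1, RFC 7296 for IKEv2) and are deliberately only a subset; none of it is taken from the strongSwan sources.

```python
import struct

# Wire formats (constructed here, per RFC 2408 / RFC 7296):
# ISAKMP header: SPIi(8) SPIr(8) next payload(1) version(1) exchange type(1) flags(1) message ID(4) length(4)
ISAKMP_HDR = struct.Struct(">8s8sBBBBII")
# Generic payload header: next payload(1) reserved/critical(1) payload length(2, includes this header)
PAYLOAD_HDR = struct.Struct(">BBH")

# Illustrative payload-type tables, one per IKE major version (subset; not strongSwan's tables).
IKEV1_PAYLOADS = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH",
                  9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "V", 14: "CP", 20: "NAT-D", 21: "NAT-OA"}
IKEV2_PAYLOADS = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
                  40: "Ni/Nr", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}
PAYLOADS_BY_MAJOR = {1: IKEV1_PAYLOADS, 2: IKEV2_PAYLOADS}

ID_PROT = 2        # IKEv1 exchange type: Identity Protection (Main Mode)
IKE_SA_INIT = 34   # IKEv2 exchange type: initial exchange


def build_message(major, exchange, payloads, spi_i=b"\x11" * 8, spi_r=b"\x00" * 8):
    """Serialise an IKE message from a list of (payload type, body) tuples (constructed input)."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0   # 0 = no next payload
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    version = (major << 4) | 0   # major in the high nibble, minor 0
    hdr = ISAKMP_HDR.pack(spi_i, spi_r, first, version, exchange, 0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


def parse_message(data):
    """Return (major, exchange, [(type, body), ...]); raise ValueError on inconsistent lengths."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    _spi_i, _spi_r, nxt, version, exch, _flags, _msgid, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("header length %d != %d bytes received" % (length, len(data)))
    payloads = []
    off = ISAKMP_HDR.size
    while nxt != 0:
        if off + PAYLOAD_HDR.size > len(data):
            raise ValueError("truncated payload header at offset %d" % off)
        following, _reserved, plen = PAYLOAD_HDR.unpack_from(data, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append((nxt, data[off + PAYLOAD_HDR.size:off + plen]))
        off += plen
        nxt = following
    return version >> 4, exch, payloads


def cross_version_payloads(data):
    """Payload types carried by the message that are not defined for its own IKE major version."""
    major, _exch, payloads = parse_message(data)
    allowed = PAYLOADS_BY_MAJOR.get(major, {})
    return [ptype for ptype, _ in payloads if ptype not in allowed]


def summarize(data):
    """Log-style one-line summary. A type unknown for this version is printed as '?<n>', never
    resolved through the other version's table, so the summary itself cannot trip over it."""
    major, exch, payloads = parse_message(data)
    names = PAYLOADS_BY_MAJOR.get(major, {})
    return "IKEv%d exchange %d [ %s ]" % (major, exch, " ".join(names.get(t, "?%d" % t) for t, _ in payloads))


if __name__ == "__main__":
    # Constructed: IKEv1 Main Mode message whose only payload is an IKEv2 Notify (type 41).
    bad_v1 = build_message(1, ID_PROT, [(41, b"\x01\x00\x00\x0e")])
    # Constructed: a well-formed IKEv1 Main Mode message (SA + Vendor ID payloads).
    good_v1 = build_message(1, ID_PROT, [(1, b"\x00" * 8), (13, b"vendor")])
    # Constructed: the reverse case, IKEv2 IKE_SA_INIT carrying an IKEv1 HASH payload (type 8).
    bad_v2 = build_message(2, IKE_SA_INIT, [(33, b"\x00"), (8, b"\x00" * 16)])
    for msg in (bad_v1, good_v1, bad_v2):
        print(summarize(msg), "-> rejected types:", cross_version_payloads(msg))
```

A real implementation would drop the message (or answer with the version-appropriate error notification) as soon as `cross_version_payloads` is non-empty, before any code path that formats or dispatches on the payload type runs.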

Comment 1 Martin Prpič 2015-05-19 08:52:12 UTC
Created attachment 1027039 [details]
strongswan-5.2.2-5.3.0_unknown_payload.patch

Comment 3 Kurt Seifried 2015-06-05 20:21:50 UTC
Created strongswan tracking bugs for this issue:

Affects: fedora-all [bug 1228819]
Affects: epel-6 [bug 1228820]
Affects: epel-7 [bug 1228821]

Comment 4 Kurt Seifried 2015-06-05 20:22:27 UTC
Closing as this doesn't affect RHEL.