Bug 634264 (CVE-2010-3302)
| Field | Value |
|---|---|
| Summary | CVE-2010-3302 openswan: buffer overflow vulnerability in XAUTH client-side support |
| Product | [Other] Security Response |
| Reporter | Vincent Danen <vdanen> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | avagarwa, bressers, jlieskov, pwouters, rcvalle, security-response-team, sgrubb |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2010-11-16 20:02:21 UTC |
| Bug Depends On | 635058, 635060, 637925 |
Description
Vincent Danen, 2010-09-15 17:00:00 UTC
Please use CVE-2010-3302 for these flaws. The code in question doesn't exist in the versions of openswan shipped in RHEL5 and below.

From looking over the pluto source, this flaw happens during the processing of the R1 message from the server. This is indeed a client issue, not a server flaw. The initial XAUTH bits are out of the way, so we're probably talking about a compromised server. An attacker trying to MITM a client would need the shared secret key for this to work, which presents various other problems in itself. Without some other form of attack happening first, this flaw is harmless by itself. The first flaw appears to be a heap overflow. The second flaw overflows the stack, but as stack variable use is quite generous in this function, we should presume a clever attacker could leverage one of the other variables to accomplish the goal of arbitrary code execution.

Yes, upstream agrees this is a client side issue. Their concern is a compromised VPN server could be used to get into the client machine where passwords and confidential documents may be stored. Meaning an attack vector to get into other machines once inside the network.

Hello, I am adding an update specifically for RHEL6. The reason is that the upstream patch can not be applied directly to the RHEL6 code, and needed some modifications, as the openswan code in RHEL6 is based on an older version (+ Red Hat patches) than the latest upstream openswan code. In addition, I have done a few corrections in the upstream patch, and informed upstream about it. So you can notice the following differences between the upstream patch and the RHEL6 patch:

1. Cisco related variables only need to be put inside #ifdef XAUTH, but in the kernel.c file they have been put incorrectly under both XAUTH and MODECFG. So this is one correction.
2. Changes related to XAUTH_PAM are not needed for this CVE, which are there in the upstream patch.
3. Some changes due to the differences between the RHEL6 code and the upstream code.

The patch is attached, and has been tested.

Thanks and Regards
Avesh

Created attachment 448065: patch for cve-2010-3302

Created attachment 448494: The final patch used for the CVE release

Oh oops. I just see Avesh attached the patch already.

Created openswan tracking bugs for this issue. Affects: fedora-all [bug 637925]

Can't this bug be closed?

We want to keep it open for now. There's one more product left to fix, that can not be addressed immediately. Thank you.

This issue has been addressed in the following products: Red Hat Enterprise Linux 6. Via RHSA-2010:0892 https://rhn.redhat.com/errata/RHSA-2010-0892.html