Bug 1081760 (CVE-2014-2338) - CVE-2014-2338 strongswan: authentication bypass flaw in IKEv2
Summary: CVE-2014-2338 strongswan: authentication bypass flaw in IKEv2
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-2338
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1087859 1087860
Blocks: 1081761
Reported: 2014-03-27 22:09 UTC by Vincent Danen
Modified: 2023-05-12 03:04 UTC

Fixed In Version: strongswan 5.1.3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-05 19:00:46 UTC
Embargoed:


Attachments
upstream patch for 5.x (1.38 KB, patch)
2014-03-27 22:18 UTC, Vincent Danen

Description Vincent Danen 2014-03-27 22:09:31 UTC
An authentication bypass vulnerability was found in the strongSwan IKEv2 code.  This flaw can be triggered by rekeying an unestablished IKE_SA while it is being actively initiated.  This would allow an attacker to trick a peer's IKE_SA state to established, without having to provide any valid authentication credentials.  While this flaw allows for the bypass of authentication, it does not allow for remote code execution.

Only installations that actively initiate or re-authenticate IKEv2 IKE_SAs are affected; IKEv1 in charon or pluto is not affected.


Acknowledgements:

Red Hat would like to thank the strongSwan project for reporting this issue.
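
The state check that the description above implies, as an added C example that is not the upstream patch or strongSwan code: a rekey request (a CREATE_CHILD_SA exchange in IKEv2) is honoured only for an IKE_SA that is already established with an authenticated peer. All type and function names are hypothetical, and the sample SAs are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified IKE_SA lifecycle. All names here are hypothetical, not strongSwan's. */
typedef enum { SA_CREATED, SA_CONNECTING, SA_ESTABLISHED } sa_state_t;
typedef enum { REQ_REJECTED, REQ_ACCEPTED } req_result_t;

typedef struct {
    sa_state_t state;
    bool peer_authenticated;   /* set only once IKE_AUTH verification succeeds */
} ike_sa_t;

/* Handle a peer's request to rekey old_sa (a CREATE_CHILD_SA exchange in IKEv2).
 * The replacement SA inherits "established" from the old one, so the old one
 * must already have earned it. Without the guard, an SA that is still being
 * initiated would hand an unauthenticated peer an established successor. */
req_result_t handle_rekey_request(const ike_sa_t *old_sa, ike_sa_t *new_sa)
{
    if (old_sa->state != SA_ESTABLISHED || !old_sa->peer_authenticated) {
        return REQ_REJECTED;            /* new_sa is left untouched */
    }
    new_sa->state = SA_ESTABLISHED;
    new_sa->peer_authenticated = true;
    return REQ_ACCEPTED;
}

static const char *result_name(req_result_t r)
{
    return r == REQ_ACCEPTED ? "accepted" : "rejected";
}

int main(void)
{
    /* Constructed cases: an SA mid-initiation and one that completed IKE_AUTH. */
    ike_sa_t connecting  = { SA_CONNECTING,  false };
    ike_sa_t established = { SA_ESTABLISHED, true  };
    ike_sa_t successor_a = { SA_CREATED, false };
    ike_sa_t successor_b = { SA_CREATED, false };

    printf("rekey while connecting:  %s\n",
           result_name(handle_rekey_request(&connecting, &successor_a)));
    printf("rekey when established:  %s\n",
           result_name(handle_rekey_request(&established, &successor_b)));
    return 0;
}
```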

Comment 1 Vincent Danen 2014-03-27 22:18:38 UTC
Created attachment 879664
upstream patch for 5.x

Comment 2 Paul Wouters 2014-03-28 02:49:55 UTC
libreswan and openswan are not vulnerable to this.

openswan does not implement CREATE_CHILD_SA yet. Libreswan implements a stub that only provides an unconditional reject message.

Comment 3 Martin Prpič 2014-04-15 13:13:58 UTC
Created strongswan tracking bugs for this issue:

Affects: fedora-all [bug 1087859]
Affects: epel-6 [bug 1087860]

Comment 5 Fedora Update System 2014-04-24 07:35:22 UTC
strongswan-5.1.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-04-30 20:46:22 UTC
strongswan-5.1.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
