Bug 1581867 - (CVE-2018-5388) CVE-2018-5388 strongswan: integer underflow leads to buffer overflow and denial of service in stroke_socket.c
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20180522,repor...
Keywords: Security
Depends On: 1581869 1583761 1581868
Blocks: 1581872
Reported: 2018-05-23 16:00 EDT by Laura Pardo
Modified: 2018-06-01 09:50 EDT (History)

Fixed In Version: strongswan 5.6.3
Doc Text:
An integer underflow has been discovered in strongSwan VPN's charon server, which could lead to a buffer overflow and consequent crash. A local attacker, with enough privileges to access the Unix Domain Socket /var/run/charon.ctl, could use this vulnerability to crash the charon server.
Description Laura Pardo 2018-05-23 16:00:57 EDT
A flaw was found in strongSwan VPN's charon server prior to version 5.6.3. In stroke_socket.c, a missing packet length check could allow an integer underflow, which may lead to resource exhaustion and denial of service while reading from the socket. A remote attacker with local user credentials (possibly a normal user in the vpn group, or root) may be able to overflow the buffer and cause a denial of service.


References:
https://www.kb.cert.org/vuls/id/338343

Patch:
https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=0acd1ab4
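The length-check pattern the description above refers to, shown here as an added example that is not strongSwan's stroke_socket.c: a hypothetical parser for a message carrying a 2-byte length prefix that counts itself, with the unchecked unsigned subtraction beside the hardened form that rejects a length shorter than its own header. HDR_LEN, MAX_MSG, body_len_unchecked, body_len_checked, parse_message and demo_parse are constructed names and values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical message layout assumed by this example: a 2-byte length
 * field (which counts itself) followed by the body. */
#define HDR_LEN  ((size_t) sizeof(uint16_t))
#define MAX_MSG  4096u   /* constructed upper bound, not a strongSwan value */

/* Unchecked body-length computation. For len < HDR_LEN the unsigned
 * subtraction wraps to a value near SIZE_MAX; a subsequent read of that
 * many bytes into a len-sized buffer is the overflow the advisory
 * describes. The value is only returned here, never used for a read. */
size_t body_len_unchecked(uint16_t len)
{
    return (size_t) len - HDR_LEN;
}

/* Hardened form: refuse any length that cannot even hold the header,
 * and anything larger than the buffer the caller will allocate.
 * Returns 1 and sets *out on success, 0 if the message is rejected. */
int body_len_checked(uint16_t len, size_t *out)
{
    if (len < HDR_LEN || len > MAX_MSG) {
        return 0;                       /* malformed: drop the message */
    }
    *out = (size_t) len - HDR_LEN;
    return 1;
}

/* Parse one message from buf (length prefix in host byte order for
 * simplicity) into body_out. Returns body bytes copied, or -1. */
int parse_message(const uint8_t *buf, size_t avail,
                  uint8_t *body_out, size_t body_cap)
{
    uint16_t len;
    size_t body;
    if (avail < HDR_LEN) return -1;
    memcpy(&len, buf, HDR_LEN);
    if (!body_len_checked(len, &body)) return -1;
    if (body > body_cap || body > avail - HDR_LEN) return -1;
    memcpy(body_out, buf + HDR_LEN, body);
    return (int) body;
}

/* Constructed sample: an 8-byte wire buffer whose length field is set
 * by the caller (5 = well formed, 0 or 1 = shorter than the header). */
int demo_parse(uint16_t len)
{
    uint8_t wire[8] = {0};
    uint8_t body[8];
    memcpy(wire, &len, HDR_LEN);
    wire[2] = 'a'; wire[3] = 'b'; wire[4] = 'c';
    return parse_message(wire, sizeof(wire), body, sizeof(body));
}
```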
Comment 1 Laura Pardo 2018-05-23 16:01:25 EDT
Created strongswan tracking bugs for this issue:

Affects: epel-all [bug 1581869]
Affects: fedora-all [bug 1581868]
Comment 3 Riccardo Schirone 2018-05-29 11:55:39 EDT
The vulnerable code is reachable only through the Unix Domain Socket that handles `stroke` messages. Moreover, it seems the flaw cannot be used in any other way apart from generating a Denial of Service.
Comment 5 Riccardo Schirone 2018-05-29 12:15:35 EDT
Mitigation:

On Red Hat Enterprise Linux 7 only root has access to /var/run/charon.ctl so you need to be already root to exploit the vulnerability.
