1581867 – (CVE-2018-5388) CVE-2018-5388 strongswan: integer underflow leads to buffer overflow and denial of service in stroke_socket.c

Bug 1581867 (CVE-2018-5388) - CVE-2018-5388 strongswan: integer underflow leads to buffer overflow and denial of service in stroke_socket.c

Summary: CVE-2018-5388 strongswan: integer underflow leads to buffer overflow and deni...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-5388
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1581868 1581869 1583761
Blocks:	1581872
TreeView+	depends on / blocked

Reported:	2018-05-23 20:00 UTC by Laura Pardo
Modified:	2021-10-21 20:04 UTC (History)
CC List:	2 users (show)
Fixed In Version:	strongswan 5.6.3
Doc Type:	If docs needed, set a value
Doc Text:	An integer underflow has been discovered in strongSwan VPN's charon server, which could lead to a buffer overflow and consequent crash. A local attacker, with enough privileges to access the Unix Domain Socket /var/run/charon.ctl, could use this vulnerability to crash the charon server.
Clone Of:
Environment:
Last Closed:	2021-10-21 20:04:27 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2018-05-23 20:00:57 UTC

A flaw was found in strongSwan VPN's charon server prior to version 5.6.3. In stroke_socket.c, a missing packet length check could allow a integer underflow, which may lead to resource exhaustion and denial of service while reading from the socket. A remote attacker with local user credentials (possibly a normal user in the vpn group, or root) may be able to overflow the buffer and cause a denial of service.


References:
https://www.kb.cert.org/vuls/id/338343

Patch:
https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=0acd1ab4

Comment 1 Laura Pardo 2018-05-23 20:01:25 UTC

Created strongswan tracking bugs for this issue:

Affects: epel-all [bug 1581869]
Affects: fedora-all [bug 1581868]

Comment 3 Riccardo Schirone 2018-05-29 15:55:39 UTC

The vulnerable code is reachable only through the Unix Domain Socket that handles `stroke` messages. Moreover, it seems the flaw cannot be used in any other way apart from generating a Denial of Service.

Comment 5 Riccardo Schirone 2018-05-29 16:15:35 UTC

Mitigation:

On Red Hat Enterprise Linux 7 only root has access to /var/run/charon.ctl so you need to be already root to exploit the vulnerability.

Note You need to log in before you can comment on or make changes to this bug.