Bug 491895 - (CVE-2009-0790) CVE-2009-0790 openswan: ISAKMP DPD remote DoS
CVE-2009-0790 openswan: ISAKMP DPD remote DoS
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
source=vendorsec,reported=20090323,pu...
: Security
Depends On: 491907 491908
Blocks:
  Show dependency treegraph
 
Reported: 2009-03-24 11:09 EDT by Tomas Hoger
Modified: 2010-02-08 07:59 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-12-04 17:38:01 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Upstream patch (685 bytes, patch)
2009-03-24 11:16 EDT, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2009-03-24 11:09:44 EDT
Openswan upstream is going to release security advisory for Openswan and Strongswan describing following flaw:

A vulnerability in the Dead Peer Detection (RFC-3706) code was found by
Gerd v. Egidy of Intra2net AG affecting all Openswan and all Strongswan
releases.

A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK Dead Peer
Detection packet can cause the pluto IKE daemon to crash and restart. No
authentication or encryption is required to trigger this bug. One spoofed
UDP packet can cause the pluto IKE daemon to restart and be unresponsive
for a few seconds while restarting.

Affected versions:
Openswan-2.6.20 and earlier
Strongswan-4.2.13 and earlier
Comment 1 Tomas Hoger 2009-03-24 11:16:06 EDT
Created attachment 336484 [details]
Upstream patch
Comment 9 Tomas Hoger 2009-03-25 06:45:44 EDT
The version of openswan as shipped in Red Hat Enterprise Linux 5 differs from current upstream versions in the default value of plutorestartoncrash which controls automatic restart of pluto daemon after the crash.  It seems that this was intended to default to yes, but mistakenly defaulted to no in certain versions.  Upstream changelog mentions fix for this introduced in 2.6.15:

v2.6.15
 [ ... ]
* Change (back) defaults of plutorestartoncrash and uniqueids from
  no to yes. The new parser mistakenly did not set these [paul]

Defaults can be checked using the following command:
  ipsec addconn --configsetup

To enable automatic pluto restart on crashes, plutorestartoncrash=yes needs to be added to "config setup" section of ipsec.conf.
Comment 10 Tomas Hoger 2009-03-30 12:31:41 EDT
Public now via:
  http://lists.openswan.org/pipermail/announce/2009-March/000031.html
Comment 11 errata-xmlrpc 2009-03-30 12:52:36 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0402 https://rhn.redhat.com/errata/RHSA-2009-0402.html
Comment 12 Vincent Danen 2009-12-04 17:38:01 EST
Current Fedora is shipping with 2.6.21 or later, so this does not affect Fedora.

Note You need to log in before you can comment on or make changes to this bug.