Bug 507362 - CVE-2009-2185 Openswan ASN.1 parser vulnerability
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
URL: http://www.vupen.com/english/advisori...
Whiteboard: public=20090622,reported=20090622,sou...
Keywords: Security
Depends On: 507872 507873

Reported: 2009-06-22 10:07 EDT by Avesh Agarwal
Modified: 2010-03-29 05:15 EDT
CC: 6 users
Doc Type: Bug Fix
Last Closed: 2010-03-29 05:15:47 EDT

Comment 8 Tomas Hoger 2009-06-23 17:52:20 EDT
Fixed upstream in 2.6.22:

v2.6.22
* Malicious X.509 certificates could crash the asn.1 parser.
  Found by Orange Labs vulnerability research team. Patches via
  an irresponsible 0-day public announcement by Andreas Steffen 

( http://openswan.org/download/CHANGES )

Upstream patches can be found here:
http://git.openswan.org/cgi-bin/gitweb.cgi?p=openswan.public/.git;a=history;f=lib/libopenswan/asn1.c
Comment 12 Vincent Danen 2009-06-25 02:25:14 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2185 to
the following vulnerability:

Name: CVE-2009-2185
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2185
Assigned: 20090624
Reference: CONFIRM: http://download.strongswan.org/CHANGES2.txt
Reference: CONFIRM: http://download.strongswan.org/CHANGES4.txt
Reference: CONFIRM: http://download.strongswan.org/CHANGES42.txt
Reference: BID:35452
Reference: URL: http://www.securityfocus.com/bid/35452
Reference: SECTRACK:1022428
Reference: URL: http://www.securitytracker.com/id?1022428
Reference: SECUNIA:35522
Reference: URL: http://secunia.com/advisories/35522
Reference: VUPEN:ADV-2009-1639
Reference: URL: http://www.vupen.com/english/advisories/2009/1639

The ASN.1 parser (pluto/asn1.c, libstrongswan/asn1/asn1.c,
libstrongswan/asn1/asn1_parser.c) in (a) strongSwan 2.8 before 2.8.10,
4.2 before 4.2.16, and 4.3 before 4.3.2; and (b) openSwan 2.6 before
2.6.22 and 2.4 before 2.4.15 allows remote attackers to cause a denial
of service (pluto IKE daemon crash) via an X.509 certificate with (1)
crafted Relative Distinguished Names (RDNs), (2) a crafted UTCTIME
string, or (3) a crafted GENERALIZEDTIME string.
Comment 15 errata-xmlrpc 2009-07-02 11:02:54 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1138 https://rhn.redhat.com/errata/RHSA-2009-1138.html
Comment 16 Fedora Update System 2009-07-11 12:55:59 EDT
openswan-2.6.21-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2009-07-11 13:18:57 EDT
openswan-2.6.21-5.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Vincent Danen 2009-07-27 13:34:01 EDT
Strongswan is claiming the initial fix for this was incomplete:

https://lists.strongswan.org/pipermail/announce/2009-July/000056.html

Avesh, can you please advise what you find out?  Paul indicates the fixes were committed to openswan git a few days after CVE-2009-2185 was fixed:

commit 483f6bfd4a1b9e900cb352bb4214ec1ce20016b7
Author: David McCullough <david_mccullough@securecomputing.com>
Date:   Thu Jun 25 15:57:18 2009 +1000

    Check the length at all exits from asn1_length.

    If we are going to check the blob length everywhere to be safe,
    then we should also check the simple case IMO.

commit 56400548fa2575d1cc010635f5b6cca660ce0e9e
Author: David McCullough <david_mccullough@securecomputing.com>
Date:   Wed Jun 24 11:34:30 2009 +1000

    Some missed fixups from the Orange Labs patches.

    The scanf fix is not a problem, as we redo it and check the result.
    The extra blob length patch is required though
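The two commit messages above, together with the CVE text in comment 12, describe the shape of the bug: a length decoded from the DER length octets that was not compared against the bytes actually present in the blob, and UTCTIME/GENERALIZEDTIME content handed to a scanf-style parser without a prior length check. The block below is an added illustration written for this page; it is not openswan's asn1.c, not any of the patches linked above, and not strongSwan's code. The blob_t type, the function names asn1_length_checked, asn1_time_parse, decode_len and time_key, and the sample byte strings are all this example's own, and the sample inputs are constructed rather than taken from a real certificate.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not openswan's asn1.c: blob_t, the function names and
 * the sample bytes are all this example's own.  It shows a DER length checked
 * against the bytes present on every exit, and a time-string parse that never
 * hands sscanf an unbounded, unterminated blob. */

typedef struct {
    const uint8_t *ptr;   /* start of remaining DER bytes */
    size_t len;           /* bytes remaining */
} blob_t;

#define ASN1_INVALID_LENGTH ((size_t)-1)

/* Decode tag + length at the front of *blob.  On success advance the blob to
 * the content octets and return the content length, never larger than
 * blob->len.  Malformed, indefinite or oversized encodings return
 * ASN1_INVALID_LENGTH and leave the blob untouched. */
size_t asn1_length_checked(blob_t *blob)
{
    if (blob->len < 2)                 /* need tag + one length octet */
        return ASN1_INVALID_LENGTH;
    const uint8_t *p = blob->ptr + 1;  /* skip the tag */
    size_t avail = blob->len - 2;      /* bytes after tag and first length octet */
    uint8_t n = *p++;
    if ((n & 0x80) == 0) {             /* short form: n is the length itself */
        if (n > avail)
            return ASN1_INVALID_LENGTH;
        blob->ptr = p;
        blob->len = avail;
        return n;
    }
    n &= 0x7f;                         /* long form: n = number of length octets */
    if (n == 0 || n > sizeof(size_t) || n > avail)
        return ASN1_INVALID_LENGTH;    /* indefinite form (not DER) or unsatisfiable */
    size_t len = 0;
    for (uint8_t i = 0; i < n; i++)
        len = (len << 8) | *p++;
    avail -= n;
    if (len > avail)                   /* the check at the long-form exit */
        return ASN1_INVALID_LENGTH;
    blob->ptr = p;
    blob->len = avail;
    return len;
}

typedef struct { int year, mon, day, hour, min, sec; } asn1_time_t;

/* Parse UTCTime (YYMMDDhhmm[ss]Z) or GeneralizedTime (YYYYMMDDhhmm[ss]Z)
 * content octets.  Length and character set are validated before the bytes
 * are copied to a NUL-terminated buffer for sscanf.  Returns 1 on success. */
int asn1_time_parse(const uint8_t *s, size_t len, int generalized, asn1_time_t *t)
{
    char buf[16];
    size_t base = (generalized ? 4 : 2) + 8;    /* date digits + hhmm */
    if (len != base + 1 && len != base + 3)     /* without or with seconds */
        return 0;
    if (s[len - 1] != 'Z') return 0;
    for (size_t i = 0; i + 1 < len; i++)
        if (s[i] < '0' || s[i] > '9')
            return 0;
    memcpy(buf, s, len);
    buf[len] = '\0';
    int n = generalized
        ? sscanf(buf, "%4d%2d%2d%2d%2d", &t->year, &t->mon, &t->day, &t->hour, &t->min)
        : sscanf(buf, "%2d%2d%2d%2d%2d", &t->year, &t->mon, &t->day, &t->hour, &t->min);
    if (n != 5) return 0;
    t->sec = (len == base + 3) ? (buf[base] - '0') * 10 + (buf[base + 1] - '0') : 0;
    if (!generalized)                           /* RFC 5280 two-digit year window */
        t->year += (t->year < 50) ? 2000 : 1900;
    return t->mon >= 1 && t->mon <= 12 && t->day >= 1 && t->day <= 31 &&
           t->hour <= 23 && t->min <= 59 && t->sec <= 59;
}

/* Wrappers: decode a length from a raw buffer; return a parsed time as
 * YYYYMMDDhhmmss, or -1 if it was rejected. */
size_t decode_len(const uint8_t *p, size_t n) { blob_t b = { p, n }; return asn1_length_checked(&b); }

long long time_key(const char *s, int generalized)
{
    asn1_time_t t;
    if (!asn1_time_parse((const uint8_t *)s, strlen(s), generalized, &t))
        return -1;
    return ((((t.year * 100LL + t.mon) * 100 + t.day) * 100 + t.hour) * 100 + t.min) * 100 + t.sec;
}

/* Constructed sample inputs, not taken from any real certificate. */
static const uint8_t sample_ok[]    = { 0x30, 0x03, 0x02, 0x01, 0x05 }; /* SEQUENCE { INTEGER 5 } */
static const uint8_t sample_trunc[] = { 0x30, 0x64, 0x02 };             /* claims 100 bytes, has 1 */
static const uint8_t sample_long[]  = { 0x30, 0x82, 0xff, 0xff, 0x01 }; /* long form claiming 65535 */

int main(void)
{
    printf("well-formed -> %zu\n", decode_len(sample_ok, sizeof sample_ok));
    printf("truncated rejected -> %d\n", decode_len(sample_trunc, sizeof sample_trunc) == ASN1_INVALID_LENGTH);
    printf("long-form rejected -> %d\n", decode_len(sample_long, sizeof sample_long) == ASN1_INVALID_LENGTH);
    printf("UTCTime -> %lld, too short -> %lld\n", time_key("090622100700Z", 0), time_key("0906Z", 0));
    return 0;
}
```

The point of the length decoder is that both the short-form and the long-form exits compare the decoded value with what is left in the blob before the caller is allowed to index into the content; the time parser rejects anything that is not exactly one of the permitted lengths before the bytes get anywhere near sscanf, so a short or unterminated string cannot cause an over-read. DER minimal-length encoding is not enforced here; a stricter parser would also reject a long form that could have been short.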
Comment 20 Vincent Danen 2009-07-27 19:42:44 EDT
The subsequent fixes noted above do not affect Red Hat Enterprise Linux 5, Fedora 10, and Fedora 11 as the patch to correct the initial issue was pulled from git after these changes were made, and so already has the above-noted fix included.
