Bug 960229 (CVE-2013-2053) - CVE-2013-2053 Openswan: remote buffer overflow in atodn()
Summary: CVE-2013-2053 Openswan: remote buffer overflow in atodn()
Status: CLOSED ERRATA
Alias: CVE-2013-2053
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20130513,repo...
Keywords: Security
Depends On: 960232 960233 960234 960235 1014370
Blocks: 960231
TreeView+ depends on / blocked
 
Reported: 2013-05-06 18:38 UTC by Kurt Seifried
Modified: 2019-06-08 19:34 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2013-05-15 18:15:14 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0827 normal SHIPPED_LIVE Important: openswan security update 2013-05-15 21:44:30 UTC

Description Kurt Seifried 2013-05-06 18:38:41 UTC
Paul Wouters reports:

An audit of code from The Libreswan Project revealed a remote buffer overflow
in the atodn() function used by both libreswan, openswan, and older versions
of strongswan and superfreeswan when called from atoid() 

Vulnerable versions: Openswan versions 1.x to 2.6.38

Vulnerability information:
When enabling Opportunistic Encryption ("OE") using oe=yes (default is
'no') the IKE daemon pluto requests DNS TXT records to obtain public RSA keys
of itself and its peers. These records can contain an IPsec gateway
specification containing an fully qualified hostname which is passed to
a function atoid().

When X.509 support was added to FreeS/WAN, ASN.1 parsing was added to
the function atoid() which converts an ASCII ID representation into an
internal struct id representation using a static buffer via the function
temporary_cyclic_buffer()

While DNS TXT records cannot contain ASN.1 representations, the code
mistakenly checked for such interpretation if the DNS TXT FQDN contained
an '=' symbol. Since DNS TXT buffers can be larger than what the ASN.1
parsing code expected, parsing such a record can trigger a buffer overflow
leading to remote execution of code, specifically when overflowing into the
struct kernel_ops which is a table of function pointers.

Exploitation:
This exploit can only be triggered when the ipsec.conf configuration file
enables Opportunistic Encryption via the option 'oe=yes'. If this option is
not present, it defaults to 'no'.

Configurations that enable "OE" without preconfiguring their own public RSA
key in DNS will be under severe connectivity problems leaving the machine
with 30 second delay for each outgoing connection - a deployment scenario that
is extremely unlikely to appear in the wild.

In the unlikely event that machines are configured as such, this
vulnerability can only be exploited by a remote attacker controlling the
reverse DNS entry for the IP address of the targetted host. If the machine is
properly configured for OE, an attacker only needs to trigger a connection to
an IP address for which they control the reverse DNS zone where they can place
the malicious DNS record.

Credits:
This vulnerability was found by Florian Weimer of the Red Hat Product
Security Team (https://access.redhat.com/security/team/)

Comment 3 Kurt Seifried 2013-05-07 19:40:12 UTC
This issue requires root level access to modify the configuration of the system in order for it to be vulnerable, this changes the CVSS2 score from 10.0 to 7.6, which also brings the bug impact down to important from critical.

Comment 4 Murray McAllister 2013-05-13 03:13:43 UTC
Acknowledgements:

This issue was discovered by Florian Weimer of the Red Hat Product Security Team.

Comment 8 Vincent Danen 2013-05-14 14:31:02 UTC
Patches for openswan (from upstream libreswan) are available at http://libreswan.org/security/CVE-2013-2053/


External References:

https://lists.libreswan.org/pipermail/swan-announce/2013/000003.html

Comment 9 Paul Wouters 2013-05-14 15:02:44 UTC
Those are the same as the ones I put in the RHEL packages

Comment 10 errata-xmlrpc 2013-05-15 17:45:26 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2013:0827 https://rhn.redhat.com/errata/RHSA-2013-0827.html


Note You need to log in before you can comment on or make changes to this bug.