Bug 991215 - CVE-2013-5018 strongswan: denial of service flaw in 5.0.3/5.0.4
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130801,repor...
Keywords: Security
Depends On: 991216
Reported: 2013-08-01 17:12 EDT by Vincent Danen
Modified: 2014-02-24 10:25 EST
Fixed In Version: strongswan 5.1.0
Doc Type: Bug Fix
Last Closed: 2014-02-23 11:04:58 EST
Description Vincent Danen 2013-08-01 17:12:32 EDT
It was reported that StrongSwan 5.1.0 corrected a flaw present in versions 5.0.3 and 5.0.4:

A segmentation fault is caused if an XAuth username or EAP identity is received that starts with either 0 or 1 (ASCII, 0x30 and 0x31 hex, technically 0x04 also triggers it, but this is harder to craft) and whose remaining bytes can be interpreted as single- or multi-byte ASN.1 length (for instance, a single character < 0x80). An example for such a username is 15 (0x3135) as can be seen in the bug report.

The plugins listed above call identification_create_from_data() to parse the username/identity, which first calls is_asn1() to determine if the given data is ASN.1 encoded. This function in turn calls asn1_length() but handles the return value incorrectly, if the parsed ASN.1 length is invalid (e.g. if the parsed length is longer than the actual data). If the remaining data length is exactly zero, a check for terminating newlines causes an integer overflow and subsequently a segmentation fault.

It was also noted that the PEM plugin can call the vulnerable is_asn1() function, and this issue can be triggered locally via a specially crafted PEM encoded file. However, the PEM plugin is only used to load local certificates, private keys or CRL files, which require appropriate (root) privileges to change, so no trust boundary is crossed.

Patches for StrongSwan are available here: http://download.strongswan.org/patches/12_is_asn1_patch/

In regards to the PEM issue for earlier releases as well as for Openswan and Libreswan, the advisory notes:

While is_asn1() never handled the return value of asn1_length() correctly, this did not cause any problems before the additional check for newlines was added with 4.1.11. Therefore, earlier releases as well as users of the original X.509 patch for FreeS/WAN (Openswan, Libreswan) are not vulnerable.

Checking the code in Openswan and Libreswan, the additional newline check is indeed not present.

External References:

http://strongswan.org/blog/2013/08/01/strongswan-denial-of-service-vulnerability-(cve-2013-5018).html
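The description above explains the failure mode in terms of two pieces: an ASN.1 length parser that signals "invalid" with a sentinel return value, and a caller that does arithmetic on that value before checking it, so that `len + 1` wraps to zero, matches a remaining length of zero, and the trailing-newline test reads out of bounds. The following C program is an added illustration written for this page, not strongSwan's own code: it reimplements the shape of such a check with the missing sentinel test in place, and shows that the example username "15" from the report is simply rejected as "not ASN.1". The `chunk_t` layout, the `ASN1_INVALID_LENGTH` sentinel value, and the function names `asn1_length_checked` and `is_asn1_checked` are assumptions of this example; the tag values are the standard DER tags; the sample byte strings are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not strongSwan's code. chunk_t, ASN1_INVALID_LENGTH and
 * the function names below are assumptions made for this example. */

#define ASN1_OCTET_STRING   0x04
#define ASN1_SEQUENCE       0x30
#define ASN1_SET            0x31
#define ASN1_INVALID_LENGTH UINT32_MAX  /* sentinel: no usable length parsed */

typedef struct {
    const uint8_t *ptr;
    size_t len;
} chunk_t;

/* Parse the DER length that follows the tag byte and advance the chunk past
 * the tag and length bytes. Returns ASN1_INVALID_LENGTH when the encoding is
 * malformed or the encoded length exceeds the bytes that remain. */
static uint32_t asn1_length_checked(chunk_t *blob)
{
    if (blob->len < 2) {
        return ASN1_INVALID_LENGTH;  /* need a tag and at least one length byte */
    }
    blob->ptr++; blob->len--;        /* skip the tag */
    uint8_t first = *blob->ptr;
    blob->ptr++; blob->len--;

    if (first < 0x80) {              /* short form: this byte is the length */
        return (first <= blob->len) ? first : ASN1_INVALID_LENGTH;
    }
    unsigned nbytes = first & 0x7f;  /* long form: nbytes of length follow */
    if (nbytes == 0 || nbytes > 4 || nbytes > blob->len) {
        return ASN1_INVALID_LENGTH;
    }
    uint32_t len = 0;
    for (unsigned i = 0; i < nbytes; i++) {
        len = (len << 8) | *blob->ptr;
        blob->ptr++; blob->len--;
    }
    return (len <= blob->len) ? len : ASN1_INVALID_LENGTH;
}

/* Decide whether data looks like a binary DER object. The sentinel check is
 * the point of the example: without it, UINT32_MAX + 1 wraps to 0, which
 * equals a remaining length of 0 (as for the username "15" in the report),
 * and the newline test would then index far outside the buffer. */
bool is_asn1_checked(const uint8_t *data, size_t size)
{
    if (size == 0) {
        return false;
    }
    uint8_t tag = data[0];
    if (tag != ASN1_SEQUENCE && tag != ASN1_SET && tag != ASN1_OCTET_STRING) {
        return false;                /* plain text, not DER */
    }
    chunk_t blob = { data, size };
    uint32_t len = asn1_length_checked(&blob);
    if (len == ASN1_INVALID_LENGTH) {
        return false;                /* reject before any arithmetic on len */
    }
    if (len == blob.len) {
        return true;                 /* exact match */
    }
    /* tolerate one trailing newline; len + 1 cannot wrap here because
     * asn1_length_checked() already enforced len <= blob.len */
    if ((size_t)len + 1 == blob.len && blob.ptr[len] == '\n') {
        return true;
    }
    return false;
}

/* Constructed samples used by main() and the test. */
static const uint8_t SAMPLE_USERNAME_15[] = { '1', '5' };                    /* "15", from the report */
static const uint8_t SAMPLE_DER[]         = { 0x30, 0x03, 0x02, 0x01, 0x05 }; /* SEQUENCE { INTEGER 5 } */
static const uint8_t SAMPLE_DER_NL[]      = { 0x30, 0x03, 0x02, 0x01, 0x05, '\n' };
static const uint8_t SAMPLE_LONG_FORM[]   = { 0x30, 0x82, 0x01, 0x00 };       /* claims 256 bytes, has none */
static const uint8_t SAMPLE_EMPTY_SET[]   = { 0x31, 0x00 };                   /* valid empty SET */

int main(void)
{
    printf("username \"15\"        -> %d\n", is_asn1_checked(SAMPLE_USERNAME_15, sizeof SAMPLE_USERNAME_15));
    printf("DER SEQUENCE          -> %d\n", is_asn1_checked(SAMPLE_DER, sizeof SAMPLE_DER));
    printf("DER + newline         -> %d\n", is_asn1_checked(SAMPLE_DER_NL, sizeof SAMPLE_DER_NL));
    printf("long form, truncated  -> %d\n", is_asn1_checked(SAMPLE_LONG_FORM, sizeof SAMPLE_LONG_FORM));
    printf("empty SET             -> %d\n", is_asn1_checked(SAMPLE_EMPTY_SET, sizeof SAMPLE_EMPTY_SET));
    return 0;
}
```

The defensive rule the example encodes is that a length parser's error sentinel must be tested for equality before the value takes part in any comparison or addition; bounding the parsed length against the bytes actually present (as `asn1_length_checked` does) is a second, independent guard that keeps the index in `blob.ptr[len]` inside the buffer even if a caller forgets the first.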
Comment 1 Vincent Danen 2013-08-01 17:13:44 EDT
Created strongswan tracking bugs for this issue:

Affects: fedora-all [bug 991216]
Comment 2 Vincent Danen 2013-08-01 17:16:17 EDT
Statement:

Not vulnerable. This issue did not affect the versions of openswan as shipped with Red Hat Enterprise Linux 5 or 6 as they did not include the problematic newline checks when validating ASN.1 length.
Comment 3 Jamie Nguyen 2014-02-23 11:04:58 EST
Strongswan has been updated and libreswan/openswan do not appear to be affected. I am therefore closing this bug.
Comment 4 Vincent Danen 2014-02-24 10:25:30 EST
That's right, both EPEL6 and current Fedora have 5.1.1, which has this flaw fixed.