Fixed upstream in 2.6.22:

v2.6.22
* Malicious X.509 certificates could crash the asn.1 parser. Found by Orange Labs vulnerability research team.

Patches via an irresponsible 0-day public announcement by Andreas Steffen (http://openswan.org/download/CHANGES)

Upstream patches can be found here:
http://git.openswan.org/cgi-bin/gitweb.cgi?p=openswan.public/.git;a=history;f=lib/libopenswan/asn1.c
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2185 to the following vulnerability:

Name: CVE-2009-2185
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2185
Assigned: 20090624
Reference: CONFIRM: http://download.strongswan.org/CHANGES2.txt
Reference: CONFIRM: http://download.strongswan.org/CHANGES4.txt
Reference: CONFIRM: http://download.strongswan.org/CHANGES42.txt
Reference: BID:35452
Reference: URL: http://www.securityfocus.com/bid/35452
Reference: SECTRACK:1022428
Reference: URL: http://www.securitytracker.com/id?1022428
Reference: SECUNIA:35522
Reference: URL: http://secunia.com/advisories/35522
Reference: VUPEN:ADV-2009-1639
Reference: URL: http://www.vupen.com/english/advisories/2009/1639

The ASN.1 parser (pluto/asn1.c, libstrongswan/asn1/asn1.c, libstrongswan/asn1/asn1_parser.c) in (a) strongSwan 2.8 before 2.8.10, 4.2 before 4.2.16, and 4.3 before 4.3.2; and (b) openSwan 2.6 before 2.6.22 and 2.4 before 2.4.15 allows remote attackers to cause a denial of service (pluto IKE daemon crash) via an X.509 certificate with (1) crafted Relative Distinguished Names (RDNs), (2) a crafted UTCTIME string, or (3) a crafted GENERALIZEDTIME string.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2009:1138 https://rhn.redhat.com/errata/RHSA-2009-1138.html
openswan-2.6.21-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
openswan-2.6.21-5.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
Strongswan is claiming the initial fix for this was incomplete:
https://lists.strongswan.org/pipermail/announce/2009-July/000056.html

Avesh, can you please advise what you find out?

Paul indicates the fixes were committed to openswan git a few days after CVE-2009-2185 was fixed:

commit 483f6bfd4a1b9e900cb352bb4214ec1ce20016b7
Author: David McCullough <david_mccullough>
Date:   Thu Jun 25 15:57:18 2009 +1000

    Check the length at all exits from asn1_length.
    If we are going to check the blob length everywhere to be safe,
    then we should also check the simple case IMO.

commit 56400548fa2575d1cc010635f5b6cca660ce0e9e
Author: David McCullough <david_mccullough>
Date:   Wed Jun 24 11:34:30 2009 +1000

    Some missed fixups from the Orange Labs patches.
    The scanf fix is not a problem, as we redo it and check the result.
    The extra blob length patch is required though
The subsequent fixes noted above do not affect Red Hat Enterprise Linux 5, Fedora 10, and Fedora 11 as the patch to correct the initial issue was pulled from git after these changes were made, and so already has the above-noted fix included.
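To make concrete what "check the length at all exits from asn1_length" and "redo the scanf and check the result" protect against, here is an added example of a DER length decoder and a UTCTIME field parser that validate against the enclosing blob before reading anything. This is illustrative code written for this bug report, not openswan's or strongSwan's asn1.c; the blob_t and utctime_t types, the function names and the sample byte strings are all assumptions constructed here, and the samples are not taken from any real certificate.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative DER helpers with a bounds check at every exit, written as an
 * example for this bug; not openswan's or strongSwan's code. blob_t is an
 * assumption loosely modelled on the chunk_t those parsers use. */
typedef struct { const uint8_t *ptr; size_t len; } blob_t;
typedef struct { int yy, mon, day, hour, min, sec; } utctime_t;

#define ASN1_INVALID_LENGTH ((size_t)-1)
#define ASN1_UTCTIME 0x17

/* Decode the DER length field at the front of *blob (the byte after the tag).
 * On success the blob is advanced past the length octets and the content
 * length is returned; it is always <= the bytes left in the blob. Short-form
 * and long-form exits both compare against the blob, never just one of them. */
size_t asn1_length_checked(blob_t *blob)
{
    size_t n, len = 0;
    if (blob->len == 0)
        return ASN1_INVALID_LENGTH;        /* no length octet at all */
    n = blob->ptr[0];
    blob->ptr++; blob->len--;
    if (n < 0x80)                          /* short form: one octet */
        return n <= blob->len ? n : ASN1_INVALID_LENGTH;
    n &= 0x7f;                             /* long form: n length octets follow */
    if (n == 0 || n > sizeof(size_t) || n > blob->len)
        return ASN1_INVALID_LENGTH;        /* indefinite, oversized or truncated */
    for (size_t i = 0; i < n; i++)
        len = (len << 8) | blob->ptr[i];
    blob->ptr += n; blob->len -= n;
    return len <= blob->len ? len : ASN1_INVALID_LENGTH;
}

/* Split the next TLV off *blob: require the expected tag, place the value in
 * *value and advance past it. Returns 0 on success, -1 on any malformation. */
int asn1_next_tlv(blob_t *blob, uint8_t tag, blob_t *value)
{
    size_t len;
    if (blob->len == 0 || blob->ptr[0] != tag)
        return -1;
    blob->ptr++; blob->len--;
    len = asn1_length_checked(blob);
    if (len == ASN1_INVALID_LENGTH)
        return -1;
    value->ptr = blob->ptr; value->len = len;
    blob->ptr += len; blob->len -= len;
    return 0;
}

static int two_digits(const uint8_t *p, int *out)
{
    if (p[0] < '0' || p[0] > '9' || p[1] < '0' || p[1] > '9')
        return -1;
    *out = (p[0] - '0') * 10 + (p[1] - '0');
    return 0;
}

/* Parse a UTCTIME value (YYMMDDhhmm[ss]Z). The length is validated before any
 * byte is read and every field must be two ASCII digits, so a short or
 * non-numeric value is rejected instead of being read past its end or handed
 * to a scanf-style call whose result goes unchecked. */
int parse_utctime(const blob_t *v, utctime_t *t)
{
    int has_sec = (v->len == 13);
    if (v->len != 11 && !has_sec)
        return -1;                         /* wrong length */
    if (v->ptr[v->len - 1] != 'Z')
        return -1;                         /* must be UTC */
    if (two_digits(v->ptr, &t->yy) || two_digits(v->ptr + 2, &t->mon) ||
        two_digits(v->ptr + 4, &t->day) || two_digits(v->ptr + 6, &t->hour) ||
        two_digits(v->ptr + 8, &t->min))
        return -1;
    t->sec = 0;
    if (has_sec && two_digits(v->ptr + 10, &t->sec))
        return -1;
    if (t->mon < 1 || t->mon > 12 || t->day < 1 || t->day > 31 ||
        t->hour > 23 || t->min > 59 || t->sec > 59)
        return -1;
    return 0;
}

/* Run a complete UTCTime TLV through both stages. */
int decode_utctime_tlv(const uint8_t *der, size_t derlen, utctime_t *out)
{
    blob_t blob = { der, derlen }, value;
    if (asn1_next_tlv(&blob, ASN1_UTCTIME, &value))
        return -1;
    return parse_utctime(&value, out);
}

/* Constructed samples: a valid UTCTime; a TLV whose declared length (0x20)
 * exceeds the 4 bytes that follow it; and valid DER that is too short to
 * hold the date fields. */
const uint8_t UTC_GOOD[]    = { ASN1_UTCTIME, 0x0d, '0','9','0','6','2','4',
                                '1','2','3','0','4','5','Z' };
const uint8_t UTC_OVERRUN[] = { ASN1_UTCTIME, 0x20, '0','9','0','6' };
const uint8_t UTC_SHORT[]   = { ASN1_UTCTIME, 0x04, '0','9','0','6' };
```

The two failure samples correspond to the two classes of check the commits above describe: UTC_OVERRUN is caught by asn1_length_checked comparing the declared length against the blob, and UTC_SHORT is caught by parse_utctime checking the value's own length before it touches fixed offsets. A parser that trusts the declared length, or that parses the date with sscanf and ignores its return value, reads past the end of the certificate on such input, which is the kind of crash the CVE text describes.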