Bug 507362 (CVE-2009-2185) - CVE-2009-2185 Openswan ASN.1 parser vulnerability
Summary: CVE-2009-2185 Openswan ASN.1 parser vulnerability
Alias: CVE-2009-2185
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.vupen.com/english/advisori...
Depends On: 507872 507873
Reported: 2009-06-22 14:07 UTC by Avesh Agarwal
Modified: 2019-09-29 12:30 UTC
6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-03-29 09:15:47 UTC


Links:
Red Hat Product Errata RHSA-2009:1138 (priority normal, status SHIPPED_LIVE): Important: openswan security update, last updated 2009-07-02 15:02:52 UTC

Comment 8 Tomas Hoger 2009-06-23 21:52:20 UTC
Fixed upstream in 2.6.22:

* Malicious X.509 certificates could crash the asn.1 parser.
  Found by Orange Labs vulnerability research team. Patches via
  an irresponsible 0-day public announcement by Andreas Steffen 

( http://openswan.org/download/CHANGES )

Upstream patches can be found here:

Comment 12 Vincent Danen 2009-06-25 06:25:14 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2185 to
the following vulnerability:

Name: CVE-2009-2185
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2185
Assigned: 20090624
Reference: CONFIRM: http://download.strongswan.org/CHANGES2.txt
Reference: CONFIRM: http://download.strongswan.org/CHANGES4.txt
Reference: CONFIRM: http://download.strongswan.org/CHANGES42.txt
Reference: BID:35452
Reference: URL: http://www.securityfocus.com/bid/35452
Reference: SECTRACK:1022428
Reference: URL: http://www.securitytracker.com/id?1022428
Reference: SECUNIA:35522
Reference: URL: http://secunia.com/advisories/35522
Reference: VUPEN:ADV-2009-1639
Reference: URL: http://www.vupen.com/english/advisories/2009/1639

The ASN.1 parser (pluto/asn1.c, libstrongswan/asn1/asn1.c,
libstrongswan/asn1/asn1_parser.c) in (a) strongSwan 2.8 before 2.8.10,
4.2 before 4.2.16, and 4.3 before 4.3.2; and (b) openSwan 2.6 before
2.6.22 and 2.4 before 2.4.15 allows remote attackers to cause a denial
of service (pluto IKE daemon crash) via an X.509 certificate with (1)
crafted Relative Distinguished Names (RDNs), (2) a crafted UTCTIME
string, or (3) a crafted GENERALIZEDTIME string.

Comment 15 errata-xmlrpc 2009-07-02 15:02:54 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1138 https://rhn.redhat.com/errata/RHSA-2009-1138.html

Comment 16 Fedora Update System 2009-07-11 16:55:59 UTC
openswan-2.6.21-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2009-07-11 17:18:57 UTC
openswan-2.6.21-5.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Vincent Danen 2009-07-27 17:34:01 UTC
Strongswan is claiming the initial fix for this was incomplete:
Avesh, can you please advise what you find out?  Paul indicates the fixes were committed to openswan git a few days after CVE-2009-2185 was fixed:

commit 483f6bfd4a1b9e900cb352bb4214ec1ce20016b7
Author: David McCullough <david_mccullough@securecomputing.com>
Date:   Thu Jun 25 15:57:18 2009 +1000

    Check the length at all exits from asn1_length.

    If we are going to check the blob length everywhere to be safe,
    then we should also check the simple case IMO.

commit 56400548fa2575d1cc010635f5b6cca660ce0e9e
Author: David McCullough <david_mccullough@securecomputing.com>
Date:   Wed Jun 24 11:34:30 2009 +1000

    Some missed fixups from the Orange Labs patches.

    The scanf fix is not a problem,  as we redo it and check the result.
    The extra blob length patch is required though
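
The length-checking pattern the quoted commit messages describe ("check the length at all exits from asn1_length", including the simple short-form case), as an added example written for this page. It is not Openswan's or strongSwan's code and does not reproduce pluto/asn1.c; it assumes DER (definite-length) encoding with single-byte tags, and the function names der_read_length and der_count_elements as well as the sample byte strings are constructed for illustration. The point it shows is that a decoded length must be compared against the bytes actually remaining in the blob on every return path, so a certificate field claiming more content than exists is rejected instead of being read past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Result of decoding one DER length field. */
typedef struct {
    bool ok;     /* false if the encoding is malformed or overruns the blob */
    size_t len;  /* decoded content length */
    size_t hdr;  /* bytes consumed by the length field itself */
} der_length_t;

/* Decode the DER length that starts at blob[pos]; `size` is the total blob
 * size.  Every exit, short form included, checks that the announced content
 * fits inside the bytes that remain after the length field. */
der_length_t der_read_length(const uint8_t *blob, size_t size, size_t pos)
{
    der_length_t r = { false, 0, 0 };
    if (pos >= size)
        return r;                               /* no length byte at all */

    uint8_t first = blob[pos];
    if (first < 0x80) {                         /* short form: one byte */
        r.hdr = 1;
        r.len = first;
    } else if (first == 0x80 || first == 0xFF) {
        return r;                               /* indefinite / reserved: not DER */
    } else {
        size_t n = first & 0x7F;                /* number of following length octets */
        if (n > sizeof(size_t) || n > size - pos - 1)
            return r;                           /* length octets themselves overrun */
        if (blob[pos + 1] == 0)
            return r;                           /* leading zero: non-minimal encoding */
        size_t len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | blob[pos + 1 + i];
        if (n == 1 && len < 0x80)
            return r;                           /* DER requires short form here */
        r.hdr = 1 + n;
        r.len = len;
    }

    /* Common exit check: content must fit in the remaining blob. */
    if (r.len > size - pos - r.hdr)
        return r;                               /* r.ok stays false */
    r.ok = true;
    return r;
}

/* Walk the top-level TLVs of a blob.  Returns the element count, or -1 as
 * soon as any element announces more content than the blob holds. */
int der_count_elements(const uint8_t *blob, size_t size)
{
    size_t pos = 0;
    int count = 0;
    while (pos < size) {
        pos++;                                  /* tag byte (single-byte tags assumed) */
        der_length_t l = der_read_length(blob, size, pos);
        if (!l.ok)
            return -1;
        pos += l.hdr + l.len;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not taken from the bug report). */
static const uint8_t GOOD_SEQ[]  = { 0x30, 0x07, 0x02, 0x01, 0x05,
                                     0x0C, 0x02, 0x61, 0x62 };         /* SEQUENCE { INTEGER 5, UTF8String "ab" } */
static const uint8_t BAD_SHORT[] = { 0x30, 0x7F, 0x02, 0x01, 0x05 };   /* claims 127 bytes, only 3 follow */
static const uint8_t BAD_LONG[]  = { 0x04, 0x82, 0xFF, 0xFF, 0x00 };   /* claims 65535 bytes, only 1 follows */

int main(void)
{
    printf("GOOD_SEQ  top-level elements: %d\n", der_count_elements(GOOD_SEQ, sizeof GOOD_SEQ));
    printf("GOOD_SEQ  inner elements:     %d\n", der_count_elements(GOOD_SEQ + 2, 7));
    printf("BAD_SHORT result:             %d\n", der_count_elements(BAD_SHORT, sizeof BAD_SHORT));
    printf("BAD_LONG  result:             %d\n", der_count_elements(BAD_LONG, sizeof BAD_LONG));
    return 0;
}
```

The two malformed samples fail in different branches (short form and long form) but are caught by the same final comparison, which is the reason the commit message insists on checking the simple case too: a decoder that validates only the multi-byte path still lets a one-byte length of up to 127 walk past the end of a short blob.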

Comment 20 Vincent Danen 2009-07-27 23:42:44 UTC
The subsequent fixes noted above do not affect Red Hat Enterprise Linux 5, Fedora 10, and Fedora 11 as the patch to correct the initial issue was pulled from git after these changes were made, and so already has the above-noted fix included.
