Bug 958122 (CVE-2013-2944) - CVE-2013-2944 strongswan: ECDSA signature flaw
Summary: CVE-2013-2944 strongswan: ECDSA signature flaw
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-2944
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 958125
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-04-30 12:45 UTC by Jan Lieskovsky
Modified: 2019-09-29 13:03 UTC (History)
2 users (show)

Fixed In Version: strongSwan-5.0.4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-30 14:04:56 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Novell 815236 0 None None None Never

Description Jan Lieskovsky 2013-04-30 12:45:18 UTC
A security flaw was found in the way OpenSSL plug-in of strongSwan, an open-source IPsec-based VPN solution, performed ECDSA signature verificationin certain cases (empty, zeroed or otherwise invalid signature was treated as valid one previously). A remote attacker could provide a forged signature and / or certificate, leading to their ability to be successfully authenticated as legitimate user for particular service.

References:
[1] https://lists.strongswan.org/pipermail/announce/2013-April/000078.html
[2] http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50

Relevant upstream patch:
[3] http://download.strongswan.org/patches/10_openssl_ecdsa_signature_patch/

Comment 1 Jan Lieskovsky 2013-04-30 12:56:13 UTC
This issue affects the versions of the strongswan package, as shipped with Fedora release of 17 and 18. Please schedule an update.

--

This issue did NOT affect the version of the strongswan package, as shipped with Fedora EPEL-6 as it did not enable the strongSwan OpenSSL plug-in yet.

Comment 2 Jan Lieskovsky 2013-04-30 12:56:52 UTC
Created strongswan tracking bugs for this issue

Affects: fedora-all [bug 958125]

Comment 3 Jan Lieskovsky 2013-04-30 13:54:47 UTC
(In reply to comment #1)
> This issue affects the versions of the strongswan package, as shipped with
> Fedora release of 17 and 18. Please schedule an update.

While the upstream patch would be applicable to those versions, since openssl package in Fedora release of 17 and 18 is not build with ECDSA support, particular affected strongswan code branch is not reachable and therefore strongswan packages in Fedora release of 17 and 18 are NOT affected by this problem. Closing this bug as such.

> 
> --
> 
> This issue did NOT affect the version of the strongswan package, as shipped
> with Fedora EPEL-6 as it did not enable the strongSwan OpenSSL plug-in yet.


Note You need to log in before you can comment on or make changes to this bug.