Bug 1050277 (CVE-2013-6466) - CVE-2013-6466 openswan: dereferencing missing IKEv2 payloads causes pluto daemon to restart
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-6466
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1050322 1050325 1050337 1050340 1058402
Blocks: 1050315
Reported: 2014-01-08 21:44 UTC by Kurt Seifried
Modified: 2021-02-17 07:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-10 20:13:47 UTC
Embargoed:


Attachments
plutodebug=all log (4.14 KB, application/gzip), 2014-02-26 09:56 UTC, Ruslan Bors


Links
Red Hat Product Errata RHSA-2014:0185 (priority normal, status SHIPPED_LIVE): Moderate: openswan security update, last updated 2014-02-18 22:55:46 UTC

Description Kurt Seifried 2014-01-08 21:44:19 UTC
Paul Wouters of Red Hat reports:

The Openswan Project was notified by Iustina Melinte of a vulnerability
regarding dereferencing of non-received IKEv2 payloads. This allows
a malicious non-authenticated remote user to cause a denial of service
in the Openswan IKE daemon that can also cause existing VPN connections
to drop.

Vulnerability information
--------------------------

Iustina Melinte used a custom IKE fuzzer to test Openswan. By withholding
or renumbering certain IKEv2 payloads, the pluto IKE daemon crashes while
trying to dereference a NULL pointer on the presumably received payload.

Note: by default, the use of IKEv2 payloads is set to 'permit', "signifying
no IKEv2 should be transmitted, but will be accepted if the other ends
initiates to us with IKEv2" (man ipsec.conf). Configurations that only
allow IKEv1 payloads (where "ikev2=" is set to 'never' or 'no' in the
ipsec.conf file) are not vulnerable.

Credits
--------

This vulnerability was found by Iustina Melinte.
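As an added illustration of the bug class described above (not openswan's or libreswan's code, and not the actual fix): a minimal IKEv2 payload-chain walker that records which payload types arrived, and an IKE_SA_INIT handler that rejects a message whose mandatory payloads were withheld instead of dereferencing the empty slot. The message bytes and the `demo_missing_nonce` helper are constructed here; the payload type numbers are those of RFC 7296.

```c
/* Added illustration (not openswan/libreswan code) of the bug class: a digest of
 * received IKEv2 payloads indexed by type; type numbers per RFC 7296 section 3.2. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define IKEV2_PT_NONE  0
#define IKEV2_PT_SA    33
#define IKEV2_PT_KE    34
#define IKEV2_PT_NONCE 40
struct payload { const uint8_t *p; size_t len; };  /* p == NULL: not received */
struct msg_digest { struct payload chain[256]; };  /* one slot per payload type */

/* Walk the generic payload headers (Next Payload, C/reserved, Length) after the
 * IKE header; 'first' is the IKE header's Next Payload. 0 ok, -1 malformed. */
int parse_payloads(const uint8_t *buf, size_t len, uint8_t first, struct msg_digest *md)
{
    size_t off = 0;
    uint8_t np = first;
    memset(md, 0, sizeof *md);
    while (np != IKEV2_PT_NONE) {
        if (len - off < 4) return -1;
        uint16_t plen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        if (plen < 4 || plen > len - off) return -1;
        md->chain[np].p = buf + off;
        md->chain[np].len = plen;
        np = buf[off];   /* this header's Next Payload field */
        off += plen;
    }
    return 0;
}

/* IKE_SA_INIT responder: SA, KE and Nonce are mandatory. The crash pattern is
 * md->chain[t].p[...] with no check; here an absent payload rejects the message. */
int process_ike_sa_init(const struct msg_digest *md)
{
    static const uint8_t required[] = { IKEV2_PT_SA, IKEV2_PT_KE, IKEV2_PT_NONCE };
    for (size_t i = 0; i < sizeof required; i++)
        if (md->chain[required[i]].p == NULL) return -1;  /* withheld: reject, no deref */
    return 0;
}

/* Constructed sample: SA -> KE -> end, nonce withheld as a fuzzer might do. */
int demo_missing_nonce(void)
{
    static const uint8_t msg[] = { 34, 0, 0, 8, 1, 2, 3, 4,  /* SA hdr + 4-byte body */
                                    0, 0, 0, 4 };            /* KE hdr, empty body */
    struct msg_digest md;
    if (parse_payloads(msg, sizeof msg, IKEV2_PT_SA, &md) != 0) return -2;
    return process_ike_sa_init(&md);  /* -1: rejected instead of crashing */
}
```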

Comment 4 Vincent Danen 2014-01-27 16:56:52 UTC
External References:

https://libreswan.org/security/CVE-2013-6467/CVE-2013-6467.txt

Comment 5 Vincent Danen 2014-01-27 17:43:06 UTC
Created openswan tracking bugs for this issue:

Affects: fedora-all [bug 1058402]

Comment 6 Paul Wouters 2014-01-27 17:46:24 UTC
We don't ship openswan in Fedora anymore. The packages have been obsoleted by the libreswan packages. We cannot do any more Fedora openswan packages.

Comment 9 Paul Wouters 2014-02-18 15:06:42 UTC
Note that openswan-2.6.40 did not properly fix this issue, as they did not use the backported libreswan patch we provided them. So while openswan 2.6.40 will get a new CVE number for this issue, our packages for errata RHSA-2014:0185 are not vulnerable.

Comment 10 errata-xmlrpc 2014-02-18 17:57:37 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:0185 https://rhn.redhat.com/errata/RHSA-2014-0185.html

Comment 11 Vincent Danen 2014-02-18 21:51:15 UTC
A CVE for upstream openswan will be assigned soon, as this CVE was not fully fixed in the upstream release. The Red Hat packages, however, used the correct patch and thus fully fixed the issue.

Comment 12 Paul Wouters 2014-02-20 16:14:57 UTC
CVE-2014-2037 is assigned to openswan-2.6.41. And to confirm, our release from RHSA-2014:0185 is not vulnerable.

Comment 13 Paul Wouters 2014-02-20 16:18:30 UTC
CVE-2014-2037 is assigned to openswan-2.6.40.

Comment 16 Ruslan Bors 2014-02-26 09:56:13 UTC
Created attachment 867908
plutodebug=all log
