Bug 1581867 (CVE-2018-5388) - CVE-2018-5388 strongswan: integer underflow leads to buffer overflow and denial of service in stroke_socket.c
Summary: CVE-2018-5388 strongswan: integer underflow leads to buffer overflow and deni...
Keywords:
Status: NEW
Alias: CVE-2018-5388
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1581869 1581868 1583761
Blocks: 1581872
TreeView+ depends on / blocked
 
Reported: 2018-05-23 20:00 UTC by Laura Pardo
Modified: 2019-09-29 14:40 UTC (History)
2 users (show)

Fixed In Version: strongswan 5.6.3
Doc Type: If docs needed, set a value
Doc Text:
An integer underflow has been discovered in strongSwan VPN's charon server, which could lead to a buffer overflow and consequent crash. A local attacker, with enough privileges to access the Unix Domain Socket /var/run/charon.ctl, could use this vulnerability to crash the charon server.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Laura Pardo 2018-05-23 20:00:57 UTC
A flaw was found in strongSwan VPN's charon server prior to version 5.6.3. In stroke_socket.c, a missing packet length check could allow a integer underflow, which may lead to resource exhaustion and denial of service while reading from the socket. A remote attacker with local user credentials (possibly a normal user in the vpn group, or root) may be able to overflow the buffer and cause a denial of service.


References:
https://www.kb.cert.org/vuls/id/338343

Patch:
https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=0acd1ab4

Comment 1 Laura Pardo 2018-05-23 20:01:25 UTC
Created strongswan tracking bugs for this issue:

Affects: epel-all [bug 1581869]
Affects: fedora-all [bug 1581868]

Comment 3 Riccardo Schirone 2018-05-29 15:55:39 UTC
The vulnerable code is reachable only through the Unix Domain Socket that handles `stroke` messages. Moreover, it seems the flaw cannot be used in any other way apart from generating a Denial of Service.

Comment 5 Riccardo Schirone 2018-05-29 16:15:35 UTC
Mitigation:

On Red Hat Enterprise Linux 7 only root has access to /var/run/charon.ctl so you need to be already root to exploit the vulnerability.


Note You need to log in before you can comment on or make changes to this bug.