strongSwan - Design by Margo Galas <galas (at) solnet (dot) ch>

Main Sponsors

secunet

secunet

revosec

Hochschule für Technik Rapperswil

strongSwan Denial-of-Service Vulnerability and Potential Authorization Bypass (CVE-2013-6075)

A DoS vulnerability and potential authorization bypass triggered by a crafted ID_DER_ASN1_DN ID payload was discovered in strongSwan. All versions since 4.3.3 are affected.


A crash report from one of our partners lead to the discovery of a DoS vulnerability and potential authorization bypass in strongSwan (CVE-2013-6075). Affected are strongSwan versions 4.3.3 and newer, up to 5.1.0.

The bug can be triggered by a crafted ID_DER_ASN1_DN ID payload and is caused by an insufficient length check when comparing such identities. There are two possible attack vectors targeting this vulnerability.

DoS Attack

A crafted ID payload may be sent to cause memory reads outside the specified boundaries or a NULL dereference. As a result the IKE daemon might crash. As no write operation is performed, it is unlikely that injecting code is possible through this attack.

Authorization Bypass

With a crafted ID payload, an attacker might impersonate a different user and get access to VPN connection profiles it wouldn't have to. This requires, however, that a user gets successfully authenticated with appropriate credentials. It seems quite difficult to construct such an attack, but we can't rule out the possibility at this time.

Fix

The just released strongSwan 5.1.1 fixes this vulnerability. For older releases we provide a patch that fixes the vulnerability in versions 4.3.3 and newer and should apply to all version.