A DoS vulnerability and potential authorization bypass triggered by a crafted ID_DER_ASN1_DN ID payload was discovered in strongSwan. All versions since 4.3.3 are affected.
A crash report from one of our partners led to the discovery of a DoS vulnerability and potential authorization bypass in strongSwan (CVE-2013-6075). Affected are strongSwan versions 4.3.3 and newer, up to 5.1.0.
The bug can be triggered by a crafted ID_DER_ASN1_DN ID payload and is caused by an insufficient length check when comparing such identities. There are two possible attack vectors targeting this vulnerability.
A crafted ID payload may be sent to cause memory reads outside the specified boundaries or a NULL dereference. As a result the IKE daemon might crash. As no write operation is performed, it is unlikely that injecting code is possible through this attack.
With a crafted ID payload, an attacker might impersonate a different user and get access to VPN connection profiles it would not otherwise be entitled to. This requires, however, that the user is first successfully authenticated with appropriate credentials. It seems quite difficult to construct such an attack, but we can't rule out the possibility at this time.
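The kind of check the advisory refers to, shown as an added illustration in C that is not strongSwan's own code: an ID_DER_ASN1_DN comparison that validates the DER envelope and both lengths before any byte is read, so a short or NULL payload is rejected instead of causing an out-of-bounds read. The `struct dn_id`, `dn_well_formed` and `dn_identity_equals` names and the `CN=vpn` sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the body of an ID payload of type ID_DER_ASN1_DN (constructed). */
struct dn_id {
    const unsigned char *ptr;
    size_t len;
};

/* Returns 1 if the buffer holds exactly one DER SEQUENCE whose encoded length
 * matches the bytes actually present, so a later walk over the RDNs cannot run
 * past the end of the buffer. NULL and undersized inputs are rejected here. */
static int dn_well_formed(const struct dn_id *id)
{
    size_t pos = 0, content_len = 0;
    if (id == NULL || id->ptr == NULL || id->len < 2 || id->ptr[pos++] != 0x30)
        return 0;
    unsigned char first = id->ptr[pos++];
    if (first < 0x80) {
        content_len = first;                      /* short-form length */
    } else {
        size_t n = first & 0x7f;                  /* number of length octets */
        if (n == 0 || n > sizeof(size_t) || pos + n > id->len)
            return 0;                             /* indefinite or oversized */
        for (size_t i = 0; i < n; i++)
            content_len = (content_len << 8) | id->ptr[pos++];
    }
    return content_len == id->len - pos;
}

/* Compare two DN identities; every check happens before memcmp touches data. */
int dn_identity_equals(const struct dn_id *a, const struct dn_id *b)
{
    if (!dn_well_formed(a) || !dn_well_formed(b) || a->len != b->len)
        return 0;
    return memcmp(a->ptr, b->ptr, a->len) == 0;
}

/* Constructed sample: the DN "CN=vpn" as DER (SEQUENCE { SET { SEQUENCE { OID
 * 2.5.4.3, PrintableString "vpn" } } }), 16 bytes in total. */
static const unsigned char SAMPLE_DN[] = {
    0x30, 0x0e, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03,
    0x55, 0x04, 0x03, 0x13, 0x03, 0x76, 0x70, 0x6e
};

/* Self-checks: the sample matches itself (1); a truncated copy whose outer
 * length claims more bytes than are present (0); a NULL payload (0). */
int check_sample_equal(void)
{ struct dn_id a = { SAMPLE_DN, sizeof SAMPLE_DN }; return dn_identity_equals(&a, &a); }
int check_truncated_rejected(void)
{ struct dn_id a = { SAMPLE_DN, sizeof SAMPLE_DN }, t = { SAMPLE_DN, 12 }; return dn_identity_equals(&a, &t); }
int check_null_rejected(void)
{ struct dn_id a = { SAMPLE_DN, sizeof SAMPLE_DN }, n = { NULL, 0 }; return dn_identity_equals(&a, &n); }
```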