strongSwan - Design by Margo Galas <galas (at) solnet (dot) ch>

Main Sponsors

secunet

secunet

revosec

Hochschule für Technik Rapperswil

strongSwan Denial-of-Service Vulnerability (CVE-2014-9221)

A DoS vulnerability triggered by an IKEv2 Key Exchange payload containing DH group 1025 was discovered in strongSwan. All versions since 4.5.0 are affected.


One of our users privately reported a denial-of-service vulnerability in strongSwan. Affected are strongSwan versions 4.5.0 and newer, up to 5.2.1.

CVE-2014-9221 has been assigned for this vulnerability.

The bug can be triggered by an IKEv2 Key Exchange (KE) payload that contains the Diffie-Hellman (DH) group 1025. This identifier is from the private-use range and only used internally by libtls for DH groups with custom generator and prime (MODP_CUSTOM). As such the instantiated DH implementation expects that these two values are passed to the constructor. This is not the case when a DH object is created based on the group in the KE payload. Therefore, an invalid pointer is dereferenced later, which causes a segmentation fault. This means that the IKE daemon can be crashed with a single IKE_SA_INIT message containing such a KE payload.

Remote code execution is not possible due to this issue, nor is IKEv1 affected in charon or pluto.

Many thanks to Mike Daskalakis for reporting the issue responsibly.

Fix

The just released strongSwan 5.2.2 fixes this vulnerability. For older releases we provide patches that fix the vulnerability and should apply with appropriate hunk offsets.