strongSwan - Design by Margo Galas <galas (at) solnet (dot) ch>

Main Sponsors

secunet

secunet

revosec

Hochschule für Technik Rapperswil

strongSwan Vulnerability (CVE-2017-9023)

A denial-of-service vulnerability in the x509 plugin was discovered in strongSwan. All versions are affected.


We recently started fuzzing some of our plugins using Google's OSS-Fuzz infrastructure. Among the bugs that were discovered two may lead to  denial-of-service attacks. The one described in this article affects the ASN.1 parser in combination with the x509 plugin, the other the gmp plugin (described in a separate article).

Incorrect Handling of CHOICE types in ASN.1 parser and x509 plugin

ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when parsing X.509 certificates with extensions that use such types. This
could lead to infinite looping of the thread parsing a specifically crafted certificate. Affected are all strongSwan versions up to and including 5.5.2.

CVE-2017-9023 has been assigned for this vulnerability.

Several extensions in X.509 certificates use CHOICE types to allow exactly one of several possible sub-elements. An extension that's defined like this, which strongSwan always supported, is CRLDistributionPoints, where the optional distributionPoint is defined
as follows:

DistributionPointName ::= CHOICE {
        fullName                [0]     GeneralNames,
        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }

So it may either be a GeneralName or an RelativeDistinguishedName but not both and one of them must be present if there is a distributionPoint. So far the x509 plugin and ASN.1 parser treated the choices simply as optional elements inside of a loop, without enforcing that exactly one of them was parsed (or that any of them were matched). This lead to the issue that if none of the options were found the parser was stuck in an infinite loop. Other extensions that are affected are ipAddrBlocks (supported since 4.3.6) and CertificatePolicies (since 4.5.1).

A very similar issue, for which no separate CVE is assigned, affects the nameConstraints extension (supported since 4.5.1), where the x509 plugin incorrectly defined a parsing rule with a loop, where there was none defined, so that invalid data could lead to an infinite loop.

Remote code execution is not possible due to these issues.

Credit to OSS-Fuzz for finding this vulnerability, and to Sven Defatsch for setting up the integration and creating the fuzz target.

Fix

Installations that don't have the x509 plugin enabled and loaded are not vulnerable.

The just released strongSwan 5.5.3 fixes this vulnerability. For older releases we provide patches that fix the vulnerability in the respective versions and should apply with appropriate hunk offsets (please note that patches for versions < 4.4.0 are not provided).