Release and vulnerability announcements for strongSwan

strongSwan 5.6.3 Released

We are happy to announce the release of strongSwan 5.6.3, which improves certificate chain validation, updates the DHCP plugin, allows forcing the local termination of IKE_SAs, supports trap policies with virtual IPs, and fixes two potential DoS vulnerabilities and several other issues.

Denial-of-Service Vulnerability in the IKEv2 key derivation (CVE-2018-10811)

A denial-of-service vulnerability in the IKEv2 key derivation was fixed. It is triggered if the openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated as PRF (which is not FIPS-compliant), so it should only affect very specific setups, but in such configurations all strongSwan versions since 5.0.1 may be affected.

More information is provided in a separate blog entry.

Denial-of-Service Vulnerability in the stroke plugin (CVE-2018-5388)

A denial-of-service vulnerability in the stroke plugin was fixed. When reading a message from the socket, the plugin did not check the received length. Unless a group is configured, root privileges are required to access that socket, so in the default configuration this shouldn't be an issue, but all strongSwan versions may be affected.

More information is provided in a separate blog entry.

Certificate Chain Validation Fixes

Several issues affecting strongSwan's certificate chain validation were fixed in response to findings by BSI's Certification Path Validation Test Tool (CPT).

CRLs that are not yet valid are now ignored. This avoids problems in scenarios where expired certificates are removed from new CRLs and the clock on the host doing the revocation check trails behind that of the host issuing the CRLs: a revoked certificate that has already expired according to the issuer's clock, but is still valid according to the trailing clock, would otherwise be accepted because it is no longer listed in the not yet valid CRLs.

CRL validation results other than revocation (e.g. a skipped check because the CRL couldn't be fetched) are now stored also for intermediate CA certificates and not only for end-entity certificates, so a strict CRL policy can be enforced in such cases.

Also added is a check that makes sure the issuer of fetched CRLs matches that of the checked certificate (this issue wasn't reported by the CPT).
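As an added illustration (not strongSwan's own code), here is a small C model of the two CRL checks described above, the skipping of not yet valid CRLs and the issuer match, run against a constructed clock-skew scenario; the types, function names and CA names are hypothetical.

```c
#include <stdbool.h>
#include <string.h>

/* Outcome of a CRL-based revocation check. */
enum crl_status { CRL_GOOD, CRL_REVOKED, CRL_SKIPPED };

/* Minimal models of a certificate and a CRL (hypothetical, not strongSwan's types);
 * timestamps are plain seconds. */
typedef struct { const char *issuer; long serial; long not_after; } cert_t;
typedef struct { const char *issuer; long this_update; const long *revoked; int count; } crl_t;

/* Pick the newest usable CRL for 'cert' and look its serial up. A CRL is usable
 * if its issuer matches the certificate's issuer (the added issuer check) and,
 * with skip_future set, it is already valid on the local clock (the CRL fix). */
static enum crl_status check_revocation(const cert_t *cert, const crl_t *crls,
                                        int n, long now, bool skip_future)
{
    const crl_t *best = NULL;
    for (int i = 0; i < n; i++) {
        const crl_t *crl = &crls[i];
        if (strcmp(crl->issuer, cert->issuer) != 0)
            continue;                 /* wrong issuer: says nothing about cert */
        if (skip_future && crl->this_update > now)
            continue;                 /* not yet valid here: ignore it */
        if (!best || crl->this_update > best->this_update)
            best = crl;               /* newest CRL replaces older ones */
    }
    if (!best)
        return CRL_SKIPPED;           /* no usable CRL: strict policy can reject */
    for (int j = 0; j < best->count; j++)
        if (best->revoked[j] == cert->serial)
            return CRL_REVOKED;
    return CRL_GOOD;
}

/* Constructed scenario: the CA's clock runs ahead of ours. Serial 42 was revoked,
 * has expired by the CA's clock and was dropped from the newest CRL, yet by our
 * trailing clock the certificate is still valid for ten more minutes. */
static enum crl_status skew_scenario(bool skip_future)
{
    static const long old_list[] = { 42 };
    const long now = 1000000;         /* our clock */
    const crl_t crls[] = {
        { "CN=Example CA", now - 7200, old_list, 1 }, /* older CRL still lists 42 */
        { "CN=Example CA", now + 1800, NULL, 0 },     /* newest CRL, in our future */
        { "CN=Other CA",   now - 60,   NULL, 0 },     /* wrong issuer, must be ignored */
    };
    const cert_t cert = { "CN=Example CA", 42, now + 600 };
    return check_revocation(&cert, crls, 3, now, skip_future);
}
```

Without the fix the newest CRL is trusted and the revoked certificate passes; with it the older, still valid CRL is used and the revocation is found.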

In compliance with RFC 4945, section, certificates used for IKE must now either not contain a keyUsage extension (like the ones generated by pki), or have at least one of the digitalSignature or nonRepudiation bits set.

DHCP Plugin Improvements

The dhcp plugin now only sends the client identifier DHCP option if the identity_lease setting is enabled, because DHCP servers often treat the option the same way as a MAC address based on the client's identity.

The plugin can also send client identities of up to 255 bytes in length, instead of the previous 64 bytes, which should improve the behavior if clients use their certificate's subject DN as identity.

Also, if a server address is configured, DHCP requests are now sent from port 67 instead of 68 to avoid ICMP port unreachable messages.

Options to Force Local Termination of IKE_SAs

New options for vici and swanctl allow forcing the local termination of an IKE_SA. This might be useful in situations where it's known the other end is not reachable anymore, or that it already removed the IKE_SA, so retransmitting a DELETE and waiting for a response would be pointless.

Waiting only a certain amount of time for a response (i.e. shorter than all retransmits would be) before destroying the IKE_SA is also possible by additionally specifying a timeout in the forced termination request.

Using Trap Policies with Virtual IPs on Linux

When removing routes, the kernel-netlink plugin now checks if it tracks other routes for the same destination and replaces the installed route instead of just removing it. The same applies during installation, where existing routes previously weren't replaced. This should allow using traps with virtual IPs on Linux.

Other Notable Features and Fixes
