Openswan: buffer overflow of atodn
Synthesis of the vulnerability
When Opportunistic Encryption is enabled ("oe=yes"), an attacker can generate a buffer overflow in Openswan, in order to trigger a denial of service, and possibly to execute code.
Vulnerable products: Debian, Openswan, RHEL, SLES.
Severity of this weakness: 2/4.
Consequences of an attack: user access/rights.
Hacker's origin: intranet client.
Creation date: 15/05/2013.
References of this bulletin: BID-59838, CVE-2013-2053, DSA-2893-1, MDVSA-2013:231, RHSA-2013:0827-01, SUSE-SU-2013:1150-1, VIGILANCE-VUL-12828.
Description of the vulnerability
When Opportunistic Encryption is enabled ("oe=yes"), the IKE pluto daemon queries DNS TXT records, in order to obtain public keys.
These records contain the name of the IPsec gateway. This name is passed to the atoid() function, and from there to atodn(). However, the atodn() function stores the name in an array of three bytes, so a longer name overflows it.
In order to exploit this vulnerability, the attacker must request a connection to an IP address for which he can spoof the reverse DNS TXT reply.
An attacker can therefore generate a buffer overflow in Openswan, in order to trigger a denial of service, and possibly to execute code.
This vulnerability has the same origin as VIGILANCE-VUL-12827 and VIGILANCE-VUL-12829.
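The copy pattern the bulletin describes, beside a bounded replacement, as an added illustration that is not Openswan's code: the three-byte destination mirrors the description, while the function names, the size parameter and the helper are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not Openswan's source. The bulletin states that
 * atodn() stores the gateway name from a DNS TXT record in a three-byte
 * array; everything else here (names, signatures) is hypothetical. */
#define DN_BUF_LEN 3

/* The pattern the bulletin describes: the destination size is never
 * consulted, so any name of DN_BUF_LEN or more characters writes past dn[]. */
void atodn_unbounded(const char *name, char dn[DN_BUF_LEN]) {
    strcpy(dn, name);           /* overflow when strlen(name) >= DN_BUF_LEN */
}

/* Bounded form: the caller passes the real capacity, and a name that does
 * not fit (with its terminator) is rejected instead of written.
 * Returns 0 on success, -1 on empty or overlong input. */
int atodn_bounded(const char *name, char *dn, size_t dn_len) {
    size_t n = strlen(name);
    if (dn_len == 0 || n == 0 || n >= dn_len)
        return -1;              /* would not fit, refuse rather than truncate */
    memcpy(dn, name, n + 1);    /* copies the terminating NUL as well */
    return 0;
}

/* Check a TXT-record gateway name against the documented buffer size before
 * it reaches the parser. Returns 1 if it fits, 0 if it would overflow. */
int gateway_name_fits(const char *name) {
    char dn[DN_BUF_LEN];
    return atodn_bounded(name, dn, sizeof dn) == 0;
}
```

With a three-byte buffer only names of at most two characters pass, which is the point: the fixed array is far too small for any real host name, and the bounded check surfaces that as an error instead of memory corruption.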