The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Openswan: buffer overflow of atodn

Synthesis of the vulnerability

When Opportunistic Encryption is enabled ("oe=yes"), an attacker can generate a buffer overflow in Openswan, in order to trigger a denial of service, and possibly to execute code.
Severity of this weakness: 2/4.
Creation date: 15/05/2013.
References of this bulletin: BID-59838, CVE-2013-2053, DSA-2893-1, MDVSA-2013:231, RHSA-2013:0827-01, SUSE-SU-2013:1150-1, VIGILANCE-VUL-12828.

Description of the vulnerability

When Opportunistic Encryption is enabled ("oe=yes"), the IKE pluto daemon queries DNS TXT records, in order to obtain public keys.

These records contain the name of the IPsec gateway. This name is passed to the atoid() function, then to atodn(). However, the atodn() function stores the name in an array of three bytes, so a longer name overflows it.

In order to exploit this vulnerability, the attacker has to request a connection to an IP address for which he can spoof the reverse DNS TXT reply.

An attacker can therefore generate a buffer overflow in Openswan, in order to trigger a denial of service, and possibly to execute code.

This vulnerability has the same origin as VIGILANCE-VUL-12827 and VIGILANCE-VUL-12829.
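The defect described above is a fixed-size destination receiving a name of attacker-controlled length. The following C snippet is an added, illustrative example (not Openswan's atodn() or any other code from the project): a bounded copy into a small array, with the unsafe pattern shown only in the comment, that rejects names that do not fit instead of overrunning the buffer. The buffer size, function names and sample names are assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed, illustrative destination size standing in for the small array
 * the advisory describes; not the real layout of Openswan's atodn(). */
#define DN_BUF_LEN 3

/*
 * Unsafe pattern (do not use): copying the full DNS-derived name into a
 * fixed array without comparing its length to the array size, e.g.
 *     memcpy(dst, src, srclen);   // srclen may exceed sizeof dst
 * A name longer than the array overwrites adjacent memory.
 */

/* Hardened form: copy only when the name and its NUL terminator fit.
 * Returns 0 on success, -1 when the input is rejected. */
int copy_dn_checked(const char *src, size_t srclen, char *dst, size_t dstlen)
{
    if (src == NULL || dst == NULL || dstlen == 0)
        return -1;
    if (srclen >= dstlen)       /* no room for the name plus NUL */
        return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Returns 1 if `name` is accepted into a DN_BUF_LEN-byte buffer, else 0. */
int dn_fits(const char *name)
{
    char buf[DN_BUF_LEN];
    return copy_dn_checked(name, strlen(name), buf, sizeof buf) == 0;
}

int main(void)
{
    /* Constructed sample names, not taken from any real DNS record. */
    const char *names[] = { "gw", "abc", "gateway.example" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s -> %s\n", names[i],
               dn_fits(names[i]) ? "accepted" : "rejected (too long)");
    return 0;
}
```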

This threat bulletin impacts software or systems such as Debian, Openswan, RHEL, SLES.

Our Vigil@nce team determined that the severity of this computer threat bulletin is medium.

The trust level is confirmed by the editor; the attack origin is an intranet client.

An attacker with expert ability can exploit this computer threat.

Solutions for this threat

Openswan: version 2.6.39.
The version 2.6.39 is fixed:
  http://download.openswan.org/openswan/openswan-2.6.39.tar.gz

Openswan: patch for atodn.
A patch is available:
  http://libreswan.org/security/CVE-2013-2053/

Openswan: workaround for atodn.
A workaround is to disable Opportunistic Encryption in ipsec.conf with "oe=no".

Debian: new openswan packages.
New packages are available:
  Debian 6: openswan 2.6.28+dfsg-5+squeeze2
  Debian 7: openswan 2.6.37-3.1

Mandriva: new openswan packages.
New packages are available:
  openswan-2.6.16-1.1mdvmes5.2

RHEL: new openswan packages.
New packages are available:
  openswan-2.6.32-5.el5_9
  openswan-2.6.32-20.el6_4

SUSE LE: new openswan packages.
New packages are available:
  SUSE LE 11 SP2 : openswan-2.6.16-1.38.1
  SUSE LE 10 SP4 : openswan-2.4.4-18.21.1
