The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Openswan: buffer overflow of client via XAUTH Cisco

Synthesis of the vulnerability

An attacker can invite the victim to connect to a malicious gateway with XAUTH Cisco, in order to execute code on the victim's computer.
Severity of this announcement: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 28/09/2010.
References of this computer vulnerability: BID-43588, CVE-2010-3302, CVE-2010-3308, CVE-2010-3752, CVE-2010-3753, FEDORA-2010-15381, FEDORA-2010-15508, FEDORA-2010-15516, RHSA-2010:0892-01, VIGILANCE-VUL-9979.

Description of the vulnerability

The Openswan client can be configured to connect to a Cisco-compatible gateway with XAUTH. The configuration then contains "*xauthclient=yes" and "remote_peer_type=cisco". In this configuration, the Openswan client is impacted by two vulnerabilities.

The gateway can send long cisco_dns_info and cisco_domain_info fields, in order to trigger a buffer overflow in the Openswan client. [severity:3/4; CVE-2010-3302, CVE-2010-3752]

The gateway can send a long cisco_banner field, in order to trigger a buffer overflow in the Openswan client. [severity:3/4; CVE-2010-3308, CVE-2010-3753]

An attacker can therefore invite the victim to connect to a malicious gateway with XAUTH Cisco, in order to execute code on the victim's computer.
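To find out whether a host uses the affected configuration, the following added example (not part of the bulletin and not Openswan code) scans ipsec.conf-style text for connections that combine an XAUTH client setting with remote_peer_type=cisco, and checks an upstream version string against 2.6.29. The sample configuration and the function names are constructed for illustration; "also=" includes are not followed.

```python
import re
FIXED_UPSTREAM = (2, 6, 29)  # corrected upstream release named in the bulletin

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
config setup
    protostack=netkey
conn office-vpn
    leftxauthclient=yes
    right=192.0.2.10
    remote_peer_type=cisco
conn site-to-site
    right=198.51.100.7
    authby=secret
"""

def parse_conns(text):  # -> {conn_name: {option: value}} for each "conn" section
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header: "conn NAME", "config setup"
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"').lower()
    return conns

def exposed_conns(text):  # conns enabling an XAUTH client against a Cisco-type peer
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})  # options inherited by every conn
    hits = []
    for name, opts in conns.items():
        eff = {**defaults, **opts}
        xauth = any(k.endswith("xauthclient") and v == "yes" for k, v in eff.items())
        if xauth and eff.get("remote_peer_type") == "cisco":
            hits.append(name)
    return sorted(hits)

def upstream_is_fixed(version):
    """True if an upstream version string is >= 2.6.29. Distribution packages
    can backport the fix (RHEL: 2.6.24-8.el6_0.1), so compare those by package."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return bool(m) and tuple(map(int, m.groups())) >= FIXED_UPSTREAM

if __name__ == "__main__":
    print(exposed_conns(SAMPLE))
```

A connection reported by exposed_conns on a host running an uncorrected build is the combination the bulletin describes; connections without both settings are not in scope of these two vulnerabilities.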

This computer vulnerability alert impacts software or systems such as Fedora, Openswan, RHEL.

Our Vigil@nce team determined that the severity of this computer threat alert is important.

The trust level is "confirmed by the editor", and the origin of the attack is "intranet client".

This bulletin is about 2 vulnerabilities.

An attacker with expert ability can exploit this security vulnerability.

Solutions for this threat

Openswan: version 2.6.29.
Version 2.6.29 is corrected:
  http://www.openswan.org/download/openswan-2.6.29.tar.gz

Fedora: new openswan packages.
New packages are available:
  openswan-2.6.29-1.fc12
  openswan-2.6.29-1.fc13
  openswan-2.6.29-1.fc14

RHEL 6.0: new openswan packages.
New packages are available:
  openswan-2.6.24-8.el6_0.1