|The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.|
Openswan: denial of service via Crypto Helper
Synthesis of the vulnerability
When Openswan uses a Crypto Helper, a remote attacker can interrupt an IKE session, in order to stop the pluto daemon.
Vulnerable products: Debian, Fedora, Openswan, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity of this weakness: 2/4.
Consequences of an attack: denial of service on service.
Hacker's origin: internet client.
Creation date: 02/11/2011.
Références of this bulletin: BID-50440, CVE-2011-4073, DSA-2374-1, FEDORA-2011-15077, FEDORA-2011-15127, FEDORA-2011-15196, MDVSA-2013:231, RHSA-2011:1422-01, SUSE-SU-2011:1310-1, SUSE-SU-2011:1311-1, VIGILANCE-VUL-11112.
Description of the vulnerability
The pluto IKE daemon of Openswan can be configured with Crypto Helpers, which do cryptographic tasks in distinct processes, so the daemon is not slowed down.
A client can connect to the daemon and do an ISAKMP Phase 1 authentication. The phase 2 is then done by a Crypto Helper. However, if the client interrupts his session, the results of the Crypto Helper uses the qke_continuation pointer which points to a recently freed memory area. The memory is thus corrupted by the result of the Crypto Helper.
When Openswan uses a Crypto Helper, a remote attacker can therefore interrupt an IKE session, in order to stop the pluto daemon.
Full Vigil@nce bulletin... (Free trial)
Computer vulnerabilities tracking service
Vigil@nce provides a computer vulnerability database. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The technology watch team tracks security threats targeting the computer system. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.