The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Openswan: denial of service via Crypto Helper

Synthesis of the vulnerability

When Openswan uses a Crypto Helper, a remote attacker can interrupt an IKE session, in order to stop the pluto daemon.
Severity of this weakness: 2/4.
Creation date: 02/11/2011.
References of this bulletin: BID-50440, CVE-2011-4073, DSA-2374-1, FEDORA-2011-15077, FEDORA-2011-15127, FEDORA-2011-15196, MDVSA-2013:231, RHSA-2011:1422-01, SUSE-SU-2011:1310-1, SUSE-SU-2011:1311-1, VIGILANCE-VUL-11112.

Description of the vulnerability

The pluto IKE daemon of Openswan can be configured with Crypto Helpers, which perform cryptographic operations in separate processes so that the daemon itself is not blocked.

A client can connect to the daemon and perform an ISAKMP Phase 1 authentication. Phase 2 is then handled by a Crypto Helper. However, if the client interrupts its session, the Crypto Helper's result is delivered through the qke_continuation pointer, which points to a recently freed memory area. That memory is thus corrupted by the result of the Crypto Helper.

When Openswan uses a Crypto Helper, a remote attacker can therefore interrupt an IKE session, in order to stop the pluto daemon.
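The use-after-free described above, modelled in C as an added example (this is not Openswan code; the struct and function names are invented). The session teardown detaches every outstanding helper continuation before freeing the state, so a result that arrives late is dropped instead of being written through a dangling pointer:

```c
#include <stdlib.h>
/* Constructed model of an IKE state object and the continuation handed to a
 * crypto helper. Illustration only, not Openswan code; all names are made up. */
struct qke_cont {
    struct ike_state *st;      /* requesting state; NULL once that state is gone */
    struct qke_cont *next;     /* the state's list of outstanding helper jobs */
};
struct ike_state {
    int ke_result;             /* where the helper result is delivered */
    struct qke_cont *pending;  /* continuations a helper still holds */
};
/* Queue a job for the helper and remember its continuation on the owner. */
struct qke_cont *submit_ke(struct ike_state *st) {
    struct qke_cont *c = calloc(1, sizeof *c);
    c->st = st;
    c->next = st->pending;
    st->pending = c;
    return c;
}

/* Session torn down (client interrupted it): detach outstanding continuations
 * before freeing. The vulnerable pattern skips this loop, so the helper's
 * result is later written through a pointer into freed memory. */
void delete_state(struct ike_state *st) {
    for (struct qke_cont *c = st->pending; c; c = c->next)
        c->st = NULL;
    free(st);
}

/* Helper result arrives. Returns 1 if delivered, 0 if the owner is gone. */
int ke_continuation(struct qke_cont *c, int result) {
    int delivered = 0;
    if (c->st) {
        c->st->ke_result = result;
        /* unlink so a later delete_state never walks over freed memory */
        struct qke_cont **pp = &c->st->pending;
        while (*pp && *pp != c) pp = &(*pp)->next;
        if (*pp) *pp = c->next;
        delivered = 1;
    }
    free(c);
    return delivered;
}
/* The bulletin's scenario: job outstanding, session dropped, result late. */
int interrupted_session(void) {
    struct ike_state *st = calloc(1, sizeof *st);
    struct qke_cont *c = submit_ke(st);
    delete_state(st);
    return ke_continuation(c, 7);   /* 0: result dropped, no write to freed st */
}
```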

This threat bulletin impacts software or systems such as Debian, Fedora, Openswan, RHEL, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team determined that the severity of this computer threat bulletin is medium.

The trust level is "confirmed by the editor", and the origin of the attack is an internet client.

An attacker with expert ability can exploit this computer threat.

Solutions for this threat

Openswan: version 2.6.37.
The version 2.6.37 is corrected:
  http://www.openswan.org/download/openswan-2.6.37.tar.gz

Openswan: patch for Crypto Helper.
A patch is available in information sources.

Openswan: workaround for Crypto Helper.
A workaround is to disable the Crypto Helpers in ipsec.conf:
  config setup
    nhelpers=0

Debian: new openswan packages.
New packages are available:
  openswan 1:2.4.12+dfsg-1.3+lenny4
  openswan 1:2.6.28+dfsg-5+squeeze1

Fedora: new openswan packages.
New packages are available:
  openswan-2.6.33-3.fc14
  openswan-2.6.37-1.fc15
  openswan-2.6.37-1.fc16

Mandriva: new openswan packages.
New packages are available:
  openswan-2.6.16-1.1mdvmes5.2

RHEL 5, 6: new openswan packages.
New packages are available:
  openswan-2.6.21-5.el5_7.6
  openswan-2.6.32-4.el6_1.4

SUSE LE: new openswan packages.
New packages are available:
  SUSE Linux Enterprise Server 10 SP4 : openswan-2.4.4-18.19.1
  SUSE Linux Enterprise Server 11 SP1 : openswan-2.6.16-1.36.1

Computer vulnerabilities tracking service

Vigil@nce provides a system vulnerability bulletin. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.