Mandriva Linux Security Advisory 2013-231 - Multiple vulnerabilities has been discovered and corrected in openswan. The IPSEC livetest tool in Openswan 2.4.12 and earlier, and 2.6.x through 2.6.16, allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the in many distributions and the upstream version, this tool has been disabled. The pluto IKE daemon in Openswan and Strongswan IPsec 2.6 before 2.6.21 and 2.4 before 2.4.14, and Strongswan 4.2 before 4.2.14 and 2.8 before 2.8.9, allows remote attackers to cause a denial of service (daemon crash and restart) via a crafted R_U_THERE_ACK Dead Peer Detection IPsec IKE Notification message that triggers a NULL pointer dereference related to inconsistent ISAKMP state and the lack of a phase2 state association in DPD. Various other issues have also been addressed.
0f0c4fba4c575d9921bf3f0995946218-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2013:231
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : openswan
Date : September 12, 2013
Affected: Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been discovered and corrected in openswan:
The IPSEC livetest tool in Openswan 2.4.12 and earlier, and
2.6.x through 2.6.16, allows local users to overwrite arbitrary
files and execute arbitrary code via a symlink attack on the (1)
ipseclive.conn and (2) ipsec.olts.remote.log temporary files. NOTE:
in many distributions and the upstream version, this tool has been
disabled (CVE-2008-4190).
The pluto IKE daemon in Openswan and Strongswan IPsec 2.6 before 2.6.21
and 2.4 before 2.4.14, and Strongswan 4.2 before 4.2.14 and 2.8 before
2.8.9, allows remote attackers to cause a denial of service (daemon
crash and restart) via a crafted (1) R_U_THERE or (2) R_U_THERE_ACK
Dead Peer Detection (DPD) IPsec IKE Notification message that triggers
a NULL pointer dereference related to inconsistent ISAKMP state and
the lack of a phase2 state association in DPD (CVE-2009-0790).
The ASN.1 parser (pluto/asn1.c, libstrongswan/asn1/asn1.c,
libstrongswan/asn1/asn1_parser.c) in (a) strongSwan 2.8 before 2.8.10,
4.2 before 4.2.16, and 4.3 before 4.3.2; and (b) openSwan 2.6 before
2.6.22 and 2.4 before 2.4.15 allows remote attackers to cause a denial
of service (pluto IKE daemon crash) via an X.509 certificate with (1)
crafted Relative Distinguished Names (RDNs), (2) a crafted UTCTIME
string, or (3) a crafted GENERALIZEDTIME string (CVE-2009-2185).
Use-after-free vulnerability in the cryptographic helper handler
functionality in Openswan 2.3.0 through 2.6.36 allows remote
authenticated users to cause a denial of service (pluto IKE daemon
crash) via vectors related to the (1) quick_outI1_continue and (2)
quick_outI1 functions (CVE-2011-4073).
Buffer overflow in the atodn function in Openswan before 2.6.39,
when Opportunistic Encryption is enabled and an RSA key is being
used, allows remote attackers to cause a denial of service (pluto IKE
daemon crash) and possibly execute arbitrary code via crafted DNS TXT
records. NOTE: this might be the same vulnerability as CVE-2013-2052
and CVE-2013-2054 (CVE-2013-2053).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4073
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2053
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
2596b7d865d78472fe5b88657f79731e mes5/i586/openswan-2.6.16-1.1mdvmes5.2.i586.rpm
631e3fb722ca66a7abf7931632977459 mes5/i586/openswan-doc-2.6.16-1.1mdvmes5.2.i586.rpm
77873db1e0ff1bad0873896bb98bbaea mes5/SRPMS/openswan-2.6.16-1.1mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
9f41766ae39be4d95ad267ac4c9f76dd mes5/x86_64/openswan-2.6.16-1.1mdvmes5.2.x86_64.rpm
788a2afca1e8cc38ca7eb9e1c146c573 mes5/x86_64/openswan-doc-2.6.16-1.1mdvmes5.2.x86_64.rpm
77873db1e0ff1bad0873896bb98bbaea mes5/SRPMS/openswan-2.6.16-1.1mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFSMXa3mqjQ0CJFipgRArf7AKDRd3G09pBWMkDmXQBVLsIyICg4TACfYdkC
8X4IyuSYdIn4Q688lB08ZMs=
=LfBS
-----END PGP SIGNATURE-----
© 2015 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!