[Announce] ANNOUNCE: strongswan-2.7.2 fixes potential DoS vulnerability

Andreas Steffen andreas.steffen at strongswan.org
Thu Jun 22 20:02:49 CEST 2006


Description of vulnerability:
----------------------------

The mixed PSK/RSA roadwarrior detection capability introduced by the
strongswan-2.7.0 release necessitated the pre-parsing of the IKE
proposal payloads by the responder right before any defined IKE Main
Mode state had been established. Although any form of bad proposal
syntax was being correctly detected by the payload parser, the
subsequent error handler didn't check the state pointer before logging
current state information, thus causing an immediate crash of the pluto
keying daemon due to a NULL pointer.

Action:
------

If you are using strongSwan versions 2.7.0 or 2.7.1, then I strongly
urge you to update to the 2.7.2 release which fixes this vulnerability
to malformed proposal payloads that could otherwise be potentially
exploited by Denial-of-Service attacks.

strongswan-2.7.2 can be downloaded from

  http://www.strongswan.org/

As an alternative you can apply the attached patch to 2.7.0 or 2.7.1.

Kind regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute of Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
--- strongswan-2.7.1/programs/pluto/demux.c	2005-02-18 22:08:59.000000000 +0100
+++ strongswan/programs/pluto/demux.c	2006-06-22 13:58:25.000000000 +0200
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: demux.c,v 1.13 2005/02/18 21:08:59 as Exp $
+ * RCSID $Id: demux.c,v 1.14 2006/06/22 11:58:25 as Exp $
  */
 
 /* Ordering Constraints on Payloads
@@ -2397,7 +2397,8 @@
 	     * whatever retrying was in place, remains in place.
 	     */
 	    whack_log(RC_NOTIFICATION + md->note
-		, "%s: %s", enum_name(&state_names, st->st_state)
+		, "%s: %s"
+		, enum_name(&state_names, (st == NULL)? STATE_MAIN_R0:st->st_state)
 		, enum_name(&notification_names, md->note));
 
 	    SEND_NOTIFICATION(md->note);
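Review bot: the null-guarded ternary on the `enum_name(&state_names, ...)` argument is the right minimal fix, since `st` is NULL when a malformed proposal is rejected before any Main Mode state exists, which is the crash the announcement describes. Two small points: substituting STATE_MAIN_R0 makes the notification line read as if a responder state had already been created, so a short comment at the ternary (or a distinct label such as "no state") would keep the log from misleading whoever reads it later; and the spacing `(st == NULL)? STATE_MAIN_R0:st->st_state` differs from the surrounding code, `(st == NULL) ? STATE_MAIN_R0 : st->st_state` matches it. Since only the `whack_log` argument is guarded in this hunk, it is worth confirming that no other `st` dereference remains on the same error path.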
