[Announce] DoS vulnerabilities in strongSwan ASN.1 parser

Andreas Steffen andreas.steffen at strongswan.org
Mon Jun 22 10:21:48 CEST 2009


Hello,

applying their fuzzing tool, the Orange Labs vulnerability research team
found another two DoS vulnerabilities, one in the rather old ASN.1
parser of Relative Distinguished Names (RDNs) and a second one in the
conversion of ASN.1 UTCTIME and GENERALIZEDTIME strings. Thus malformed
X.509 certificate RDNs or time strings can cause the IKE pluto and
charon daemons to crash and restart.

Patches for all strongSwan versions are available under the links:

  http://download.strongswan.org/patches/05_asn1_rdn_patch/

  http://download.strongswan.org/patches/06_asn1_time_patch/

These vulnerabilities have been fixed in the following releases:

  strongswan-4.3.2, strongswan-4.2.16, and strongswan-2.8.10

Best regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==


More information about the Announce mailing list