Vigil@nce - Openswan: denial of service via KEY_LENGTH
October 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send an ISAKMP message with an invalid KEY_LENGTH
attribute, in order to restart Openswan.
Severity: 2/4
Creation date: 05/10/2011
IMPACTED PRODUCTS
– Fedora
– Openswan
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
The Openswan IKE Pluto daemon manages ISAKMP messages, which can
be received from IP addresses allowed in the policy.
When an ISAKMP message contains an invalid KEY_LENGTH attribute,
the ike_alg_enc_ok() function of file programs/pluto/ike_alg.c
detects the error, and then stores an error message at the address
indicated by the "errp" pointer.
However, the parse_isakmp_sa_body() function uses a NULL "errp"
pointer. The ike_alg_enc_ok() function then dereferences this NULL
pointer, which stops the daemon.
An attacker can therefore send an ISAKMP message with an invalid
KEY_LENGTH attribute, in order to restart Openswan.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Openswan-denial-of-service-via-KEY-LENGTH-11038