Vigil@nce - strongSwan: denial of service via is_asn1
August 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send malicious XAuth/EAP/PEM data to strongSwan,
in order to trigger a denial of service.
Impacted products: openSUSE, Unix (platform)
Severity: 2/4
Creation date: 02/08/2013
DESCRIPTION OF THE VULNERABILITY
The strongSwan product is used to establish a VPN IPsec tunnel
with a Linux system.
The authentication can be configured with XAuth or EAP. The XAuth
username and the EAP identity are transmitted to the
identification_create_from_data() function, which calls the
is_asn1() function to detect if data are in the ASN.1 format.
However, the error code of the asn1_length() sub-function is not
checked. So, if the username starts by ’0’ or ’1’, it is
interpreted as ASN.1 data, but their incorrect size triggers a
read at an invalid memory address.
The is_asn1() is also called to manage PEM files.
An attacker can therefore send malicious XAuth/EAP/PEM data to
strongSwan, in order to trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/strongSwan-denial-of-service-via-is-asn1-13194