strongSwan X.509 RDN and Time String Processing Bugs Let Remote Users Deny Service

SecurityTracker Alert ID: 1022428
SecurityTracker URL: http://securitytracker.com/id?1022428
CVE Reference: CVE-2009-2185
Updated: Jun 26 2009
Original Entry Date: Jun 22 2009
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.2.0 - 2.8.9, 4.3.0 - 4.3.1, 4.0.0 - 4.2.15

Description: Two vulnerabilities were reported in strongSwan. A remote user can cause denial of service conditions.
A remote user can send specially crafted X.509 certificate Relative Distinguished Name (RDN) data to cause the target pluto IKE daemon to crash and restart.
A remote user can send specially crafted X.509 certificate ASN.1 UTCTIME and GENERALIZEDTIME time strings to cause the target pluto IKE daemon to crash and restart.
Orange Labs vulnerability research team reported these vulnerabilities.
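As an added illustration of the input validation the Cause field refers to, the decoder below checks the length and every byte of an X.509 UTCTime or GeneralizedTime string before using it, so a short, overlong or malformed time string is refused rather than read past its buffer. This is example code written for this entry, not strongSwan's own asn1 routines; the function and type names are assumed, and the string shapes follow the RFC 5280 profile (UTCTime "YYMMDDHHMMSSZ", GeneralizedTime "YYYYMMDDHHMMSSZ").

```c
#include <stdbool.h>
#include <stddef.h>

/* Decoded calendar fields; enough for a validity-period comparison. */
typedef struct { int year, mon, day, hour, min, sec; } asn1_time_t;
typedef enum { ASN1_UTCTIME, ASN1_GENERALIZEDTIME } asn1_time_kind_t;

static bool all_digits(const char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] < '0' || p[i] > '9') return false;
    return true;
}

static int two_digits(const char *p)
{
    return (p[0] - '0') * 10 + (p[1] - '0');
}

/* Strict decoder (hypothetical helper, not strongSwan code) for the
 * X.509 profile of ASN.1 time strings. Every check runs before the
 * corresponding byte is touched, so malformed input yields false
 * instead of an out-of-bounds read. */
bool asn1_time_decode(const char *buf, size_t len, asn1_time_kind_t kind,
                      asn1_time_t *out)
{
    size_t year_len = (kind == ASN1_UTCTIME) ? 2 : 4;
    size_t expected = year_len + 10 + 1;          /* + MMDDHHMMSS + 'Z' */
    if (buf == NULL || out == NULL || len != expected) return false;
    if (buf[len - 1] != 'Z' || !all_digits(buf, len - 1)) return false;

    asn1_time_t t;
    if (kind == ASN1_UTCTIME) {
        t.year = two_digits(buf);
        t.year += (t.year < 50) ? 2000 : 1900;    /* RFC 5280 UTCTime pivot */
    } else {
        t.year = two_digits(buf) * 100 + two_digits(buf + 2);
    }
    const char *p = buf + year_len;
    t.mon = two_digits(p);      t.day = two_digits(p + 2);
    t.hour = two_digits(p + 4); t.min = two_digits(p + 6);
    t.sec = two_digits(p + 8);
    /* Refuse out-of-range fields instead of normalising garbage. */
    if (t.mon < 1 || t.mon > 12 || t.day < 1 || t.day > 31 ||
        t.hour > 23 || t.min > 59 || t.sec > 59) return false;
    *out = t;
    return true;
}
```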

Impact: A remote user can cause the target pluto IKE daemon to crash and restart.

Solution: The vendor has issued patches, available at:
http://download.strongswan.org/patches/05_asn1_rdn_patch/
http://download.strongswan.org/patches/06_asn1_time_patch/

Vendor URL: www.strongswan.org/

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any)

Source Message Contents
Date: Mon, 22 Jun 2009 09:41:18 -0400
Subject: StrongSwan
http://download.strongswan.org/patches/05_asn1_rdn_patch/
http://download.strongswan.org/patches/06_asn1_time_patch/