(Openswan Issues Fix) strongSwan X.509 RDN and Time String Processing Bugs Let Remote Users Deny Service
SecurityTracker Alert ID: 1022464
SecurityTracker URL: http://securitytracker.com/id/1022464
CVE Reference: CVE-2009-2185
Date: Jun 26 2009
Impact:
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): Openswan 2.4 prior to 2.4.15, Openswan 2.6 prior to 2.6.22
Description:
Two vulnerabilities were reported in the X.509 certificate processing of strongSwan. Openswan is also affected, and this entry covers the Openswan fix. A remote user can cause denial of service conditions.
A remote user can present an X.509 certificate containing specially crafted Relative Distinguished Name (RDN) data to cause the target pluto IKE daemon to crash and restart.
A remote user can present an X.509 certificate containing specially crafted ASN.1 UTCTIME or GENERALIZEDTIME time strings (the encodings used for the certificate's validity dates, among other fields) to cause the target pluto IKE daemon to crash and restart.
Because pluto restarts after each crash, the condition can be triggered again to renew the outage.
Orange Labs vulnerability research team reported these vulnerabilities.
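Both bugs are input validation errors in the certificate parser: fields taken from attacker-supplied DER are used before they are checked against the bytes actually present. The following is an added example written for this entry, not Openswan or strongSwan code, showing how a parser for the ASN.1 UTCTIME and GENERALIZEDTIME values an IKE daemon reads from a certificate can be written so that every index is validated against the element length first and every malformed value is rejected instead of trusted. The function names, the short-form TLV wrapper and the sample inputs are this example's own assumptions; it does not reproduce the defective code.

```c
/* Added example for this entry, not Openswan or strongSwan code: a bounds-checked
 * parser for DER UTCTime (0x17) and GeneralizedTime (0x18), the time strings X.509
 * uses for notBefore/notAfter. Every index is checked against the supplied length
 * and every malformed value is rejected. Names and sample inputs are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASN1_UTCTIME         0x17
#define ASN1_GENERALIZEDTIME 0x18

/* Parse exactly n ASCII digits into *out; returns 0 if any byte is not a digit. */
static int parse_digits(const unsigned char *s, size_t n, int *out)
{
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9')
            return 0;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 1;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's days_from_civil). */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse the body of a UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime "YYYYMMDDHHMMSSZ"
 * (the only forms DER allows in certificates). len comes from the TLV header; the
 * exact-length check up front is what keeps a truncated or oversized body from
 * being indexed out of bounds. Returns 1 and sets *out to Unix epoch seconds, or 0. */
int parse_asn1_time(int tag, const unsigned char *body, size_t len, int64_t *out)
{
    static const int mdays[] = {31,28,31,30,31,30,31,31,30,31,30,31};
    size_t ylen = (tag == ASN1_UTCTIME) ? 2 : (tag == ASN1_GENERALIZEDTIME) ? 4 : 0;
    int year, mon, day, hour, min, sec, leap;

    if (ylen == 0 || len != ylen + 10 + 1 || body[len - 1] != 'Z')
        return 0;
    if (!parse_digits(body, ylen, &year)        || !parse_digits(body + ylen, 2, &mon)     ||
        !parse_digits(body + ylen + 2, 2, &day) || !parse_digits(body + ylen + 4, 2, &hour) ||
        !parse_digits(body + ylen + 6, 2, &min) || !parse_digits(body + ylen + 8, 2, &sec))
        return 0;
    if (tag == ASN1_UTCTIME)          /* RFC 5280: YY 50..99 is 19YY, 00..49 is 20YY */
        year += (year >= 50) ? 1900 : 2000;
    leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
    if (mon < 1 || mon > 12 || day < 1 || day > mdays[mon - 1] + (mon == 2 && leap) ||
        hour > 23 || min > 59 || sec > 59)
        return 0;
    *out = days_from_civil(year, mon, day) * 86400 + hour * 3600 + min * 60 + sec;
    return 1;
}

/* A short-form TLV (tag, one-byte length, body) taken from a buffer of n bytes:
 * a length byte that claims more than the buffer holds is rejected before the
 * body is touched. Returns 1 on success, 0 otherwise. */
int parse_asn1_time_tlv(const unsigned char *buf, size_t n, int64_t *out)
{
    if (n < 2 || buf[1] >= 0x80 || (size_t)buf[1] > n - 2)
        return 0;
    return parse_asn1_time(buf[0], buf + 2, buf[1], out);
}

/* String convenience wrapper: epoch seconds, or INT64_MIN if the value is rejected. */
int64_t asn1_time_to_epoch(int tag, const char *s)
{
    int64_t t;
    return parse_asn1_time(tag, (const unsigned char *)s, strlen(s), &t) ? t : INT64_MIN;
}

int main(void)
{
    /* Constructed sample inputs: one valid UTCTime, then truncated, non-digit, bad month. */
    const char *samples[] = {"090626000000Z", "090626Z", "0906AB000000Z", "091326000000Z"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t t = asn1_time_to_epoch(ASN1_UTCTIME, samples[i]);
        if (t == INT64_MIN)
            printf("%-14s rejected\n", samples[i]);
        else
            printf("%-14s epoch %lld\n", samples[i], (long long)t);
    }
    return 0;
}
```

The discipline that matters is the order of checks: the length from the header is compared with the bytes available, then the body length is compared with the one shape DER permits, and only then are individual bytes read. The same pattern applies to walking the RDN SEQUENCE/SET structure of a certificate's Name: every nested length must fit inside its parent before the contents are interpreted.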
Impact:
A remote user can cause the target pluto IKE daemon to crash and restart.
Solution:
Openswan has issued fixed versions: 2.4.15 for the 2.4 branch and 2.6.22 for the 2.6 branch. Installations running an earlier release of either branch should upgrade; the installed version can be checked with the command ipsec --version.
The Openswan advisory is available at:
http://www.openswan.org/security/CVE-2009-2185.php
Cause:
Input validation error
Underlying OS:
Linux (Any)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Thu, 25 Jun 2009 23:05:24 -0400
Subject: Openswan
http://www.openswan.org/security/CVE-2009-2185.php
CVE-2009-2185