Libreswan dereferencing missing IKEv2 payloads

2014.01.27
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Release date: Wed Jan 15, 2014
Subject: CVE-2013-6467 Libreswan dereferencing missing IKEv2 payloads causes restart
URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-6467

This alert (and any possible updates) is available at the following URLs:
https://libreswan.org/security/CVE-2013-6467/

The Libreswan Project was notified by Iustina Melinte of a vulnerability regarding dereferencing of non-received IKEv2 payloads. This allows a malicious non-authenticated remote user to cause the libreswan IKE daemon to restart.

Vulnerable versions: libreswan up to version 3.7
Not vulnerable: libreswan 3.8

If you cannot upgrade to 3.8, please see the above link for a patch for this issue.

All versions of openswan including 2.6.39 are also vulnerable to this bug, see CVE-2013-6466

CVSS2 score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Vulnerability information
--------------------------
Iustina Melinte used a custom IKE fuzzer to test libreswan. By withholding or renumbering certain IKEv2 payloads, the pluto IKE daemon crashes while trying to dereference a NULL pointer on the presumably received payload. Configurations that only allow IKEv1 are not vulnerable.

Exploitation
-------------
This denial of service can be launched by anyone using a few mangled IKEv2 packets. No authentication credentials are required. No remote code execution is possible through this vulnerability. Libreswan automatically restarts when it crashes.

Workaround
-----------
When not requiring or using IKEv2, adding the keyword ikev2=never to all connections enforces that only IKEv1 can be used. This prevents the vulnerable code from being called. The default value for ikev2= is "yes", meaning that IKEv2 is allowed and the vulnerable code can be triggered, resulting in a Denial-of-Service.

Credits
--------
This vulnerability was found by Iustina Melinte. The Libreswan Project is especially thankful for Iustina's assistance with the IKE fuzzer software.
About libreswan (https://libreswan.org/)
-----------------------------------------
Libreswan is a free implementation of the Internet Protocol Security (IPsec) suite and Internet Key Exchange (IKE) protocols. It is a descendant (fork) of openswan 2.6.38. IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine, and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network (VPN).
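The bug class described under "Vulnerability information", as an added illustration that is not libreswan's own code: a hypothetical IKEv2 handler that indexes received payloads by type, with the unchecked dereference beside a form that rejects a message whose mandatory payload was withheld. Payload type numbers are those of RFC 5996; the struct and function names and the sample messages are invented for this example.

```c
/* Hypothetical illustration, not libreswan's code: an IKEv2 handler that indexes
 * received payloads by type and must tolerate payloads that never arrived. */
#include <stddef.h>
#include <string.h>
/* IKEv2 payload type numbers from RFC 5996: 33 = SA, 34 = KE, 40 = Nonce. */
enum { V2_SA = 33, V2_KE = 34, V2_NONCE = 40, V2_MAX = 64 };
struct payload { int type; const unsigned char *data; size_t len; };
/* Received payloads indexed by type; a NULL slot means "not received". */
struct msg_digest { const struct payload *chain[V2_MAX]; };

/* Record only the payloads actually present in the message. */
void index_payloads(struct msg_digest *md, const struct payload *p, size_t n) {
    memset(md, 0, sizeof *md);
    for (size_t i = 0; i < n; i++)
        if (p[i].type > 0 && p[i].type < V2_MAX) md->chain[p[i].type] = &p[i];
}

/* Unchecked pattern behind the advisory: the handler assumes the mandatory SA
 * payload arrived. When it was withheld, chain[V2_SA] is NULL and the daemon crashes. */
size_t ike_sa_init_unchecked(const struct msg_digest *md) {
    return md->chain[V2_SA]->len;
}

/* Hardened form: confirm every mandatory payload is present before touching any
 * of them; on failure set *err and return 0 so the caller drops the exchange. */
size_t ike_sa_init_checked(const struct msg_digest *md, const char **err) {
    static const int required[] = { V2_SA, V2_KE, V2_NONCE };
    for (size_t i = 0; i < sizeof required / sizeof required[0]; i++)
        if (md->chain[required[i]] == NULL) { *err = "missing mandatory IKEv2 payload"; return 0; }
    *err = NULL;
    return md->chain[V2_SA]->len;
}

/* Constructed samples: a complete IKE_SA_INIT and one with the SA payload withheld. */
static const unsigned char blob[8] = { 0 };
static const struct payload complete[] = { { V2_SA, blob, 8 }, { V2_KE, blob, 8 }, { V2_NONCE, blob, 8 } };
static const struct payload missing_sa[] = { { V2_KE, blob, 8 }, { V2_NONCE, blob, 8 } };

/* 1 when the checked handler rejects the mangled message instead of crashing. */
int rejects_missing_sa(void) {
    struct msg_digest md; const char *err = NULL;
    index_payloads(&md, missing_sa, 2);
    return ike_sa_init_checked(&md, &err) == 0 && err != NULL;
}
/* SA payload length the checked handler reports for the complete message. */
size_t accepts_complete(void) {
    struct msg_digest md; const char *err = NULL;
    index_payloads(&md, complete, 3);
    return ike_sa_init_checked(&md, &err);
}
```

Calling ike_sa_init_unchecked on the withheld-SA sample reproduces the NULL dereference the advisory describes, which is exactly what the checked variant turns into a rejected exchange.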

References:

https://libreswan.org/security/CVE-2013-6467/CVE-2013-6467.txt
http://xforce.iss.net/xforce/xfdb/90522
http://www.securityfocus.com/bid/64987
http://secunia.com/advisories/56420
http://osvdb.org/102172


Copyright 2024, cxsecurity.com