strongSwan Denial-of-Service Vulnerability (CVE-2014-2891)

A DoS vulnerability triggered by crafted ID payloads was discovered in strongSwan. Versions since 4.3.3 and before 5.1.2 are affected.

Based on a crash report from one of our users we found that strongSwan versions before 5.1.2 are susceptible to a DoS vulnerability. Affected are strongSwan versions 4.3.3 and newer, up to 5.1.1. The latest release (5.1.3) is not affected.

CVE-2014-2891 has been assigned for this vulnerability.

The bug can be triggered by a crafted ID_DER_ASN1_DN ID payload and is caused by a NULL-pointer dereference when such identities are parsed. If the data of the ID payload is exactly two bytes long and the second byte ranges between 0x81 and 0x84 (or 0x88, depending on sizeof(size_t)), logging or comparing the identity will crash the IKE daemon.
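The failing case is a DER long-form length octet (0x81..0x84) with no length bytes behind it. As an added illustration that is not strongSwan's own asn1 code, the hypothetical helper below decodes a DER length only after checking that the claimed length octets, and the content they announce, actually fit in the received buffer; the sample payloads in main() are constructed, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode the length field following the tag at buf[0]. On success sets
 * *hdr (tag + length octets) and *body (content length) and returns true;
 * any encoding that needs more bytes than the buffer holds is rejected. */
bool der_length_checked(const uint8_t *buf, size_t len, size_t *hdr, size_t *body)
{
    if (buf == NULL || len < 2) {
        return false;                 /* need at least tag + one length octet */
    }
    uint8_t first = buf[1];
    if ((first & 0x80) == 0) {        /* short form: length fits in 7 bits */
        *hdr = 2;
        *body = first;
    } else {
        size_t n = first & 0x7f;      /* long form: n following octets carry the length */
        /* 0x80 (indefinite) and widths beyond size_t are refused; so is a
         * truncated buffer, which is exactly the two-byte 0x81..0x84 case */
        if (n == 0 || n > sizeof(size_t) || 2 + n > len) {
            return false;
        }
        size_t value = 0;
        for (size_t i = 0; i < n; i++) {
            value = (value << 8) | buf[2 + i];
        }
        *hdr = 2 + n;
        *body = value;
    }
    return *body <= len - *hdr;       /* declared content must fit in what arrived */
}

/* Is this ID_DER_ASN1_DN payload a SEQUENCE whose length is sane? */
bool dn_payload_is_wellformed(const uint8_t *buf, size_t len)
{
    size_t hdr, body;
    return der_length_checked(buf, len, &hdr, &body) && buf[0] == 0x30;
}

int main(void)
{
    const uint8_t truncated[] = {0x30, 0x81};               /* constructed crash shape */
    const uint8_t empty_dn[]  = {0x30, 0x00};               /* constructed, well-formed */
    printf("truncated: %s\n", dn_payload_is_wellformed(truncated, sizeof truncated) ? "ok" : "rejected");
    printf("empty DN:  %s\n", dn_payload_is_wellformed(empty_dn, sizeof empty_dn) ? "ok" : "rejected");
    return 0;
}
```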

This issue was fixed with 5.1.2, but it went unnoticed that it can be exploited remotely in older releases. Remote code execution is not possible due to this vulnerability.

Fix

The latest release (strongSwan 5.1.3) is not vulnerable. For older releases we provide a patch that fixes the vulnerability and should apply with appropriate hunk offsets.