Blog

Release and vulnerability announcements for strongSwan

strongSwan Vulnerability (CVE-2021-41990)

A denial-of-service vulnerability in the gmp plugin was discovered in strongSwan. All versions since 5.6.1 are affected.

Researchers at the NSA discovered an integer overflow bug in the gmp plugin that may lead to a denial-of-service attack. All versions since 5.6.1 are affected if the plugin is enabled and loaded.

Integer Overflow in gmp Plugin

RSASSA-PSS signatures whose parameters define a very high salt length can trigger an integer overflow that can lead to a segmentation fault.

CVE-2021-41990 has been assigned for this vulnerability.

With strongSwan 5.6.1, support for RSASSA-PSS signatures was added. The parameters field of the algorithmIdentifier structure of such signatures
contains information such as the hash algorithm and the salt length used for the signature. The gmp plugin assigns the parsed salt length to the size_t len field of a chunk_t, and then uses that value to verify that the signature has the correct structure. It initially uses the formula from RFC 8017, section 9.1.2:

em.len < (hash.len + salt.len + 2)

Where em.len is the length of the decrypted signature value, the other two the respective length of the hash and salt. If the provided salt length is very high (e.g. 264-1), this will cause an integer overflow, bypassing this check. The length of the salt is later used when verifying the padding in the decrypted signature and if that check is passed (requires a correspondingly crafted signature value), there will eventually be an attempt to use the length in a memcpy() call, which causes a segmentation fault.

Note that generating a signature that bypasses the padding check to trigger the crash requires access to the private key that signed the certificate. However, the certificate does not have to be trusted. Because the x509 and the openssl plugins both check if a parsed certificate is self-signed (and the signature is valid), this can e.g. be triggered by an unrelated self-signed CA certificate sent by an initiator.

Remote code execution is not possible due to this issue.

As mentioned in the introduction, credit to the researchers at the NSA for finding this vulnerability.

Mitigation

Since only the gmp plugin is affected, installations that don't have this plugin enabled and loaded are not vulnerable.

The just released strongSwan 5.9.4 fixes this vulnerability. For older releases we provide a patch that fixes the vulnerability and should apply with appropriate hunk offsets.