Bugzilla – Bug 824316
VUL-0: openswan: CVE-2013-2053: remote buffer overflow in atodn()
Last modified: 2013-07-05 12:26:19 UTC
Public via RedHat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=960229 Paul Wouters reports: An audit of code from The Libreswan Project revealed a remote buffer overflow in the atodn() function used by both libreswan, openswan, and older versions of strongswan and superfreeswan when called from atoid() Vulnerable versions: Openswan versions 1.x to 2.6.38 Vulnerability information: When enabling Opportunistic Encryption ("OE") using oe=yes (default is 'no') the IKE daemon pluto requests DNS TXT records to obtain public RSA keys of itself and its peers. These records can contain an IPsec gateway specification containing an fully qualified hostname which is passed to a function atoid(). When X.509 support was added to FreeS/WAN, ASN.1 parsing was added to the function atoid() which converts an ASCII ID representation into an internal struct id representation using a static buffer via the function temporary_cyclic_buffer() While DNS TXT records cannot contain ASN.1 representations, the code mistakenly checked for such interpretation if the DNS TXT FQDN contained an '=' symbol. Since DNS TXT buffers can be larger than what the ASN.1 parsing code expected, parsing such a record can trigger a buffer overflow leading to remote execution of code, specifically when overflowing into the struct kernel_ops which is a table of function pointers. Exploitation: This exploit can only be triggered when the ipsec.conf configuration file enables Opportunistic Encryption via the option 'oe=yes'. If this option is not present, it defaults to 'no'. Configurations that enable "OE" without preconfiguring their own public RSA key in DNS will be under severe connectivity problems leaving the machine with 30 second delay for each outgoing connection - a deployment scenario that is extremely unlikely to appear in the wild. In the unlikely event that machines are configured as such, this vulnerability can only be exploited by a remote attacker controlling the reverse DNS entry for the IP address of the targetted host. If the machine is properly configured for OE, an attacker only needs to trigger a connection to an IP address for which they control the reverse DNS zone where they can place the malicious DNS record. Credits: This vulnerability was found by Florian Weimer of the Red Hat Product Security Team (https://access.redhat.com/security/team/)
Fixes from upstream libreswan.org are available at: http://libreswan.org/security/CVE-2013-2053/ And more details can be found on the libreswan.org mailing list: https://lists.libreswan.org/pipermail/swan-announce/2013/000003.html
bugbot adjusting priority
The following packages are also affected and tracked in separate bugs: Bug 824322 - strongswan Bug 824323 - freeswan
Marius? Are we affected with openswan?
This atodn() problem was addressed in three different CVEs. CVE-2013-2052 Libreswan remote buffer overflow in atodn() http://libreswan.org/security/CVE-2013-2052 For full information regarding openswan, see: http://libreswan.org/security/CVE-2013-2053 (this bug bug#824316) For full information regarding strongswan, see: http://libreswan.org/security/CVE-2013-2054 (bug#824322)
Created attachment 545148 [details] openswan-2.6.16-CVE-2013-2053_1-atodn.bnc824316.patch merged for SLE-11
Created attachment 545149 [details] openswan-2.6.16-CVE-2013-2053_2-x509dn.bnc824316.patch merged for SLE-11
Created attachment 545150 [details] openswan-2.4.4-CVE-2013-2053_1-atodn.bnc824316.patch merged for SLE-10
Created attachment 545151 [details] openswan-2.4.4-CVE-2013-2053_2-x509dn.bnc824316.patch merged for SLE-10
The SWAMPID for this issue is 53188. This issue was rated as important. Please submit fixed packages until 2013-07-02. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Update released for: openswan, openswan-debuginfo Products: SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: openswan, openswan-debuginfo, openswan-debugsource, openswan-doc Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: openswan, openswan-debuginfo Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
done
Update released for: openswan, openswan-debuginfo, openswan-debugsource, openswan-doc Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)