Bug 870572 (CVE-2014-2338) - VUL-0: CVE-2014-2338: strongswan: authentication bypass in IKEv2
Status: RESOLVED FIXED
Alias: CVE-2014-2338
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Major
Target Milestone: ---
Deadline: 2014-04-03
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle10-sp3:56872 maint:...
Reported: 2014-03-27 10:26 UTC by Marcus Meissner
Modified: 2015-02-19 01:49 UTC
Comment 5 Swamp Workflow Management 2014-03-27 12:39:57 UTC
The SWAMPID for this issue is 56817.
This issue was rated as important.
Please submit fixed packages until 2014-04-03.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 SMASH SMASH 2014-03-27 12:40:10 UTC
Affected packages:

SLE-11-SP3: strongswan
SLE-10-SP3-TERADATA: strongswan
Comment 7 Swamp Workflow Management 2014-03-27 23:00:24 UTC
bugbot adjusting priority
Comment 16 Alexander Bergmann 2014-04-15 06:54:32 UTC
Public via strongswan.org:

http://www.strongswan.org/blog/2014/04/14/strongswan-authentication-bypass-vulnerability-%28cve-2014-2338%29.html

strongSwan Authentication Bypass Vulnerability (CVE-2014-2338)
----------
Abstract:
An authentication bypass vulnerability was discovered in strongSwan. It can be triggered by rekeying an unestablished IKEv2 SA while it gets actively initiated. All versions since 4.0.7 are affected.
----------
Comment 17 Bernhard Wiedemann 2014-04-15 07:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (870572) was mentioned in
https://build.opensuse.org/request/show/230120 13.1 / strongswan
https://build.opensuse.org/request/show/230121 12.3 / strongswan
https://build.opensuse.org/request/show/230123 Factory / strongswan
Comment 18 Swamp Workflow Management 2014-04-15 10:05:10 UTC
Update released for: strongswan, strongswan-debuginfo, strongswan-debugsource, strongswan-doc
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 19 Swamp Workflow Management 2014-04-15 10:05:27 UTC
Update released for: strongswan, strongswan-debuginfo, strongswan-doc
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 20 Swamp Workflow Management 2014-04-15 13:47:48 UTC
Update released for: strongswan, strongswan-debuginfo, strongswan-doc
Products:
SLE-DEBUGINFO 10-SP4 (i386, s390x, x86_64)
SLE-SERVER 10-SP4-LTSS (i386, s390x, x86_64)
Comment 21 Swamp Workflow Management 2014-04-15 13:48:38 UTC
Update released for: strongswan, strongswan-debuginfo, strongswan-debugsource, strongswan-doc
Products:
SLE-DEBUGINFO 11-SP2 (i386, s390x, x86_64)
SLE-SERVER 11-SP2-LTSS (i386, s390x, x86_64)
Comment 22 Swamp Workflow Management 2014-04-15 13:50:22 UTC
Update released for: strongswan, strongswan-debuginfo, strongswan-doc
Products:
SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 23 Swamp Workflow Management 2014-04-15 13:51:13 UTC
Update released for: strongswan, strongswan-debuginfo, strongswan-debugsource, strongswan-doc
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 24 Swamp Workflow Management 2014-04-15 15:48:50 UTC
Update released for: strongswan, strongswan-debuginfo, strongswan-debugsource, strongswan-doc
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 25 Swamp Workflow Management 2014-04-15 19:04:25 UTC
SUSE-SU-2014:0529-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 870572
CVE References: CVE-2014-2338
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    strongswan-4.4.0-6.23.1
SUSE Linux Enterprise Server 11 SP3 (src):    strongswan-4.4.0-6.23.1
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    strongswan-4.4.0-6.23.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    strongswan-4.4.0-6.23.1
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    strongswan-4.4.0-6.17.1
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    strongswan-4.1.10-0.20.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    strongswan-4.4.0-6.23.1
Comment 26 Alexander Bergmann 2014-04-16 07:50:47 UTC
Fixed and released. Closing Bug.
Comment 27 Bernhard Wiedemann 2014-05-08 16:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (870572) was mentioned in
https://build.opensuse.org/request/show/233099 13.1 / strongswan
Comment 28 Bernhard Wiedemann 2014-05-08 17:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (870572) was mentioned in
https://build.opensuse.org/request/show/233100 12.3 / strongswan
Comment 29 Bernhard Wiedemann 2014-05-14 08:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (870572) was mentioned in
https://build.opensuse.org/request/show/233820 12.3 / strongswan
https://build.opensuse.org/request/show/233823 13.1 / strongswan
Comment 30 Swamp Workflow Management 2014-05-22 10:04:22 UTC
openSUSE-SU-2014:0697-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 870572,876449
CVE References: CVE-2014-2338,CVE-2014-2891
Sources used:
openSUSE 13.1 (src):    strongswan-5.1.1-4.1
openSUSE 12.3 (src):    strongswan-5.0.1-4.16.1