Openswan 2.6.29 through 2.6.35 allows remote attackers to cause a denial of service (NULL pointer dereference and pluto IKE daemon crash) via an ISAKMP message with an invalid KEY_LENGTH attribute, which is not properly handled by the error handling function.

The remote MiracleLinux 4 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2011-553:01 advisory.

    Openswan is a free implementation of IPsec & IKE for Linux.  IPsec is the Internet Protocol Security and     uses strong cryptography to provide both authentication and encryption services.  These services allow you     to build secure tunnels through untrusted networks.  Everything passing through the untrusted net is     encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel.  The     resulting tunnel is a virtual private network or VPN.
    This package contains the daemons and userland tools for setting up Openswan. It supports the NETKEY/XFRM     IPsec kernel stack that exists in the default Linux kernel.
    Openswan 2.6.x also supports IKEv2 (RFC4306)     CVE-2011-3380     Openswan 2.6.29 through 2.6.35 allows remote attackers to cause a denial of service (NULL pointer     dereference and pluto IKE daemon crash) via an ISAKMP message with an invalid KEY_LENGTH attribute, which     is not properly handled by the error handling function.
    Fixed bugs:
     - Whether the hostname or the ipaddress parameter is configured, Openswan now correctly sets up policies     with the correct protocol and port.
     - Previously, very large security label strings coming from the peer were truncated, then used. This     truncated string could sometimes correspond to a valid string, leading to incorrect policies. This has     been fixed. It also fixes an incorrect handling of the IKE setup
     - Openswan can now be correctly set up in AH mode SAs.
     - IPsec connections over a loopback interface did not work properly when a specific port was configured.
    This has been fixed.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is running a version of Openswan prior to version 2.6.36. It is, therefore, affected by a remote denial of service vulnerability due to a NULL pointer dereference flaw. A remote attacker, using a specially crafted ISAKMP message with an invalid KEY_LENGTH attribute, can cause a denial of service.

A NULL pointer dereference flaw was found in the way Openswan's pluto IKE daemon handled certain error conditions. A remote, unauthenticated attacker could send a specially crafted IKE packet that would crash the pluto daemon.

When an ISAKMP message with an invalid KEY_LENGTH attribute is received, the error handling function crashes on a NULL pointer dereference. Openswan automatically restarts the pluto IKE daemon but all ISAKMP state is lost. This vulnerability does NOT allow an attacker access to the system. This can be used to launch a denial of service attack by sending repeated IKE packets with the invalid key length attribute.

The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2011-1356 advisory.

    [2.6.32-4.2]     Resolves: #742069 CVE-2011-3380

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services.
These services allow you to build secure tunnels through untrusted networks.

A NULL pointer dereference flaw was found in the way Openswan's pluto IKE daemon handled certain error conditions. A remote, unauthenticated attacker could send a specially crafted IKE packet that would crash the pluto daemon. (CVE-2011-3380)

All users of openswan are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
After installing this update, the ipsec service will be restarted automatically.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2011:1356 advisory.

    Openswan is a free implementation of Internet Protocol Security (IPsec)     and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide     both authentication and encryption services. These services allow you to     build secure tunnels through untrusted networks.

    A NULL pointer dereference flaw was found in the way Openswan's pluto IKE     daemon handled certain error conditions. A remote, unauthenticated attacker     could send a specially-crafted IKE packet that would crash the pluto     daemon. (CVE-2011-3380)

    Red Hat would like to thank the Openswan project for reporting this issue.
    Upstream acknowledges Paul Wouters as the original reporter.

    All users of openswan are advised to upgrade to these updated packages,     which contain a backported patch to correct this issue. After installing     this update, the ipsec service will be restarted automatically.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
284113	MiracleLinux 4 : openswan-2.6.32-4.2.0.1.AXS4 (AXSA:2011-553:01)	Nessus	Miracle Linux Local Security Checks	high
81052	Openswan < 2.6.36 IKE Packet NULL Pointer Dereference Remote DoS	Nessus	Misc.	medium
78267	Amazon Linux AMI : openswan (ALAS-2011-6)	Nessus	Amazon Linux Local Security Checks	medium
69565	Amazon Linux AMI : openswan (ALAS-2011-06)	Nessus	Amazon Linux Local Security Checks	medium
68365	Oracle Linux 6 : openswan (ELSA-2011-1356)	Nessus	Oracle Linux Local Security Checks	high
61149	Scientific Linux Security Update : openswan on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
56405	RHEL 6 : openswan (RHSA-2011:1356)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2011-3380

high

Tenable Plugins

high

medium

medium

medium

high

medium

high