Openswan 2.6.39 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads.

The remote MiracleLinux 4 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2014-035:01 advisory.

    Openswan is a free implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and     uses strong cryptography to provide both authentication and encryption services. These services allow you     to build secure tunnels through untrusted networks. Everything passing through the untrusted net is     encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel. The     resulting tunnel is a virtual private network or VPN.
    This package contains the daemons and userland tools for setting up Openswan. It supports the NETKEY/XFRM     IPsec kernel stack that exists in the default Linux kernel.
    Openswan 2.6.x also supports IKEv2 (RFC4306)     Security issues fixed with this release:
     CVE-2013-6466     Openswan 2.6.39 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference     and IKE daemon restart) via IKEv2 packets that lack expected payloads.
    Fixed bugs:
     Previously, when the signature of a Certificate Revocation List started with a zero, the verification     failed. This has been fixed.
     Fixed the order of the load_crls() and load_authcerts_from_nss() functions in the plutomain.c file so     that the IPsec daemon (pluto) no longer fails during startup and loads the CRLs successfully.
     It is now possible to establish an IKE tunnel when the xauth option is enabled and the     leftmodecfgclient option is disabled in the /etc/ipsec.conf file. This previously did not work and has     been fied.
     Previously, Openswan could not establish L2TP connection with devices using NAT-Traversal. This has been     fixed and support for passing traffic selectors to an XFRM IPsec stack for transport mode is now complete.
     Openswan can now use SHA2 algorithms in FIPS mode.
    Enhancements:
     Added support for Internet Key Exchage (IKE) fragmentation.
     Added support for the Internet Key Exchage version 1 (IKEv1) INITIAL-CONTACT IPsec message, as per     RFC2407 Section 4.6.3.3.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201411-07 (Openswan: Denial of Service)

    A NULL pointer dereference has been found in Openswan.
  Impact :

    A remote attacker could create a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Two vulnerabilities were fixed in Openswan, an IKE/IPsec implementation for Linux.

  - CVE-2013-2053     During an audit of Libreswan (with which Openswan shares     some code), Florian Weimer found a remote buffer     overflow in the atodn() function. This vulnerability can     be triggered when Opportunistic Encryption (OE) is     enabled and an attacker controls the PTR record of a     peer IP address. Authentication is not needed to trigger     the vulnerability.

  - CVE-2013-6466     Iustina Melinte found a vulnerability in Libreswan which     also applies to the Openswan code. By carefully crafting     IKEv2 packets, an attacker can make the pluto daemon     dereference non-received IKEv2 payload, leading to the     daemon crash. Authentication is not needed to trigger     the vulnerability.

Patches were originally written to fix the vulnerabilities in Libreswan, and have been ported to Openswan by Paul Wouters from the Libreswan Project.

Since the Openswan package is not maintained anymore in the Debian distribution and is not available in testing and unstable suites, it is recommended for IKE/IPsec users to switch to a supported implementation like strongSwan.

A NULL pointer dereference flaw was discovered in the way Openswan's IKE daemon processed IKEv2 payloads. A remote attacker could send specially crafted IKEv2 payloads that, when processed, would lead to a denial of service (daemon crash), possibly causing existing VPN connections to be dropped. (CVE-2013-6466)

Updated openswan packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services.
These services allow you to build secure tunnels through untrusted networks.

A NULL pointer dereference flaw was discovered in the way Openswan's IKE daemon processed IKEv2 payloads. A remote attacker could send specially crafted IKEv2 payloads that, when processed, would lead to a denial of service (daemon crash), possibly causing existing VPN connections to be dropped. (CVE-2013-6466)

All openswan users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2014-0185 advisory.

    - Resolves: rhbz#1050337 (CVE-2013-6466 refix for delete/notify code)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
289752	MiracleLinux 4 : openswan-2.6.32-27.2.0.1.AXS4 (AXSA:2014-035:01)	Nessus	Miracle Linux Local Security Checks	high
79415	GLSA-201411-07 : Openswan: Denial of Service	Nessus	Gentoo Local Security Checks	medium
73293	Debian DSA-2893-1 : openswan - security update	Nessus	Debian Local Security Checks	medium
72951	Amazon Linux AMI : openswan (ALAS-2014-303)	Nessus	Amazon Linux Local Security Checks	medium
72570	Scientific Linux Security Update : openswan on SL5.x, SL6.x i386/x86_64 (20140218)	Nessus	Scientific Linux Local Security Checks	medium
72567	RHEL 5 / 6 : openswan (RHSA-2014:0185)	Nessus	Red Hat Local Security Checks	medium
72565	Oracle Linux 5 / 6 : openswan (ELSA-2014-0185)	Nessus	Oracle Linux Local Security Checks	high
72561	CentOS 5 / 6 : openswan (CESA-2014:0185)	Nessus	CentOS Local Security Checks	medium

Detections

Analytics

CVE-2013-6466

high

Tenable Plugins

high

medium

medium

medium

medium

medium

high

medium