Use-after-free vulnerability in the cryptographic helper handler functionality in Openswan 2.3.0 through 2.6.36 allows remote authenticated users to cause a denial of service (pluto IKE daemon crash) via vectors related to the (1) quick_outI1_continue and (2) quick_outI1 functions.

The remote host is running a version of Openswan prior to version 2.6.37. It is, therefore, affected by a remote denial of service vulnerability due to a use-after-free flaw in the cryptographic helper handler. A remote attacker can exploit this issue to cause a denial of service.

A use-after-free flaw was found in the way Openswan's pluto IKE daemon used cryptographic helpers. A remote, authenticated attacker could send a specially crafted IKE packet that would crash the pluto daemon.
This issue only affected SMP (symmetric multiprocessing) systems that have the cryptographic helpers enabled.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2011-1422 advisory.

    [2.6.32-4.4]     Resolves: #748969 CVE-2011-4073 updated patch by upstream

    [2.6.32-4.3]     Resolves: #748969 CVE-2011-4073

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services.
These services allow you to build secure tunnels through untrusted networks.

A use-after-free flaw was found in the way Openswan's pluto IKE daemon used cryptographic helpers. A remote, authenticated attacker could send a specially crafted IKE packet that would crash the pluto daemon.
This issue only affected SMP (symmetric multiprocessing) systems that have the cryptographic helpers enabled. The helpers are disabled by default on Scientific Linux 5, but enabled by default on Scientific Linux 6. (CVE-2011-4073)

All users of openswan are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
After installing this update, the ipsec service will be restarted automatically.

The remote host is affected by the vulnerability described in GLSA-201203-13 (Openswan: Denial of Service)

    Two vulnerabilities have been found in Openswan:
      Improper permissions are used on /var/run/starter.pid and         /var/lock/subsys/ipsec (CVE-2011-2147).
      Openswan contains a use-after-free error in the cryptographic helper         handler (CVE-2011-4073).
  Impact :

    A remote authenticated attacker or a local attacker may be able to cause       a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

The information security group at ETH Zurich discovered a denial of service vulnerability in the crypto helper handler of the IKE daemon pluto. More information can be found in the upstream advisory.

openswan's crypto helper was prone to an use-after-free flaw which could potentially allow remote attackers to cause a Denial of Service (CVE-2011-4073, bnc#727002). Additionally, a potential dereference of a no longer valid pointer has been fixed.

openswan's crypto helper was prone to an use-after-free flaw which could potentially allow remote attackers to cause a Denial of Service (CVE-2011-4073, bnc#727002). Additionally, the following issues have been fixed :

  - AH handshake problems (bnc#713986),

  - potential dereference of no longer valid pointers,

  - mode handling issues

new upstream release for CVE-2011-4073

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Fixes for CVE-2011-4073.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New upstream release for CVE-2011-4073

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 5 / 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2011:1422 advisory.

    Openswan is a free implementation of Internet Protocol Security (IPsec)     and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide     both authentication and encryption services. These services allow you to     build secure tunnels through untrusted networks.

    A use-after-free flaw was found in the way Openswan's pluto IKE daemon used     cryptographic helpers. A remote, authenticated attacker could send a     specially-crafted IKE packet that would crash the pluto daemon. This issue     only affected SMP (symmetric multiprocessing) systems that have the     cryptographic helpers enabled. The helpers are disabled by default on Red     Hat Enterprise Linux 5, but enabled by default on Red Hat Enterprise Linux     6. (CVE-2011-4073)

    Red Hat would like to thank the Openswan project for reporting this issue.
    Upstream acknowledges Petar Tsankov, Mohammad Torabi Dashti and David Basin     of the information security group at ETH Zurich as the original reporters.

    All users of openswan are advised to upgrade to these updated packages,     which contain a backported patch to correct this issue. After installing     this update, the ipsec service will be restarted automatically.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Updated openswan packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services.
These services allow you to build secure tunnels through untrusted networks.

A use-after-free flaw was found in the way Openswan's pluto IKE daemon used cryptographic helpers. A remote, authenticated attacker could send a specially crafted IKE packet that would crash the pluto daemon.
This issue only affected SMP (symmetric multiprocessing) systems that have the cryptographic helpers enabled. The helpers are disabled by default on Red Hat Enterprise Linux 5, but enabled by default on Red Hat Enterprise Linux 6. (CVE-2011-4073)

Red Hat would like to thank the Openswan project for reporting this issue. Upstream acknowledges Petar Tsankov, Mohammad Torabi Dashti and David Basin of the information security group at ETH Zurich as the original reporters.

All users of openswan are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
After installing this update, the ipsec service will be restarted automatically.

ID	Name	Product	Family	Severity
81053	Openswan < 2.6.37 Cryptographic Helper Use-After-Free Remote DoS	Nessus	Misc.	medium
69577	Amazon Linux AMI : openswan (ALAS-2011-18)	Nessus	Amazon Linux Local Security Checks	medium
68381	Oracle Linux 5 / 6 : openswan (ELSA-2011-1422)	Nessus	Oracle Linux Local Security Checks	medium
61167	Scientific Linux Security Update : openswan on SL5.x, SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
58378	GLSA-201203-13 : Openswan: Denial of Service	Nessus	Gentoo Local Security Checks	medium
57514	Debian DSA-2374-1 : openswan - implementation error	Nessus	Debian Local Security Checks	medium
57237	SuSE 10 Security Update : openswan (ZYPP Patch Number 7836)	Nessus	SuSE Local Security Checks	medium
57125	SuSE 11.1 Security Update : openswan (SAT Patch Number 5424)	Nessus	SuSE Local Security Checks	medium
57072	Fedora 16 : openswan-2.6.37-1.fc16 (2011-15196)	Nessus	Fedora Local Security Checks	medium
57071	Fedora 14 : openswan-2.6.33-3.fc14 (2011-15127)	Nessus	Fedora Local Security Checks	medium
57070	Fedora 15 : openswan-2.6.37-1.fc15 (2011-15077)	Nessus	Fedora Local Security Checks	medium
56698	RHEL 5 / 6 : openswan (RHSA-2011:1422)	Nessus	Red Hat Local Security Checks	medium
56694	CentOS 5 : openswan (CESA-2011:1422)	Nessus	CentOS Local Security Checks	medium

Detections

Analytics

CVE-2011-4073

medium

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium