Openswan 2.6.39 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads.

The remote host is affected by the vulnerability described in GLSA-201411-07 (Openswan: Denial of Service)

    A NULL pointer dereference has been found in Openswan.
  Impact :

    A remote attacker could create a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Two vulnerabilities were fixed in Openswan, an IKE/IPsec implementation for Linux.

  - CVE-2013-2053     During an audit of Libreswan (with which Openswan shares     some code), Florian Weimer found a remote buffer     overflow in the atodn() function. This vulnerability can     be triggered when Opportunistic Encryption (OE) is     enabled and an attacker controls the PTR record of a     peer IP address. Authentication is not needed to trigger     the vulnerability.

  - CVE-2013-6466     Iustina Melinte found a vulnerability in Libreswan which     also applies to the Openswan code. By carefully crafting     IKEv2 packets, an attacker can make the pluto daemon     dereference non-received IKEv2 payload, leading to the     daemon crash. Authentication is not needed to trigger     the vulnerability.

Patches were originally written to fix the vulnerabilities in Libreswan, and have been ported to Openswan by Paul Wouters from the Libreswan Project.

Since the Openswan package is not maintained anymore in the Debian distribution and is not available in testing and unstable suites, it is recommended for IKE/IPsec users to switch to a supported implementation like strongSwan.

A NULL pointer dereference flaw was discovered in the way Openswan's IKE daemon processed IKEv2 payloads. A remote attacker could send specially crafted IKEv2 payloads that, when processed, would lead to a denial of service (daemon crash), possibly causing existing VPN connections to be dropped. (CVE-2013-6466)

Updated openswan packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services.
These services allow you to build secure tunnels through untrusted networks.

A NULL pointer dereference flaw was discovered in the way Openswan's IKE daemon processed IKEv2 payloads. A remote attacker could send specially crafted IKEv2 payloads that, when processed, would lead to a denial of service (daemon crash), possibly causing existing VPN connections to be dropped. (CVE-2013-6466)

All openswan users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

From Red Hat Security Advisory 2014:0185 :

Updated openswan packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services.
These services allow you to build secure tunnels through untrusted networks.

A NULL pointer dereference flaw was discovered in the way Openswan's IKE daemon processed IKEv2 payloads. A remote attacker could send specially crafted IKEv2 payloads that, when processed, would lead to a denial of service (daemon crash), possibly causing existing VPN connections to be dropped. (CVE-2013-6466)

All openswan users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

ID	Name	Product	Family	Severity
79415	GLSA-201411-07 : Openswan: Denial of Service	Nessus	Gentoo Local Security Checks	medium
73293	Debian DSA-2893-1 : openswan - security update	Nessus	Debian Local Security Checks	medium
72951	Amazon Linux AMI : openswan (ALAS-2014-303)	Nessus	Amazon Linux Local Security Checks	medium
72570	Scientific Linux Security Update : openswan on SL5.x, SL6.x i386/x86_64 (20140218)	Nessus	Scientific Linux Local Security Checks	medium
72567	RHEL 5 / 6 : openswan (RHSA-2014:0185)	Nessus	Red Hat Local Security Checks	medium
72565	Oracle Linux 5 / 6 : openswan (ELSA-2014-0185)	Nessus	Oracle Linux Local Security Checks	medium
72561	CentOS 5 / 6 : openswan (CESA-2014:0185)	Nessus	CentOS Local Security Checks	medium

Detections

Analytics

CVE-2013-6466

high

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium