Detections
Analytics

GLSA-202405-08 : strongSwan: Multiple Vulnerabilities

critical Nessus Plugin ID 194978

Language:

Description

The remote host is affected by the vulnerability described in GLSA-202405-08 (strongSwan: Multiple Vulnerabilities)

 - The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility. (CVE-2021-41991)

 - In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication. (CVE-2021-45079)

 - strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data. (CVE-2022-40617)

 - strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named public for two different purposes within the same function. There is initially incorrect access control, later followed by an expired pointer dereference. One attack vector is sending an untrusted client certificate during EAP-TLS. A server is affected only if it loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10. (CVE-2023-26463)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

All strongSwan users should upgrade to the latest version:

 # emerge --sync # emerge --ask --oneshot --verbose >=net-vpn/strongswan-5.9.10

See Also

https://security.gentoo.org/glsa/202405-08

https://bugs.gentoo.org/show_bug.cgi?id=818841

https://bugs.gentoo.org/show_bug.cgi?id=832460

https://bugs.gentoo.org/show_bug.cgi?id=878887

https://bugs.gentoo.org/show_bug.cgi?id=899964

Plugin Details

Severity: Critical

ID: 194978

File Name: gentoo_GLSA-202405-08.nasl

Version: 1.0

Type: local

Published: 5/4/2024

Updated: 5/4/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P

CVSS Score Source: CVE-2021-45079

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2023-26463

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:strongswan, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Ease: No known exploits are available

Patch Publication Date: 5/4/2024

Vulnerability Publication Date: 10/18/2021

Reference Information

CVE: CVE-2021-41991, CVE-2021-45079, CVE-2022-40617, CVE-2023-26463