Vigil@nce: Openswan, strongSwan, denials of service of ASN.1
June 2009 by Vigil@nce
An attacker can send malformed ASN.1 data in order to stop Openswan or strongSwan.
Severity: 2/4
Consequences: denial of service
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 2
Creation date: 22/06/2009
Revision date: 23/06/2009
IMPACTED PRODUCTS
Openswan
Unix - platform
DESCRIPTION OF THE VULNERABILITY
The Openswan/strongSwan product implements IPsec for Linux. The ASN.1 format is used by X.509 certificates.
An RDN (Relative Distinguished Name) indicates the unique name of an object in a local context. ASN.1 decoding functions do not check the size of the RDN. An attacker can therefore use a malicious RDN in order to generate a denial of service and possibly to execute code. [grav:2/4]
The ASN.1 UTCTIME and GENERALIZEDTIME types represent a date as a string such as "19991231235959" or "19991231235959.999". Decoding functions use sscanf() to analyze the string. However, the return code of sscanf() is not checked. A malicious string thus generates a fatal error. [grav:2/4]
An attacker can therefore send malformed ASN.1 data in order to stop Openswan or strongSwan.
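The following added example (not Openswan or strongSwan code) shows a time parser that bounds the length-delimited value, restricts it to the expected characters, and checks the sscanf() return code before using the fields. The names parse_asn1_time and struct asn1_tm are hypothetical, and the optional trailing 'Z' and the RFC 5280 two-digit year rule are assumptions not stated in the bulletin.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct asn1_tm { int year, mon, day, hour, min, sec; };

/* Hypothetical helper, not Openswan/strongSwan code. Parses the body of a
 * UTCTIME (YYMMDDhhmmss) or GENERALIZEDTIME (YYYYMMDDhhmmss[.fff]) value,
 * optionally followed by 'Z'. Returns 0 on success, -1 on malformed input. */
int parse_asn1_time(const unsigned char *body, size_t len, int generalized,
                    struct asn1_tm *out)
{
    char buf[32];
    size_t i, ndigits = generalized ? 14 : 12;
    struct asn1_tm t;

    /* The body is length-delimited, not NUL-terminated: bound it first. */
    if (!body || !out || len < ndigits || len >= sizeof(buf))
        return -1;
    /* %d would accept signs and whitespace, so insist on plain digits. */
    for (i = 0; i < ndigits; i++)
        if (!isdigit(body[i]))
            return -1;
    /* Only an optional fraction (GENERALIZEDTIME) and 'Z' may follow. */
    if (generalized && i < len && body[i] == '.') {
        size_t start = ++i;
        while (i < len && isdigit(body[i]))
            i++;
        if (i == start)
            return -1;
    }
    if (i < len && body[i] == 'Z')
        i++;
    if (i != len)
        return -1;

    memcpy(buf, body, ndigits);
    buf[ndigits] = '\0';
    /* The check the bulletin says was missing: all six fields must convert. */
    if (sscanf(buf, generalized ? "%4d%2d%2d%2d%2d%2d" : "%2d%2d%2d%2d%2d%2d",
               &t.year, &t.mon, &t.day, &t.hour, &t.min, &t.sec) != 6)
        return -1;
    if (!generalized)
        t.year += (t.year < 50) ? 2000 : 1900;   /* RFC 5280 two-digit rule */
    if (t.mon < 1 || t.mon > 12 || t.day < 1 || t.day > 31 ||
        t.hour > 23 || t.min > 59 || t.sec > 59)
        return -1;
    *out = t;
    return 0;
}
```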
CHARACTERISTICS
Identifiers: BID-35452, CVE-2009-2185, VIGILANCE-VUL-8814
http://vigilance.fr/vulnerability/Openswan-strongSwan-denials-of-service-of-ASN-1-8814




