This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker can dereference a NULL pointer during the processing
of IKEv1 packets by strongSwan, in order to trigger a denial of
service.

Impacted products : Unix (platform)

Severity : 2/4

Creation date : 05/11/2013

DESCRIPTION OF THE VULNERABILITY

The strongSwan product is used to establish a VPN IPsec tunnel
with a Linux system.

An IKEv1 (Internet Key Exchange) message can be fragmented.
However, the handle_fragment() function of the
src/libcharon/sa/ikev1/task_manager_v1.c file does not check if a
pointer is NULL, before using it.

An attacker can therefore dereference a NULL pointer during the
processing of IKEv1 packets by strongSwan, in order to trigger a
denial of service.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/strongSwan-NULL-pointer-dereference-via-IKEv1-13706