Vigil@nce - strongSwan : NULL pointer dereference via IKEv1
November 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can dereference a NULL pointer during the processing
of IKEv1 packets by strongSwan, in order to trigger a denial of
service.
Impacted products : Unix (platform)
Severity : 2/4
Creation date : 05/11/2013
DESCRIPTION OF THE VULNERABILITY
The strongSwan product is used to establish an IPsec VPN tunnel
with a Linux system.
An IKEv1 (Internet Key Exchange) message can be fragmented.
However, the handle_fragment() function of the
src/libcharon/sa/ikev1/task_manager_v1.c file does not check
whether a pointer is NULL before using it.
An attacker can therefore dereference a NULL pointer during the
processing of IKEv1 packets by strongSwan, in order to trigger a
denial of service.
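The missing-check pattern described above, as an added illustration in C (not strongSwan's code and not part of the bulletin). The message model, find_payload(), demo() and the choice of an absent fragment payload as the NULL source are assumptions made for the example; the bulletin does not say which pointer is NULL.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a parsed IKEv1 message (not strongSwan's types). */
enum payload_type { PL_OTHER, PL_FRAGMENT };
struct payload { enum payload_type type; const unsigned char *data; size_t len; };
struct message { const struct payload *payloads; size_t count; };

/* Returns the first payload of type t, or NULL when the message has none. */
static const struct payload *find_payload(const struct message *m, enum payload_type t)
{
    for (size_t i = 0; i < m->count; i++)
        if (m->payloads[i].type == t)
            return &m->payloads[i];
    return NULL;
}

/* Unchecked pattern: the lookup result is used without a NULL test. */
int handle_fragment_unchecked(const struct message *m, size_t *total)
{
    *total += find_payload(m, PL_FRAGMENT)->len;  /* NULL deref if absent */
    return 0;
}

/* Hardened pattern: reject the malformed message, keep the daemon running. */
int handle_fragment_checked(const struct message *m, size_t *total)
{
    if (m == NULL || total == NULL) return -1;
    const struct payload *p = find_payload(m, PL_FRAGMENT);
    if (p == NULL || (p->len > 0 && p->data == NULL)) return -1;
    *total += p->len;
    return 0;
}

/* Constructed inputs: a message without, then with, a fragment payload. */
long demo(int with_fragment)
{
    static const unsigned char body[5] = { 1, 2, 3, 4, 5 };
    struct payload pl[2] = { { PL_OTHER, body, 5 }, { PL_FRAGMENT, body, 5 } };
    struct message m = { pl, with_fragment ? 2u : 1u };
    size_t total = 0;
    return handle_fragment_checked(&m, &total) == 0 ? (long)total : -1L;
}

int main(void)
{
    printf("no fragment: %ld, fragment: %ld\n", demo(0), demo(1));
    return 0;
}
```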
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/strongSwan-NULL-pointer-dereference-via-IKEv1-13706