Vulnerabilities > CVE-2013-2053 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Xelerance Openswan
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Buffer overflow in the atodn function in Openswan before 2.6.39, when Opportunistic Encryption is enabled and an RSA key is being used, allows remote attackers to cause a denial of service (pluto IKE daemon crash) and possibly execute arbitrary code via crafted DNS TXT records. NOTE: this might be the same vulnerability as CVE-2013-2052 and CVE-2013-2054.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Scientific Linux Local Security Checks NASL id SL_20130515_OPENSWAN_ON_SL5_X.NASL description A buffer overflow flaw was found in Openswan. If Opportunistic Encryption were enabled ( last seen 2020-03-18 modified 2013-05-16 plugin id 66462 published 2013-05-16 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66462 title Scientific Linux Security Update : openswan on SL5.x, SL6.x i386/x86_64 (20130515) NASL family SuSE Local Security Checks NASL id SUSE_OPENSWAN-8627.NASL description This openswan update fixes a remote buffer overflow issue. (bnc#824316 / CVE-2013-2053) last seen 2020-06-05 modified 2013-07-06 plugin id 67199 published 2013-07-06 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/67199 title SuSE 10 Security Update : openswan (ZYPP Patch Number 8627) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201401-09.NASL description The remote host is affected by the vulnerability described in GLSA-201401-09 (Openswan: User-assisted execution of arbitrary code) A buffer overflow flaw has been discovered in Openswan when using Opportunistic Encryption. Impact : A remote attacker could send a specially crafted DNS TXT record, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 72017 published 2014-01-20 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/72017 title GLSA-201401-09 : Openswan: User-assisted execution of arbitrary code NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-0827.NASL description Updated openswan packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. When using Opportunistic Encryption, Openswan last seen 2020-06-01 modified 2020-06-02 plugin id 66459 published 2013-05-16 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66459 title RHEL 5 / 6 : openswan (RHSA-2013:0827) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2013-0827.NASL description From Red Hat Security Advisory 2013:0827 : Updated openswan packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. When using Opportunistic Encryption, Openswan last seen 2020-06-01 modified 2020-06-02 plugin id 68822 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68822 title Oracle Linux 5 / 6 : openswan (ELSA-2013-0827) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2013-0827.NASL description Updated openswan packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. When using Opportunistic Encryption, Openswan last seen 2020-06-01 modified 2020-06-02 plugin id 66451 published 2013-05-16 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66451 title CentOS 5 / 6 : openswan (CESA-2013:0827) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2893.NASL description Two vulnerabilities were fixed in Openswan, an IKE/IPsec implementation for Linux. - CVE-2013-2053 During an audit of Libreswan (with which Openswan shares some code), Florian Weimer found a remote buffer overflow in the atodn() function. This vulnerability can be triggered when Opportunistic Encryption (OE) is enabled and an attacker controls the PTR record of a peer IP address. Authentication is not needed to trigger the vulnerability. - CVE-2013-6466 Iustina Melinte found a vulnerability in Libreswan which also applies to the Openswan code. By carefully crafting IKEv2 packets, an attacker can make the pluto daemon dereference non-received IKEv2 payload, leading to the daemon crash. Authentication is not needed to trigger the vulnerability. Patches were originally written to fix the vulnerabilities in Libreswan, and have been ported to Openswan by Paul Wouters from the Libreswan Project. Since the Openswan package is not maintained anymore in the Debian distribution and is not available in testing and unstable suites, it is recommended for IKE/IPsec users to switch to a supported implementation like strongSwan. last seen 2020-03-17 modified 2014-04-02 plugin id 73293 published 2014-04-02 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73293 title Debian DSA-2893-1 : openswan - security update NASL family SuSE Local Security Checks NASL id SUSE_11_OPENSWAN-130625.NASL description This openswan update fixes a remote buffer overflow issue. (bnc#824316 / CVE-2013-2053) last seen 2020-06-05 modified 2013-07-06 plugin id 67197 published 2013-07-06 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/67197 title SuSE 11.2 Security Update : openswan (SAT Patch Number 7925) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2013-192.NASL description A buffer overflow flaw was found in Openswan. If Opportunistic Encryption were enabled ( last seen 2020-06-01 modified 2020-06-02 plugin id 69750 published 2013-09-04 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69750 title Amazon Linux AMI : openswan (ALAS-2013-192)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://rhn.redhat.com/errata/RHSA-2013-0827.html
- http://www.securityfocus.com/bid/59838
- https://lists.libreswan.org/pipermail/swan-announce/2013/000003.html
- https://bugzilla.redhat.com/show_bug.cgi?id=960229
- https://www.openswan.org/news/13
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00008.html
- http://www.debian.org/security/2014/dsa-2893