Vulnerabilities > CVE-2013-6466 - Remote Denial Of Service vulnerability in Openswan IKEv2 payloads

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
xelerance
nessus

Summary

Openswan 2.6.39 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. Classified as CWE-476: NULL Pointer Dereference (http://cwe.mitre.org/data/definitions/476.html).

Vulnerable Configurations

Part Description Count
Application
Xelerance
79

Nessus

  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20140218_OPENSWAN_ON_SL5_X.NASL
    descriptionA NULL pointer dereference flaw was discovered in the way Openswan's IKE daemon processed IKEv2 payloads. A remote attacker could send specially crafted IKEv2 payloads that, when processed, would lead to a denial of service (daemon crash), possibly causing existing VPN connections to be dropped. (CVE-2013-6466)
    last seen2020-03-18
    modified2014-02-19
    plugin id72570
    published2014-02-19
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/72570
    titleScientific Linux Security Update : openswan on SL5.x, SL6.x i386/x86_64 (20140218)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      # Registration branch: runs only when the scanner loads the plugin to
      # read its metadata. It ends with exit(0), so the package checks that
      # follow this block never run in this mode.
      script_id(72570);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      # Single CVE covered by the SL erratum of 2014-02-18.
      script_cve_id("CVE-2013-6466");
    
      script_name(english:"Scientific Linux Security Update : openswan on SL5.x, SL6.x i386/x86_64 (20140218)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A NULL pointer dereference flaw was discovered in the way Openswan's
    IKE daemon processed IKEv2 payloads. A remote attacker could send
    specially crafted IKEv2 payloads that, when processed, would lead to a
    denial of service (daemon crash), possibly causing existing VPN
    connections to be dropped. (CVE-2013-6466)"
      );
      # Shortened link to the Scientific Linux errata announcement below.
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1402&L=scientific-linux-errata&T=0&P=2182
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d8fc555c"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected openswan, openswan-debuginfo and / or openswan-doc
    packages."
      );
      # CVSSv2: network vector, low complexity, no auth, availability-only impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      # Local (authenticated) check; CPEs name the packages the erratum ships.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:openswan");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:openswan-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:openswan-doc");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/02/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      # The KB keys read by the check body below are populated by ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
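    # Check body: confirm the target is a Scientific Linux host on a supported
    # architecture with an rpm list available, then compare the installed
    # openswan packages against the fixed versions from the 20140218 erratum.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    # The erratum and the rpm_check() calls below cover both SL5 and SL6; gating
    # on 6.x alone would leave the SL5 checks unreachable, so accept either major.
    if (! preg(pattern:"^(5|6)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 5.x / 6.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only i386 and x86_64 builds are covered by this advisory.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    # flag counts installed packages older than the fixed reference version;
    # rpm_check() also records each comparison for rpm_report_get() below.
    flag = 0;
    if (rpm_check(release:"SL5", reference:"openswan-2.6.32-7.3.el5_10")) flag++;
    if (rpm_check(release:"SL5", reference:"openswan-debuginfo-2.6.32-7.3.el5_10")) flag++;
    if (rpm_check(release:"SL5", reference:"openswan-doc-2.6.32-7.3.el5_10")) flag++;
    
    if (rpm_check(release:"SL6", reference:"openswan-2.6.32-27.2.el6_5")) flag++;
    if (rpm_check(release:"SL6", reference:"openswan-debuginfo-2.6.32-27.2.el6_5")) flag++;
    if (rpm_check(release:"SL6", reference:"openswan-doc-2.6.32-27.2.el6_5")) flag++;
    
    
    if (flag)
    {
      # At least one vulnerable package found: report with the rpm details.
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      # Distinguish "packages present but already fixed" from "not installed".
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openswan / openswan-debuginfo / openswan-doc");
    }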
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2014-0185.NASL
    descriptionUpdated openswan packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. A NULL pointer dereference flaw was discovered in the way Openswan
    last seen2020-06-01
    modified2020-06-02
    plugin id72561
    published2014-02-19
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/72561
    titleCentOS 5 / 6 : openswan (CESA-2014:0185)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2014-0185.NASL
    descriptionFrom Red Hat Security Advisory 2014:0185 : Updated openswan packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. A NULL pointer dereference flaw was discovered in the way Openswan
    last seen2020-06-01
    modified2020-06-02
    plugin id72565
    published2014-02-19
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/72565
    titleOracle Linux 5 / 6 : openswan (ELSA-2014-0185)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2014-0185.NASL
    descriptionUpdated openswan packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. A NULL pointer dereference flaw was discovered in the way Openswan
    last seen2020-06-01
    modified2020-06-02
    plugin id72567
    published2014-02-19
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/72567
    titleRHEL 5 / 6 : openswan (RHSA-2014:0185)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2893.NASL
    descriptionTwo vulnerabilities were fixed in Openswan, an IKE/IPsec implementation for Linux. - CVE-2013-2053 During an audit of Libreswan (with which Openswan shares some code), Florian Weimer found a remote buffer overflow in the atodn() function. This vulnerability can be triggered when Opportunistic Encryption (OE) is enabled and an attacker controls the PTR record of a peer IP address. Authentication is not needed to trigger the vulnerability. - CVE-2013-6466 Iustina Melinte found a vulnerability in Libreswan which also applies to the Openswan code. By carefully crafting IKEv2 packets, an attacker can make the pluto daemon dereference a non-received IKEv2 payload, leading to a crash of the daemon. Authentication is not needed to trigger the vulnerability. Patches were originally written to fix the vulnerabilities in Libreswan, and have been ported to Openswan by Paul Wouters from the Libreswan Project. Since the Openswan package is no longer maintained in the Debian distribution and is not available in the testing and unstable suites, IKE/IPsec users are recommended to switch to a supported implementation such as strongSwan.
    last seen2020-03-17
    modified2014-04-02
    plugin id73293
    published2014-04-02
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73293
    titleDebian DSA-2893-1 : openswan - security update
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2014-303.NASL
    descriptionA NULL pointer dereference flaw was discovered in the way Openswan
    last seen2020-06-01
    modified2020-06-02
    plugin id72951
    published2014-03-12
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/72951
    titleAmazon Linux AMI : openswan (ALAS-2014-303)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201411-07.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201411-07 (Openswan: Denial of Service) A NULL pointer dereference has been found in Openswan. Impact : A remote attacker could create a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id79415
    published2014-11-24
    reporterThis script is Copyright (C) 2014-2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/79415
    titleGLSA-201411-07 : Openswan: Denial of Service

Redhat

advisories
bugzilla
id1050277
titleCVE-2013-6466 openswan: dereferencing missing IKEv2 payloads causes pluto daemon to restart
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 5 is installed
      ovaloval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • commentopenswan-doc is earlier than 0:2.6.32-7.3.el5_10
          ovaloval:com.redhat.rhsa:tst:20140185001
        • commentopenswan-doc is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20090402002
      • AND
        • commentopenswan is earlier than 0:2.6.32-7.3.el5_10
          ovaloval:com.redhat.rhsa:tst:20140185003
        • commentopenswan is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20090402004
  • AND
    • commentRed Hat Enterprise Linux 6 is installed
      ovaloval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • commentopenswan is earlier than 0:2.6.32-27.2.el6_5
          ovaloval:com.redhat.rhsa:tst:20140185006
        • commentopenswan is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100892002
      • AND
        • commentopenswan-doc is earlier than 0:2.6.32-27.2.el6_5
          ovaloval:com.redhat.rhsa:tst:20140185008
        • commentopenswan-doc is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100892004
rhsa
idRHSA-2014:0185
released2014-02-18
severityModerate
titleRHSA-2014:0185: openswan security update (Moderate)
rpms
  • openswan-0:2.6.32-27.2.el6_5
  • openswan-0:2.6.32-7.3.el5_10
  • openswan-debuginfo-0:2.6.32-27.2.el6_5
  • openswan-debuginfo-0:2.6.32-7.3.el5_10
  • openswan-doc-0:2.6.32-27.2.el6_5
  • openswan-doc-0:2.6.32-7.3.el5_10

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 65155 CVE(CAN) ID: CVE-2013-6466 Openswan是一款Linux系统下的IPSEC实现,基于FreeS/WAN项目。 Openswan 2.6.39及之前版本在实现上存在远程拒绝服务漏洞,攻击者通过畸形的IKEv2数据包,利用此漏洞可造成应用重启,导致拒绝服务。 0 Openswan Openswan <= 2.6.39 厂商补丁: Openswan -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.openswan.org/ https://libreswan.org/security/CVE-2013-6467/CVE-2013-6467.txt
idSSV:61495
last seen2017-11-19
modified2014-02-20
published2014-02-20
reporterRoot
titleOpenswan IKEv2负载远程拒绝服务漏洞