Vulnerabilities > CVE-2018-6459 - Improper Verification of Cryptographic Signature vulnerability in Strongswan 5.6.1

047910
CVSS 5.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
LOW
network
low complexity
strongswan
CWE-347
nessus

Summary

The rsa_pss_params_parse function in libstrongswan/credentials/keys/signature_params.c in strongSwan 5.6.1 allows remote attackers to cause a denial of service via a crafted RSASSA-PSS signature that lacks a mask generation function parameter.

Vulnerable Configurations

Part Description Count
Application
Strongswan
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Padding Oracle Crypto Attack
    An attacker is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an attacker is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an attacker is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key. Any cryptosystem can be vulnerable to padding oracle attacks if the encrypted messages are not authenticated to ensure their validity prior to decryption, and then the information about padding error is leaked to the attacker. This attack technique may be used, for instance, to break CAPTCHA systems or decrypt/modify state information stored in client side objects (e.g., hidden fields or cookies). This attack technique is a side-channel attack on the cryptosystem that uses a data leak from an improperly implemented decryption routine to completely subvert the cryptosystem. The one bit of information that tells the attacker whether a padding error during decryption has occurred, in whatever form it comes, is sufficient for the attacker to break the cryptosystem. That bit of information can come in a form of an explicit error message about a padding error, a returned blank page, or even the server taking longer to respond (a timing attack). This attack can be launched cross domain where an attacker is able to use cross-domain information leaks to get the bits of information from the padding oracle from a target system / service with which the victim is communicating. To do so an attacker sends a request containing ciphertext to the target system. Due to the browser's same origin policy, the attacker is not able to see the response directly, but can use cross-domain information leak techniques to still get the information needed (i.e., information on whether or not a padding error has occurred). For instance, this can be done using "img" tag plus the onerror()/onload() events. The attacker's JavaScript can make web browsers to load an image on the target site, and know if the image is loaded or not. This is 1-bit information needed for the padding oracle attack to work: if the image is loaded, then it is valid padding, otherwise it is not.

Nessus

  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_6A449A37157011E88E00000C294A5758.NASL
    descriptionStrongswan Release Notes reports : Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that was caused by insufficient input validation. One of the configurable parameters in algorithm identifier structures for RSASSA-PSS signatures is the mask generation function (MGF). Only MGF1 is currently specified for this purpose. However, this in turn takes itself a parameter that specifies the underlying hash function. strongSwan
    last seen2020-06-01
    modified2020-06-02
    plugin id107111
    published2018-03-02
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107111
    titleFreeBSD : strongswan - Insufficient input validation in RSASSA-PSS signature parser (6a449a37-1570-11e8-8e00-000c294a5758)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(107111);
      script_version("3.4");
      script_cvs_date("Date: 2018/11/10 11:49:47");
    
      script_cve_id("CVE-2018-6459");
    
      script_name(english:"FreeBSD : strongswan - Insufficient input validation in RSASSA-PSS signature parser (6a449a37-1570-11e8-8e00-000c294a5758)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Strongswan Release Notes reports :
    
    Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
    signatures that was caused by insufficient input validation. One of
    the configurable parameters in algorithm identifier structures for
    RSASSA-PSS signatures is the mask generation function (MGF). Only MGF1
    is currently specified for this purpose. However, this in turn takes
    itself a parameter that specifies the underlying hash function.
    strongSwan's parser did not correctly handle the case of this
    parameter being absent, causing an undefined data read. his
    vulnerability has been registered as CVE-2018-6459."
      );
      # https://github.com/strongswan/strongswan/commit/40da179f28b768ffcf6ff7e2f68675eb44806668
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?abbd5042"
      );
      # https://vuxml.freebsd.org/freebsd/6a449a37-1570-11e8-8e00-000c294a5758.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4c134768"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:strongswan");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"strongswan=5.6.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0743-1.NASL
    descriptionThis update for strongswan fixes the following issues : Strongswan was updated to version 5.8.2 (jsc#SLE-11370). Security issue fixed : CVE-2018-6459: Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that was caused by insufficient input validation (bsc#1079548). Full changelogs : Version 5.8.2 - Identity-based CA constraints, which enforce that the certificate chain of the remote peer contains a CA certificate with a specific identity, are supported via vici/swanctl.conf. This is similar to the existing CA constraints but doesn
    last seen2020-03-26
    modified2020-03-24
    plugin id134852
    published2020-03-24
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134852
    titleSUSE SLED15 / SLES15 Security Update : strongswan (SUSE-SU-2020:0743-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2020:0743-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134852);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/25");
    
      script_cve_id("CVE-2018-10811", "CVE-2018-16151", "CVE-2018-16152", "CVE-2018-17540", "CVE-2018-5388", "CVE-2018-6459");
    
      script_name(english:"SUSE SLED15 / SLES15 Security Update : strongswan (SUSE-SU-2020:0743-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for strongswan fixes the following issues :
    
    Strongswan was updated to version 5.8.2 (jsc#SLE-11370).
    
    Security issue fixed :
    
    CVE-2018-6459: Fixed a DoS vulnerability in the parser for PKCS#1
    RSASSA-PSS signatures that was caused by insufficient input validation
    (bsc#1079548).
    
    Full changelogs :
    
    Version 5.8.2
    
      - Identity-based CA constraints, which enforce that the
        certificate chain of the remote peer contains a CA
        certificate with a specific identity, are supported via
        vici/swanctl.conf. This is similar to the existing CA
        constraints but doesn't require that the CA certificate
        is locally installed, for instance, intermediate CA
        certificates received from the peers. Wildcard identity
        matching (e.g. ..., OU=Research, CN=*) could also be
        used for the latter but requires trust in the
        intermediate CAs to only issue certificates with
        legitimate subject DNs (e.g. the 'Sales' CA must not
        issue certificates with OU=Research). With the new
        constraint that's not necessary as long as a path length
        basic constraint (--pathlen for pki --issue) prevents
        intermediate CAs from issuing further intermediate CAs.
    
      - Intermediate CA certificates may now be sent in
        hash-and-URL encoding by configuring a base URL for the
        parent CA (#3234, swanctl/rw-hash-and-url-multi-level).
    
      - Implemented NIST SP-800-90A Deterministic Random Bit
        Generator (DRBG) based on AES-CTR and SHA2-HMAC modes.
        Currently used by the gmp and ntru plugins.
    
      - Random nonces sent in an OCSP requests are now expected
        in the corresponding OCSP responses.
    
      - The kernel-netlink plugin now ignores deprecated IPv6
        addresses for MOBIKE. Whether temporary or permanent
        IPv6 addresses are included now depends on the
        charon.prefer_temporary_addrs setting (#3192).
    
      - Extended Sequence Numbers (ESN) are configured via
        PF_KEY if supported by the kernel.
    
      - The PF_KEY socket's receive buffer in the kernel-pfkey
        plugin is now cleared before sending requests, as many
        of the messages sent by the kernel are sent as
        broadcasts to all PF_KEY sockets. This is an issue if an
        external tool is used to manage SAs/policies unrelated
        to IPsec (#3225).
    
      - The vici plugin now uses unique section names for
        CHILD_SAs in child-updown events (7c74ce9190).
    
      - For individually deleted CHILD_SAs (in particular for
        IKEv1) the vici child-updown event now includes more
        information about the CHILD_SAs such as traffic
        statistics (#3198).
    
      - Custom loggers are correctly re-registered if log levels
        are changed via stroke loglevel (#3182).
    
      - Avoid lockups during startup on low entropy systems when
        using OpenSSL 1.1.1 (095a2c2eac).
    
      - Instead of failing later when setting a key, creating
        HMACs via openssl plugin now fails instantly if the
        underlying hash algorithm isn't supported (e.g. MD5 in
        FIPS-mode) so fallbacks to other plugins work properly
        (#3284).
    
      - Exponents of RSA keys read from TPM 2.0 via SAPI are
        correctly converted (8ee1242f1438).
    
      - Routing table IDs > 255 are supported for custom routes
        on Linux.
    
      - To avoid races, the check for hardware offloading
        support in the kernel-netlink plugin is performed during
        initialization of the plugin (a605452c03).
    
      - The D-Bus config file for charon-nm is now installed in
        $(datadir)/dbus-1/system.d instead of
        $(sysconfdir)/dbus-1/system.d, which is intended for
        sysadmin overrides. INVALID_MAJOR_VERSION notifies are
        now correctly sent in messages of the same exchange type
        and with the same message ID as the request.
    
      - IKEv2 SAs are now immediately destroyed when sending or
        receiving INVALID_SYNTAX notifies in authenticated
        messages.
    
      - For developers working from the repository the configure
        script now aborts if GNU gperf is not found.
    
    Version 5.8.1
    
      - RDNs in DNs of X.509 certificates can now optionally be
        matched less strict. The global strongswan.conf option
        charon.rdn_matching takes two alternative values that
        cause the matching algorithm to either ignore the order
        of matched RDNs (reordered) or additionally (relaxed)
        accept DNs that contain more RDNs than configured
        (unmatched RDNs are treated like wildcard matches).
    
      - The updown plugin now passes the same interface to the
        script that is also used for the automatically installed
        routes, that is, the interface over which the peer is
        reached instead of the interface on which the local
        address is found (#3095).
    
      - TPM 2.0 contexts are now protected by a mutex to prevent
        issues if multiple IKE_SAs use the same private key
        concurrently (4b25885025).
    
      - Do a rekey check after the third QM message was received
        (#3060).
    
      - If available, explicit_bzero() is now used as memwipe()
        instead of our own implementation.
    
      - An .editorconfig file has been added, mainly so Github
        shows files with proper indentation (68346b6962).
    
      - The internal certificate of the load-tester plugin has
        been modified so it can again be used as end-entity cert
        with 5.6.3 and later (#3139).
    
      - The maximum data length of received COOKIE notifies (64
        bytes) is now enforced (#3160).
    
    Version 5.8.0
    
      - The systemd service units have been renamed. The modern
        unit, which was called strongswan-swanctl, is now called
        strongswan (the previous name is configured as alias in
        the unit, for which a symlink is created when the unit
        is enabled). The legacy unit is now called
        strongswan-starter.
    
      - Support for XFRM interfaces (available since Linux 4.19)
        has been added, which are intended to replace VTI
        devices (they are similar but offer several advantages,
        for instance, they are not bound to an address or
        address family).
    
      - IPsec SAs and policies are associated with such
        interfaces via interface IDs that can be configured in
        swanctl.conf (dynamic IDs may optionally be allocated
        for each SA and even direction). It's possible to use
        separate interfaces for in- and outbound traffic (or
        only use an interface in one direction and regular
        policies in the other).
    
      - Interfaces may be created dynamically via updown/vici
        scripts, or statically before or after establishing the
        SAs. Routes must be added manually as needed (the daemon
        will not install any routes for outbound policies with
        an interface ID).
    
      - When moving XFRM interfaces to other network namespaces
        they retain access to the SAs and policies installed in
        the original namespace, which allows providing IPsec
        tunnels for processes in other network namespaces
        without giving them access to the IPsec keys or IKE
        credentials. More information can be found on the page
        about route-based VPNs.
    
      - Initiation of childless IKE_SAs is supported (RFC 6023).
        If enabled and supported by the responder, no CHILD_SA
        is established during IKE_AUTH. Instead, all CHILD_SAs
        are created with CREATE_CHILD_SA exchanges. This allows
        using a separate DH exchange even for the first
        CHILD_SA, which is otherwise created during IKE_AUTH
        with keys derived from the IKE_SA's key material.
    
      - The swanctl --initiate command may be used to initiate
        only the IKE_SA via --ike option if --child is omitted
        and the peer supports this extension.
    
      - The NetworkManager backend and plugin support IPv6.
    
      - The new wolfssl plugin is a wrapper around the wolfSSL
        crypto library. Thanks to Sean Parkinson of wolfSSL Inc.
        for the initial patch.
    
      - IKE SPIs may optionally be labeled via the
        charon.spi_mask|label options in strongswan.conf. This
        feature was extracted from charon-tkm, however, now
        applies the mask/label in network order.
    
      - The openssl plugin supports ChaCha20-Poly1305 when built
        with OpenSSL 1.1.0.
    
      - The PB-TNC finite state machine according to section 3.2
        of RFC 5793 was not correctly implemented when sending
        either a CRETRY or SRETRY batch. These batches can only
        be sent in the 'Decided' state and a CRETRY batch can
        immediately carry all messages usually transported by a
        CDATA batch. It is currently not possible to send a
        SRETRY batch since full-duplex mode for PT-TLS transport
        is not supported.
    
      - Instead of marking IPv6 virtual IPs as deprecated, the
        kernel-netlink plugin now uses address labels to avoid
        that such addresses are used for non-VPN traffic
        (00a953d090).
    
      - The agent plugin now creates sockets to the
        ssh/gpg-agent dynamically and does not keep them open,
        which otherwise might prevent the agent from getting
        terminated.
    
      - To avoid broadcast loops the forecast plugin now only
        reinjects packets that are marked or received from the
        configured interface.
    
      - UTF-8 encoded passwords are supported via EAP-MSCHAPv2,
        which internally uses an UTF-16LE encoding to calculate
        the NT hash (#3014).
    
      - Properly delete temporary drop policies (used when
        updating IP addresses of SAs) if manual priorities are
        used, which was broken since 5.6.2 (8e31d65730).
    
      - Avoid overwriting start_action when parsing the
        inactivity timeout in the vici plugin (#2954).
    
      - Fixed the automatic termination of reloaded vici
        connections with start_action=start, which was broken
        since 5.6.3 (71b22c250f).
    
      - The lookup for shared secrets for IKEv1 SAs via sql
        plugin should now work better (6ec9f68f32).
    
      - Fixed a race condition in the trap manager between
        installation and removal of a policy (69cbe2ca3f).
    
      - The IPsec stack detection and module loading in starter
        has been removed (it wasn't enforced anyway and loading
        modules doesn't seem necessary, also KLIPS hasn't been
        supported for a long time and PF_KEY will eventually be
        removed from the Linux kernel, ba817d2917).
    
      - Several IKEv2 protocol details are now handled more
        strictly: Unrequested virtual IPs are ignored, CFG_REPLY
        payloads are ignored if no CFG_REQUEST payloads were
        sent, a USE TRANSPORT_MODE notify received from the
        responder is checked against the local configuration.
    
      - The keys and certificates used by the scenarios in the
        testing environment are now generated dynamically.
        Running the testing/scripts/build-certs script after
        creating the base and root images uses the pki utility
        installed in the latter to create the keys and
        certificates for all the CAs and in some cases for
        individual scenarios. These credentials are stored in
        the source tree, not the image, so this has to be called
        only once even if the images are later rebuilt. The
        script automatically (re-)rebuilds the guest images as
        that generates fresh CRLs and signs the DNS zones. The
        only keys/certificates currently not generated are the
        very large ones used by the ikev2/rw-eap-tls-fragments
        scenario.
    
    Version 5.7.2
    
      - For RSA with PSS padding, the TPM 2.0 specification
        mandates the maximum salt length (as defined by the
        length of the key and hash). However, if the TPM is
        FIPS-168-4 compliant, the salt length equals the hash
        length. This is assumed for FIPS-140-2 compliant TPMs,
        but if that's not the case, it might be necessary to
        manually enable charon.plugins.tpm.fips_186_4 if the TPM
        doesn't use the maximum salt length.
    
      - Directories for credentials loaded by swanctl are now
        accessed relative to the loaded swanctl.conf file, in
        particular, when loading it from a custom location via
        --file argument.
    
      - The base directory, which is used if no custom location
        for swanctl.conf is specified, is now also configurable
        at runtime via SWANCTL_DIR environment variable.
    
      - If RADIUS Accounting is enabled, the eap-radius plugin
        will add the session ID (Acct-Session-Id) to
        Access-Request messages, which e.g. simplifies
        associating database entries for IP leases and
        accounting with sessions (the session ID does not change
        when IKE_SAs are rekeyed, #2853).
    
      - All IP addresses assigned by a RADIUS server are
        included in Accounting-Stop messages even if the client
        did not claim them, allowing to release them early in
        case of connection errors (#2856).
    
      - Selectors installed on transport mode SAs by the
        kernel-netlink plugin are now updated if an IP address
        changes (e.g. via MOBIKE) and it was part of the
        selectors.
    
      - No deletes are sent anymore when a rekeyed CHILD_SA
        expires (#2815).
    
      - The bypass-lan plugin now tracks interfaces to handle
        subnets that move from one interface to another and
        properly update associated routes (#2820).
    
      - Only valid and expected inbound IKEv2 messages are used
        to update the timestamp of the last received message
        (previously, retransmits also triggered an update).
    
      - IKEv2 requests from responders are now ignored until the
        IKE_SA is fully established (e.g. if a DPD request from
        the peer arrives before the IKE_AUTH response does,
        46bea1add9). Delayed IKE_SA_INIT responses with COOKIE
        notifies we already recevied are ignored, they caused
        another reset of the IKE_SA previously (#2837).
    
      - Active and queued Quick Mode tasks are now adopted if
        the peer reauthenticates an IKEv1 SA while creating lots
        of CHILD_SAs.
    
      - Newer versions of the FreeBSD kernel add an
        SADB_X_EXT_SA2 extension to SADB_ACQUIRE messages, which
        allows the kernel-pfkey plugin to determine the reqid of
        the policy even if it wasn't installed by the daemon
        previously (e.g. when using FreeBSD's if_ipsec(4) VTIs,
        which install policies themselves, 872b9b3e8d).
    
      - Added support for RSA signatures with SHA-256 and
        SHA-512 to the agent plugin. For older versions of
        ssh/gpg-agent that only support SHA-1, IKEv2 signature
        authentication has to be disabled via
        charon.signature_authentication.
    
      - The sshkey and agent plugins support Ed25519/Ed448 SSH
        keys and signatures.
    
      - The openssl plugin supports X25519/X448 Diffie-Hellman
        and Ed25519/Ed448 keys and signatures when built against
        OpenSSL 1.1.1.
    
      - Support for Ed25519, ChaCha20/Poly1305, SHA-3 and
        AES-CCM were added to the botan plugin.
    
      - The mysql plugin now properly handles database
        connections with transactions under heavy load (#2779).
    
      - IP addresses in ha pools are now distributed evenly
        among all segments (#2828).
    
      - Private key implementations may optionally provide a
        list of supported signature schemes, which, as described
        above, is used by the tpm plugin because for each key on
        a TPM 2.0 the hash algorithm and for RSA also the
        padding scheme is predefined.
    
      - The testing environment is now based on Debian 9
        (stretch) by default. This required some changes, in
        particular, updating to FreeRADIUS 3.x (which forced us
        to abandon the TNC@FHH patches and scenarios,
        2fbe44bef3) and removing FIPS-enabled versions of
        OpenSSL (the FIPS module only supports OpenSSL 1.0.2).
    
      - Most test scenarios were migrated to swanctl.
    
    Version 5.7.1
    
      - Fixes a vulnerability in the gmp plugin triggered by
        crafted certificates with RSA keys with very small
        moduli. When verifying signatures with such keys, the
        code patched with the fix for CVE-2018-16151/2 caused an
        integer underflow and subsequent heap buffer overflow
        that results in a crash of the daemon.
    
      - The vulnerability has been registered as CVE-2018-17540.
    
    Version 5.7.0
    
      - Fixes a potential authorization bypass vulnerability in
        the gmp plugin that was caused by a too lenient
        verification of PKCS#1 v1.5 signatures. Several flaws
        could be exploited by a Bleichenbacher-style attack to
        forge signatures for low-exponent keys (i.e. with e=3).
    
      - CVE-2018-16151 has been assigned to the problem of
        accepting random bytes after the OID of the hash
        function in such signatures, and CVE-2018-16152 has been
        assigned to the issue of not verifying that the
        parameters in the ASN.1 algorithmIdentitifer structure
        is empty. Other flaws that don't lead to a vulnerability
        directly (e.g. not checking for at least 8 bytes of
        padding) have no separate CVE assigned.
    
      - Dots are not allowed anymore in section names in
        swanctl.conf and strongswan.conf. This mainly affects
        the configuration of file loggers. If the path for such
        a log file contains dots it now has to be configured in
        the new path setting within the arbitrarily renamed
        subsection in the filelog section.
    
      - Sections in swanctl.conf and strongswan.conf may now
        reference other sections. All settings and subsections
        from such a section are inherited. This allows to
        simplify configs as redundant information has only to be
        specified once and may then be included in other
        sections (see strongswan.conf for an example).
    
      - The originally selected IKE config (based on the IPs and
        IKE version) can now change if no matching algorithm
        proposal is found. This way the order of the configs
        doesn't matter that much anymore and it's easily
        possible to specify separate configs for clients that
        require weaker algorithms (instead of having to also add
        them in other configs that might be selected).
    
      - Support for Postquantum Preshared Keys for IKEv2
        (draft-ietf-ipsecme-qr-ikev2) has been added. For an
        example refer to the swanctl/rw-cert-ppk scenario (or
        with EAP, or PSK authentication).
    
      - The new botan plugin is a wrapper around the Botan C++
        crypto library. It requires a fairly recent build from
        Botan's master branch (or the upcoming 2.8.0 release).
        Thanks to René Korthaus and
        his team from Rohde & Schwarz Cybersecurity for the
        initial patch and to Jack Lloyd for quickly adding
        missing functions to Botan's FFI (C89) interface.
    
      - Implementation of RFC 8412 'Software Inventory Message
        and Attributes (SWIMA) for PA-TNC'.
    
      - SWIMA subscription option sets CLOSE_WRITE trigger on
        apt history.log file resulting in a ClientRetry PB-TNC
        batch to initialize a new measurement cycle. The new
        imv/imc-swima plugins replace the previous imv/imc-swid
        plugins, which were removed.
    
      - Added support for fuzzing the PA-TNC (RFC 5792) and
        PB-TNC (RFC 5793) NEA protocols on Google's OSS-Fuzz
        infrastructure.
    
      - Support for version 2 of Intel's TPM2-TSS TGC Software
        Stack. The presence of the in-kernel /dev/tpmrm0
        resource manager is automatically detected.
    
      - The pki tool accepts a xmppAddr otherName as a
        subjectAlternativeName using the syntax --san
        xmppaddr:<jid>.
    
      - swanctl.conf supports the configuration of marks the in-
        and/or outbound SA should apply to packets after
        processing on Linux. Configuring such a mark for
        outbound SAs requires at least a 4.14 kernel. The
        ability to set a mask and configuring a mark/mask for
        inbound SAs will be added with the upcoming 4.19 kernel.
    
      - New options in swanctl.conf allow configuring
        how/whether DF, ECN and DS fields in the IP headers are
        copied during IPsec processing. Controlling this is
        currently only possible on Linux.
    
      - The handling of sequence numbers in IKEv1 DPDs has been
        improved (#2714).
    
      - To avoid conflicts, the dhcp plugin now only uses the
        DHCP server port if explicitly configured.
    
    Version 5.6.3
    
      - Fixed a DoS vulnerability in the IKEv2 key derivation if
        the openssl plugin is used in FIPS mode and HMAC-MD5 is
        negotiated as PRF. This vulnerability has been
        registered as CVE-2018-10811.
    
      - Fixed a vulnerability in the stroke plugin, which did
        not check the received length before reading a message
        from the socket. Unless a group is configured, root
        privileges are required to access that socket, so in the
        default configuration this shouldn't be an issue. This
        vulnerability has been registered as CVE-2018-5388.
    
      - CRLs that are not yet valid are now ignored to avoid
        problems in scenarios where expired certificates are
        removed from new CRLs and the clock on the host doing
        the revocation check is trailing behind that of the host
        issuing CRLs. Not doing this could result in accepting a
        revoked and expired certificate, if it's still valid
        according to the trailing clock but not contained
        anymore in not yet valid CRLs.
    
      - The issuer of fetched CRLs is now compared to the issuer
        of the checked certificate (#2608).
    
      - CRL validation results other than revocation (e.g. a
        skipped check because the CRL couldn't be fetched) are
        now stored also for intermediate CA certificates and not
        only for end-entity certificates, so a strict CRL policy
        can be enforced in such cases.
    
      - In compliance with RFC 4945, section 5.1.3.2,
        certificates used for IKE must now either not contain a
        keyUsage extension (like the ones generated by pki), or
        have at least one of the digitalSignature or
        nonRepudiation bits set.
    
      - New options for vici/swanctl allow forcing the local
        termination of an IKE_SA. This might be useful in
        situations where it's known the other end is not
        reachable anymore, or that it already removed the
        IKE_SA, so retransmitting a DELETE and waiting for a
        response would be pointless.
    
      - Waiting only a certain amount of time for a response
        (i.e. shorter than all retransmits would be) before
        destroying the IKE_SA is also possible by additionally
        specifying a timeout in the forced termination request.
    
      - When removing routes, the kernel-netlink plugin now
        checks if it tracks other routes for the same
        destination and replaces the installed route instead of
        just removing it. Same during installation, where
        existing routes previously weren't replaced. This should
        allow using traps with virtual IPs on Linux (#2162).
    
      - The dhcp plugin now only sends the client identifier
        DHCP option if the identity_lease setting is enabled
        (7b660944b6). It can also send identities of up to 255
        bytes length, instead of the previous 64 bytes
        (30e886fe3b, 0e5b94d038). If a server address is
        configured, DHCP requests are now sent from port 67
        instead of 68 to avoid ICMP port unreachables
        (becf027cd9).
    
      - The handling of faulty INVALID_KE_PAYLOAD notifies (e.g.
        one containing a DH group that wasn't proposed) during
        CREATE_CHILD_SA exchanges has been improved (#2536).
    
      - Roam events are now completely ignored for IKEv1 SAs
        (there is no MOBIKE to handle such changes properly).
    
      - ChaCha20/Poly1305 is now correctly proposed without key
        length (#2614). For compatibility with older releases
        the chacha20poly1305compat keyword may be included in
        proposals to also propose the algorithm with a key
        length (c58434aeff).
    
      - Configuration of hardware offload of IPsec SAs is now
        more flexible and allows a new setting (auto), which
        automatically uses it if the kernel and device both
        support it. If hw offload is set to yes and offloading
        is not supported, the CHILD_SA installation now fails.
    
      - The kernel-pfkey plugin optionally installs routes via
        internal interface (one with an IP in the local traffic
        selector). On FreeBSD, enabling this selects the correct
        source IP when sending packets from the gateway itself
        (e811659323).
    
      - SHA-2 based PRFs are supported in PKCS#8 files as
        generated by OpenSSL 1.1 (#2574).
    
      - The pki --verify tool may load CA certificates and CRLs
        from directories.
    
      - The IKE daemon now also switches to port 4500 if the
        remote port is not 500 (e.g. because the remote maps the
        response to a different port, as might happen on Azure),
        as long as the local port is 500 (85bfab621d).
    
      - Fixed an issue with DNS servers passed to NetworkManager
        in charon-nm (ee8c25516a).
    
      - Logged traffic selectors now always contain the protocol
        if either protocol or port are set (a36d8097ed).
    
      - Only the inbound SA/policy will be updated as reaction
        to IP address changes for rekeyed CHILD_SAs that are
        kept around.
    
      - The parser for strongswan.conf/swanctl.conf now accepts
        = characters in values without having to put the value
        in quotes (e.g. for Base64 encoded shared secrets).
    
        Notes for developers :
    
      - trap_manager_t: Trap policies are now unistalled by
        peer/child name and not the reqid.
    
      - No reqid is returned anymore when installing trap
        policies.
    
      - child_sa_t: A new state (CHILD_DELETED) is used for
        CHILD_SAs that have been deleted but not yet destroyed
        (after a rekeying CHILD_SAs are kept around for a while
        to process delayed packets). This way child_updown
        events are not triggered anymore for such SAs when an
        IKE_SA that has such CHILD_SAs assigned is deleted.
    
    Version 5.6.2
    
      - Fixed a DoS vulnerability in the parser for PKCS#1
        RSASSA-PSS signatures that was caused by insufficient
        input validation. One of the configurable parameters in
        algorithm identifier structures for RSASSA-PSS
        signatures is the mask generation function (MGF). Only
        MGF1 is currently specified for this purpose. However,
        this in turn takes itself a parameter that specifies the
        underlying hash function. strongSwan's parser did not
        correctly handle the case of this parameter being
        absent, causing an undefined data read. This
        vulnerability has been registered as CVE-2018-6459.
    
      - When rekeying IKEv2 IKE_SAs the previously negotiated DH
        group will be reused, instead of using the first
        configured group, which avoids an additional exchange if
        the peer previously selected a different DH group via
        INVALID_KE_PAYLOAD notify. The same is also done when
        rekeying CHILD_SAs except for the first rekeying of the
        CHILD_SA that was created with the IKE_SA, where no DH
        group was negotiated yet. Also, the selected DH group is
        moved to the front in all sent proposals that contain it
        and all proposals that don't are moved to the back in
        order to convey the preference for this group to the
        peer.
    
      - Handling of MOBIKE task queuing has been improved. In
        particular, the response to an address update (with
        NAT-D payloads) is not ignored anymore if only an
        address list update or DPD is queued as that could
        prevent updating the UDP encapsulation in the kernel.
    
      - On Linux, roam events may optionally be triggered by
        changes to the routing rules, which can be useful if
        routing rules (instead of e.g. route metrics) are used
        to switch from one to another interface (i.e. from one
        to another routing table). Since routing rules are
        currently not evaluated when doing route lookups this is
        only useful if the kernel-based route lookup is used
        (4664992f7d).
    
      - The fallback drop policies installed to avoid traffic
        leaks when replacing addresses in installed policies are
        now replaced by temporary drop policies, which also
        prevent acquires because we currently delete and
        reinstall IPsec SAs to update their addresses
        (35ef1b032d).
    
      - Access X.509 certificates held in non-volatile storage
        of a TPM 2.0 referenced via the NV index. Adding the
        --keyid parameter to pki
    
        --print allows to print private keys or certificates
        stored in a smartcard or a TPM 2.0.
    
      - Fixed proposal selection if a peer incorrectly sends DH
        groups in the ESP proposal during IKE_AUTH and also if a
        DH group is configured in the local ESP proposal and
        charon.prefer configured_proposals is disabled
        (d058fd3c32).
    
      - The lookup for PSK secrets for IKEv1 has been improved
        for certain scenarios (see #2497 for details).
    
      - MSKs received via RADIUS are now padded to 64 bytes to
        avoid compatibility issues with EAP-MSCHAPv2 and PRFs
        that have a block size Version 5.6.1
    
      - Several algorithms were removed from the default ESP/AH
        and IKE proposals in compliance with RFC 8221 and RFC
        8247, respectively. Removed from the default ESP/AH
        proposal were the 3DES and Blowfish encryption
        algorithms and the HMAC-MD5 integrity algorithm. From
        the IKE default proposal the HMAC-MD5 integrity
        algorithm and the MODP-1024 Diffie-Hellman group were
        removed (the latter is significant for Windows clients
        in their default configuration). These algorithms may
        still be used in custom proposals.
    
      - Support for RSASSA-PSS signatures has been added. For
        compatibility with previous releases they are currently
        not used automatically, by default, to change that
        charon.rsa_pss may be enabled. To explicitly use or
        require such signatures during IKEv2 signature
        authentication (RFC 7427) ike:rsa/pss... authentication
        constraints may be used for specific connections
        (regardless of whether the strongswan.conf option above
        is enabled). Only the hash algorithm can be specified in
        such constraints, the MGF1 will be based on that hash
        and the salt length will equal the hash length (when
        verifying the salt length is not enforced). To enforce
        such signatures during PKI verification use rsa/pss...
        authentication constraints.
    
      - All pki commands that create certificates/CRLs can be
        made to sign with RSASSA-PSS instead of the classing
        PKCS#1 scheme with the --rsa-padding pss option. As with
        signatures during authentication, only the hash
        algorithm is configurable (via --digest option), the
        MGF1 will be based on that and the salt length will
        equal the hash length.
    
      - These signatures are supported by all RSA backends
        except pkcs11 (i.e. gmp, gcrypt, openssl). The gmp
        plugin requires the mgf1 plugin. Note that RSASSA-PSS
        algorithm identifiers and parameters in keys (public
        keys in certificates or private keys in PKCS#8 files)
        are currently not used as constraints.
    
      - The sec-updater tool checks for security updates in
        dpkg-based repositories (e.g. Debian/Ubuntu) and sets
        the security flags in the IMV policy database
        accordingly. Additionally for each new package version a
        SWID tag for the given OS and HW architecture is created
        and stored in the database.
    
      - Using the sec-updater.sh script template the lookup can
        be automated (e.g. via an hourly cron job).
    
      - When restarting an IKEv2 negotiation after receiving an
        INVALID_KE_PAYLOAD notify (or due to other reasons like
        too many retransmits) a new initiator SPI is allocated.
        This prevents issues caused by retransmits for
        IKE_SA_INIT messages.
    
      - Because the initiator SPI was previously reused when
        restarting the connection delayed responses for previous
        connection attempts were processed and might have caused
        fatal errors due to a failed DH negotiation or because
        of the internal retry counter in the ike-init task. For
        instance, if we proposed a DH group the responder
        rejected we might have later received delayed responses
        that either contained INVALID_KE_PAYLOAD notifies with
        the DH group we already switched to, or, if we
        retransmitted an IKE_SA_INIT with the requested group
        but then had to restart again, a KE payload with a group
        different from the one we proposed.
    
      - The introduction of file versions in the IMV database
        scheme broke file reference hash measurements. This has
        been fixed by creating generic product versions having
        an empty package name.
    
      - A new timeout option for the systime-fix plugin stops
        periodic system time checks after a while and enforces a
        certificate verification, closing or reauthenticating
        all SAs with invalid certificates.
    
      - The IKE event counters, previously only available via
        ipsec listcounters command, may now also be queried and
        reset via vici and the new swanctl --counters command.
        They are collected and provided by the optional counters
        plugin (enabled by default for backwards compatibility
        if the stroke plugin is built).
    
      - Class attributes received in RADIUS Access-Accept
        messages may optionally be added to RADIUS accounting
        messages (655924074b).
    
      - Basic support for systemd sockets has been added, which
        may be used for privilege separation (59db98fb94).
    
      - Inbound marks may optionally be installed in the SA
        again (was removed with 5.5.2) by enabling the
        mark_in_sa option in swanctl.conf.
    
      - The timeout of leases in pools configured via pool
        utility may be configured in other units than hours.
        INITIAL_CONTACT notifies are now only omitted if never
        is configured as uniqueness policy.
    
      - Outbound FWD policies for shunts are not installed
        anymore, by default (as is the case for other policies
        since 5.5.1).
    
      - Don't consider a DH group mismatch during CHILD_SA
        rekeying as failure as responder (e7276f78aa).
    
      - Handling of fragmented IPv4 and IPv6 packets in libipsec
        has been improved (e138003de9).
    
      - Trigger expire events for the correct IPsec SA in
        libipsec (6e861947a0).
    
      - A crash in CRL verification via openssl plugin using
        OpenSSL 1.1 has been fixed (78acaba6a1).
    
      - No hard-coded default proposals are passed from starter
        to the stroke plugin anymore (the IKE proposal used
        curve25519 since 5.5.2, which is an optional plugin).
    
      - A workaround for an issue with virtual IPs on macOS
        10.13 (High Sierra) has been added (039b85dd43).
    
      - Handling of IKE_SA rekey collisions in charon-tkm has
        been fixed.
    
      - Instead of failing or just silently doing nothing unit
        tests may now warn about certain conditions (e.g. if a
        test was not executed due to external dependencies).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079548"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-6459/"
      );
      # https://www.suse.com/support/update/announcement/2020/suse-su-20200743-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?219eb741"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Module for Open Buildservice Development Tools
    15-SP1:zypper in -t patch
    SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-743=1
    
    SUSE Linux Enterprise Module for Basesystem 15-SP1:zypper in -t patch
    SUSE-SLE-Module-Basesystem-15-SP1-2020-743=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-16152");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:strongswan");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:strongswan-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:strongswan-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:strongswan-hmac");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:strongswan-ipsec");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:strongswan-ipsec-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:strongswan-libs0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:strongswan-libs0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:strongswan-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:strongswan-mysql-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:strongswan-nm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:strongswan-nm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:strongswan-sqlite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:strongswan-sqlite-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED15|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP1", os_ver + " SP" + sp);
    if (os_ver == "SLED15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP1", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-debuginfo-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-debugsource-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-mysql-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-mysql-debuginfo-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-nm-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-nm-debuginfo-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-sqlite-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-sqlite-debuginfo-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-debuginfo-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-debugsource-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-hmac-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-ipsec-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-ipsec-debuginfo-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-libs0-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"strongswan-libs0-debuginfo-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-debuginfo-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-debugsource-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-mysql-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-mysql-debuginfo-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-nm-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-nm-debuginfo-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-sqlite-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-sqlite-debuginfo-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-debuginfo-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-debugsource-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-hmac-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-ipsec-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-ipsec-debuginfo-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-libs0-5.8.2-4.6.14")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"strongswan-libs0-debuginfo-5.8.2-4.6.14")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "strongswan");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-403.NASL
    descriptionThis update for strongswan fixes the following issues : Strongswan was updated to version 5.8.2 (jsc#SLE-11370). Security issue fixed : - CVE-2018-6459: Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that was caused by insufficient input validation (bsc#1079548). Full changelogs : Version 5.8.2 - Identity-based CA constraints, which enforce that the certificate chain of the remote peer contains a CA certificate with a specific identity, are supported via vici/swanctl.conf. This is similar to the existing CA constraints but doesn
    last seen2020-04-04
    modified2020-03-30
    plugin id135007
    published2020-03-30
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135007
    titleopenSUSE Security Update : strongswan (openSUSE-2020-403)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201811-16.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201811-16 (strongSwan: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in strongSwan. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could cause a Denial of Service condition or impersonate a user. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id119161
    published2018-11-27
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119161
    titleGLSA-201811-16 : strongSwan: Multiple vulnerabilities