strongswan vulnerability CVE-2017-9022 and CVE-2017-9023
Issue description
The following vulnerability has been reported by strongswan developers:
###
We recently started fuzzing some of our plugins using Google's OSS-Fuzz
infrastructure [1]. This led to the discovery of several bugs. Two of
them may lead to denial-of-service attacks. One affects the gmp plugin,
the other the ASN.1 parser in combination with the x509 plugin.
# Insufficient Input Validation in gmp Plugin
RSA public keys passed to the gmp plugin aren't validated sufficiently
before attempting signature verification, so that invalid input might
lead to a floating point exception. Affected are all strongSwan
versions since 4.4.0 including the latest 5.5.2.
CVE-2017-9022 has been assigned for this vulnerability.
With strongSwan 4.4.0 the gmp plugin started to use mpz_powm_sec(), if
available, for side-channel-free exponentiation. Compared to mpz_powm()
this function has two additional requirements regarding the passed
exponent and modulus: The exponent must be larger than zero and the
modulus must be odd. If these requirements are not met the calculations
performed by libgmp will result in a floating point exception that
crashes the whole process. Until now the plugin simply replaced
mpz_powm() with mpz_powm_sec() without any additional input checks. So
a certificate with an appropriately prepared public key sent by a peer
could be used for a denial-of-service attack.
Remote code execution is not possible due to this issue.
# Incorrect Handling of CHOICE types in ASN.1 parser and x509 plugin
ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when
parsing X.509 certificates with extensions that use such types. This
could lead to infinite looping of the thread parsing a specifically
crafted certificate. Affected are all strongSwan versions including the
latest 5.5.2 (please note that patches for versions < 4.4.0 are not
provided).
CVE-2017-9023 has been assigned for this vulnerability.
Several extensions in X.509 certificates use CHOICE types to allow
exactly one of several possible sub-elements. An extension that's
defined like this, which strongSwan always supported, is
CRLDistributionPoints, where the optional distributionPoint is defined
as follows:
DistributionPointName ::= CHOICE {
fullName [0] GeneralNames,
nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
So it may either be a GeneralName or an RDN but not both and one of them
must be present if there is a distributionPoint. So far the x509 plugin
and ASN.1 parser treated the choices simply as optional elements inside
of a loop, without enforcing that exactly one of them was parsed (or
that any of them were matched). This led to the issue that, if none of
the options were found, the parser was stuck in an infinite loop. Other
extensions that are affected are ipAddrBlocks (supported since 4.3.6)
and CertificatePolicies (since 4.5.1).
A similar issue, for which no separate CVE is assigned, affects the
nameConstraints extension (supported since 4.5.1), where the x509 plugin
incorrectly defined a parsing rule with a loop, where there was none
defined, so that invalid data could lead to an infinite loop.
Remote code execution is not possible due to these issues.
# Mitigation
Since only specific plugins are affected (gmp, x509) installations that
don't have these plugins enabled and loaded are not vulnerable.
The attached patches fix the vulnerabilities in the respective
strongSwan versions and should apply with appropriate hunk offsets.
Please prepare updated releases and patch your installations, but do not
yet publicly disclose any information about this vulnerability. We want
to give you as a partner enough time to prepare new releases and will
publicly disclose the vulnerability with the strongSwan 5.5.3 release on
Tue May 30, 14:00 CEST.
As mentioned in the introduction, credit to OSS-Fuzz for finding these
vulnerabilities, and to Sven Defatsch for setting up the integration and
creating the fuzz target.
Our apologies for the inconvenience.
Kind Regards
Tobias Brunner
strongSwan Developer
[1] https://github.com/google/oss-fuzz
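The CHOICE handling described in the advisory, as an added example that is not strongSwan's code: a simplified model of parsing DistributionPointName in which the vulnerable routine treats both alternatives as optional elements inside a loop (and never advances when neither matches), while the fixed routine requires exactly one alternative. The DER bytes, the iteration bound and the function names are constructed for this example.

```python
# Added example, not strongSwan's code: a simplified model of the CHOICE
# handling described in the advisory. All DER bytes and the iteration bound
# are constructed for this example.

# Context-specific tags [0] and [1] (constructed) for the two alternatives.
CHOICES = {0xA0: "fullName", 0xA1: "nameRelativeToCRLIssuer"}


def read_tlv(data, pos):
    """Return (tag, value, next_pos) for a short-form DER TLV at pos, or None."""
    if pos + 2 > len(data):
        return None
    tag, length = data[pos], data[pos + 1]
    if length >= 0x80 or pos + 2 + length > len(data):
        return None  # long-form lengths are out of scope; reject truncated input
    return tag, data[pos + 2:pos + 2 + length], pos + 2 + length


def parse_choice_vulnerable(data, max_iterations=1000):
    """Optional-in-a-loop pattern. Returns the alternatives matched, or None
    if the loop would never terminate (bounded only so this example finishes;
    the real parser spun forever, CVE-2017-9023)."""
    pos, found, iterations = 0, [], 0
    while pos < len(data):
        iterations += 1
        if iterations > max_iterations:
            return None
        tlv = read_tlv(data, pos)
        if tlv is not None and tlv[0] in CHOICES:
            found.append(CHOICES[tlv[0]])
            pos = tlv[2]
        # No alternative matched: pos is not advanced, so the loop repeats.
    return found


def parse_choice_fixed(data):
    """Exactly one alternative must match, and it must consume the whole value."""
    tlv = read_tlv(data, 0)
    if tlv is None or tlv[0] not in CHOICES or tlv[2] != len(data):
        raise ValueError("DistributionPointName: no valid CHOICE alternative")
    return CHOICES[tlv[0]]


def fixed_rejects(data):
    """True if the fixed parser rejects the input."""
    try:
        parse_choice_fixed(data)
        return False
    except ValueError:
        return True


# Constructed inputs: a valid fullName, an unknown tag, and both alternatives.
VALID = bytes([0xA0, 0x02, 0x30, 0x00])
UNKNOWN_TAG = bytes([0x04, 0x01, 0x41])
BOTH = bytes([0xA0, 0x00, 0xA1, 0x00])
```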
May 18 2017
Yeah, if RCE is not possible with these issues, we can probably move this to a P2.
May 26 2017
The NextAction date has arrived: 2017-05-26
May 26 2017
Any idea when 5.5.3 will be available in Gentoo?
May 26 2017
strongswan.org still says 5.5.2 is the latest. 5.5.3 release date is Tuesday of next week according to the advisory. I'm guessing Gentoo will pick it up in a week or two at worst?
May 26 2017
That sounds good.
Jun 7 2017
The NextAction date has arrived: 2017-06-07
Jun 7 2017
5.5.3 is in upstream portage, looking at it now.
Jun 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/b1a2bc0c630f08d2afea86c64e48c2cb2b01b156
commit b1a2bc0c630f08d2afea86c64e48c2cb2b01b156
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Thu Jun 08 06:45:27 2017
net-vpn/strongswan: Bump version to 5.5.3
This fixes a couple of DoS bugs. Also, it has been moved from the net-misc category to net-vpn, so references were updated accordingly.
BUG= chromium:723794
TEST=VPN autotests
CQ-DEPEND=CL:*390750
Change-Id: Ib4b2ef3eed5c19e6f58c1bb87a27a0fe06286f65
Reviewed-on: https://chromium-review.googlesource.com/527684
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
[delete] https://crrev.com/1415f52fba8b27fa762fe6439bdeae602ef2b303/net-misc/strongswan/Manifest
[add] https://crrev.com/b1a2bc0c630f08d2afea86c64e48c2cb2b01b156/net-vpn/strongswan/strongswan-5.5.3-r1.ebuild
[rename] https://crrev.com/b1a2bc0c630f08d2afea86c64e48c2cb2b01b156/net-vpn/strongswan/strongswan-5.5.3.ebuild
[rename] https://crrev.com/b1a2bc0c630f08d2afea86c64e48c2cb2b01b156/net-vpn/strongswan/files/ipsec
[modify] https://crrev.com/b1a2bc0c630f08d2afea86c64e48c2cb2b01b156/chromeos-base/vpn-manager/vpn-manager-9999.ebuild
[add] https://crrev.com/b1a2bc0c630f08d2afea86c64e48c2cb2b01b156/net-vpn/strongswan/Manifest
[modify] https://crrev.com/b1a2bc0c630f08d2afea86c64e48c2cb2b01b156/profiles/targets/chromeos/package.use
[rename] https://crrev.com/b1a2bc0c630f08d2afea86c64e48c2cb2b01b156/net-vpn/strongswan/metadata.xml
Jun 8 2017
The following revision refers to this bug: https://chrome-internal.googlesource.com/chromeos/overlays/overlay-loonix-private/+/b920478f0d4892636343741d1429794e71ad1f99
commit b920478f0d4892636343741d1429794e71ad1f99
Author: Ben Chan <benchan@chromium.org>
Date: Thu Jun 08 06:45:27 2017
Jun 8 2017
Thanks for the fixes! Are we missing any CLs here, or can we mark as fixed?
Sep 15 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by cernekee@chromium.org, May 18 2017