IPsec implementations verify_x509cert bypass authentication
ipsec-verifyx509cert-auth-bypass (16515)
Description:
Multiple open-source implementations of IPsec could allow a remote attacker to bypass authentication, caused by improper certificate handling in the verify_x509cert function. A remote attacker who knows a valid distinguished name (DN) could send a spoofed Certificate Authority (CA) certificate containing a specially crafted payload to bypass authentication and gain unauthorized access to the system.
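The defect class behind this record is a chain check that resolves a certificate's issuer by DN among the certificates the peer itself presented, so a self-signed certificate carrying the trusted CA's name satisfies the lookup. The following is an added example, not code from the X-Force record or from any of the IPsec projects it covers. It uses the Python cryptography library and a constructed scenario (a trusted CA, a rogue self-signed certificate copying that CA's DN, and a peer certificate issued by the rogue key; all names and keys are generated locally) to show a naive lookup accepting the spoofed chain beside an anchored check that only terminates at the local trust store.

```python
"""Added example (not from the X-Force record or any IPsec project):
issuer lookup within a peer-supplied bundle versus a check anchored in the
local trust store. All keys, names and certificates are constructed here."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _dn(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _cert(subject, issuer, public_key, signing_key, is_ca):
    """Build a short-lived certificate; BasicConstraints marks CA vs. leaf."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def _signature_ok(cert, issuer_cert):
    """True if cert's signature verifies under issuer_cert's public key."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False


def verify_naive(peer_cert, bundle):
    """Defective pattern: the issuer is found by DN among the certificates
    the peer sent. A self-signed cert whose subject copies the trusted CA's
    DN satisfies the lookup, and its own signature then 'validates' the
    peer certificate."""
    for c in bundle:
        if c.subject == peer_cert.issuer and _signature_ok(peer_cert, c):
            return True
    return False


def verify_anchored(peer_cert, bundle, trust_store, max_depth=4):
    """Hardened pattern: a path may pass through intermediates from the
    bundle, but it only terminates at a certificate in the local trust
    store. A self-signed certificate in the bundle is never an anchor."""
    current = peer_cert
    for _ in range(max_depth):
        for anchor in trust_store:
            if anchor.subject == current.issuer and _signature_ok(current, anchor):
                return True
        nxt = None
        for c in bundle:
            if (c.subject == current.issuer and c.subject != c.issuer
                    and _is_ca(c) and _signature_ok(current, c)):
                nxt = c
                break
        if nxt is None:
            return False
        current = nxt
    return False


def run_scenario():
    """Constructed scenario; returns the verdict of each verifier."""
    trusted_key, rogue_key, peer_key, legit_key = _key(), _key(), _key(), _key()
    ca_name = _dn("Constructed Trusted CA")
    trusted_ca = _cert(ca_name, ca_name, trusted_key.public_key(), trusted_key, True)
    # Rogue self-signed certificate that copies the trusted CA's DN.
    rogue_ca = _cert(ca_name, ca_name, rogue_key.public_key(), rogue_key, True)
    # Peer certificate whose issuer names the trusted CA but is signed by the rogue key.
    spoofed_peer = _cert(_dn("peer.example"), ca_name, peer_key.public_key(), rogue_key, False)
    # Legitimate peer certificate actually issued by the trusted CA.
    legit_peer = _cert(_dn("peer.example"), ca_name, legit_key.public_key(), trusted_key, False)
    bundle = [spoofed_peer, rogue_ca]
    return {
        "naive_accepts_spoofed": verify_naive(spoofed_peer, bundle),
        "anchored_accepts_spoofed": verify_anchored(spoofed_peer, bundle, [trusted_ca]),
        "anchored_accepts_legit": verify_anchored(legit_peer, [legit_peer], [trusted_ca]),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The anchored verifier still accepts intermediates the peer supplies, which is what a PKCS#7 bundle is for; the difference is that trust is decided by the locally configured store, not by any name match inside the bundle.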
Consequences:
Bypass Security
Remedy:
For Openswan:
Upgrade to the latest version (1.0.6 or later and 2.1.4 or later), as listed in Openswan Advisory 2004-06-28. See References.
For strongSwan:
Upgrade to the latest version (2.1.3 or later), available from the strongSwan Web site. See References.
For Gentoo Linux containing the freeswan package:
Upgrade to the latest version of freeswan (1.99-r1 or later and 2.04-r1 or later), as listed in GLSA 200406-20. See References.
For Gentoo Linux containing the openswan package:
Upgrade to the latest version of openswan (1.0.6_rc1 or later and 2.1.4 or later), as listed in GLSA 200406-20. See References.
For Gentoo Linux containing the strongswan package:
Upgrade to the latest version of strongswan (2.1.3 or later), as listed in GLSA 200406-20. See References.
For Mandrake Linux:
Upgrade to the latest freeswan package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2004:070 : freeswan for more information. See References.
Mandrake Linux 9.1: 1.99-3.1.91mdk or later
Mandrake Linux 9.2: 2.01-2.1.92mdk or later
Mandrake Linux Multi Network Firewall 8.2: 1.98b-2.2.M82mdk or later
Mandrake Linux Corporate Server 2.1: 1.98b-3.1.C21mdk or later
Mandrake Linux 10.0: 2.04-3.1.100mdk or later
Upgrade to the latest super-freeswan package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2004:070-1 : super-freeswan for more information. See References.
Mandrake Linux 10.0: 1.99.8-8.2.100mdk or later
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- GLSA 200406-20: FreeS/WAN, Openswan, strongSwan: Vulnerabilities in certificate handling.
- Openswan Advisory 2004-06-28: Certificate chain authentication in Openswan pluto.
- strongSwan Web site: strongSwan - IPsec for Linux.
- BID-10611: FreeS/WAN X.509 Patch Certificate Verification Vulnerability.
- CVE-2004-0590: FreeS/WAN 1.x and 2.x, and other related products including superfreeswan 1.x, openswan 1.x before 1.0.6, openswan 2.x before 2.1.4, and strongSwan before 2.1.3, allows remote attackers to authenticate using spoofed PKCS#7 certificates in which a self-signed certificate identifies an alternate Certificate Authority (CA) and spoofed issuer and subject.
- GLSA-200406-20: FreeS/WAN, Openswan, strongSwan: Vulnerabilities in certificate handling.
- MDKSA-2004:070: Updated freeswan and super-freeswan packages fix certificate chain authentication vulnerability.
- MDKSA-2004:070-1: Updated freeswan and super-freeswan packages fix certificate chain authentication vulnerability.
Platforms Affected:
- Gentoo Linux
- Linux FreeS/WAN FreeS/WAN 1.x
- Linux FreeS/WAN FreeS/WAN 2.x
- MandrakeSoft Mandrake Linux 10.0
- MandrakeSoft Mandrake Linux 10.0 AMD64
- MandrakeSoft Mandrake Linux 9.1
- MandrakeSoft Mandrake Linux 9.2
- MandrakeSoft Mandrake Linux 9.2 AMD64
- MandrakeSoft Mandrake Linux Corporate Server 2.1 X86_64
- MandrakeSoft Mandrake Linux Corporate Server 2.1
- MandrakeSoft Mandrake Multi Network Firewall 8.2
- Open Source Openswan 1.x - 1.0.5
- Open Source Openswan 2.x - 2.1.1
- strongSwan strongSwan prior to 2.1.3
Reported:
Jun 25, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
