1. Gentoo Linux Security Advisory
Advisory Reference: GLSA 200406-20 / Openswan
Release Date: June 25, 2004
Latest Revision: May 22, 2006: 02
Impact: normal
Exploitable: remote
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| --- | --- | --- | --- |
| net-misc/freeswan | < 2.04-r1 | >= 2.04-r1, = 1.99-r1 | All supported architectures |
| net-misc/openswan | < 2.1.4 | >= 2.1.4, = 1.0.6_rc1 | All supported architectures |
| net-misc/strongswan | < 2.1.3 | >= 2.1.3 | All supported architectures |
| net-misc/super-freeswan | <= 1.99.7.3 | | All supported architectures |
Related bug reports: No related Gentoo bug reports
FreeS/WAN, Openswan, strongSwan and Super-FreeS/WAN contain two bugs when authenticating PKCS#7 certificates. This could allow an attacker to authenticate with a fake certificate.
FreeS/WAN, Openswan, strongSwan and Super-FreeS/WAN are open source implementations of IPsec for the Linux operating system. They are all based on the discontinued FreeS/WAN project.
All of these IPsec implementations have several bugs in the verify_x509cert() function, which performs certificate validation, that make them vulnerable to malicious PKCS#7-wrapped objects.
With a carefully crafted certificate payload an attacker can successfully authenticate against FreeS/WAN, Openswan, strongSwan or Super-FreeS/WAN, or make the daemon go into an endless loop.
There is no known workaround at this time. All users are encouraged to upgrade to the latest available version.
All FreeS/WAN 1.9x users should upgrade to the latest stable version:
Code Listing 3.1: Resolution

```
# emerge sync
# emerge -pv "=net-misc/freeswan-1.99-r1"
# emerge "=net-misc/freeswan-1.99-r1"
```
All FreeS/WAN 2.x users should upgrade to the latest stable version:
Code Listing 3.2: Resolution

```
# emerge sync
# emerge -pv ">=net-misc/freeswan-2.04-r1"
# emerge ">=net-misc/freeswan-2.04-r1"
```
All Openswan 1.x users should upgrade to the latest stable version:
Code Listing 3.3: Resolution

```
# emerge sync
# emerge -pv "=net-misc/openswan-1.0.6_rc1"
# emerge "=net-misc/openswan-1.0.6_rc1"
```
All Openswan 2.x users should upgrade to the latest stable version:
Code Listing 3.4: Resolution

```
# emerge sync
# emerge -pv ">=net-misc/openswan-2.1.4"
# emerge ">=net-misc/openswan-2.1.4"
```
All strongSwan users should upgrade to the latest stable version:
Code Listing 3.5: Resolution

```
# emerge sync
# emerge -pv ">=net-misc/strongswan-2.1.3"
# emerge ">=net-misc/strongswan-2.1.3"
```
All Super-FreeS/WAN users should migrate to the latest stable version of Openswan. Note that Portage will force a move for Super-FreeS/WAN users to Openswan.
Code Listing 3.6: Resolution

```
# emerge sync
# emerge -pv "=net-misc/openswan-1.0.6_rc1"
# emerge "=net-misc/openswan-1.0.6_rc1"
```
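As a local "am I affected?" check for the package table above, here is an added Python example that is not part of the advisory or of Gentoo's own glsa-check: it encodes the vulnerable and unaffected ranges as data, compares Gentoo-style version strings against them (unaffected ranges take precedence, as with freeswan 1.99-r1), and, when run on a Gentoo host, reads installed versions from the Portage package database. The /var/db/pkg path and the simplified version grammar are assumptions.

```python
import os
import re

# Affected-package table from GLSA 200406-20, transcribed as data:
# package -> (vulnerable version specs, unaffected version specs).
GLSA_200406_20 = {
    "net-misc/freeswan":       (["<2.04-r1"],   [">=2.04-r1", "=1.99-r1"]),
    "net-misc/openswan":       (["<2.1.4"],     [">=2.1.4", "=1.0.6_rc1"]),
    "net-misc/strongswan":     (["<2.1.3"],     [">=2.1.3"]),
    "net-misc/super-freeswan": (["<=1.99.7.3"], []),
}

# Simplified Gentoo version grammar (assumption): dotted digits, optional
# _alpha/_beta/_pre/_rc/_p suffix, optional -rN revision; no leading-zero rule.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$")
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}

def version_key(ver):
    """Sort key giving 1.0.6_rc1 < 1.0.6 < 1.0.6-r1 < 1.99 < 2.04."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    nums, suffix, sufnum, rev = m.groups()
    return (tuple(int(x) for x in nums.split(".")),
            _SUFFIX_RANK[suffix], int(sufnum or 0), int(rev or 0))

def matches(installed, spec):
    """True if the installed version satisfies one spec such as '>=2.1.4'."""
    op, ver = re.match(r"^(<=|>=|<|>|=)(.+)$", spec).groups()
    a, b = version_key(installed), version_key(ver)
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b, "=": a == b}[op]

def is_vulnerable(package, installed):
    """Unaffected specs win: freeswan 1.99-r1 is below 2.04-r1 but is patched."""
    vulnerable, unaffected = GLSA_200406_20[package]
    if any(matches(installed, s) for s in unaffected):
        return False
    return any(matches(installed, s) for s in vulnerable)

def installed_packages(vdb="/var/db/pkg"):
    """Yield (package, version) for advisory packages found in the Portage VDB."""
    cat = os.path.join(vdb, "net-misc")
    for entry in (sorted(os.listdir(cat)) if os.path.isdir(cat) else []):
        m = re.match(r"^(.+?)-(\d\S*)$", entry)  # split name from version
        if m and f"net-misc/{m.group(1)}" in GLSA_200406_20:
            yield f"net-misc/{m.group(1)}", m.group(2)

if __name__ == "__main__":
    for pkg, ver in installed_packages():
        print(pkg, ver, "VULNERABLE" if is_vulnerable(pkg, ver) else "ok")
```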