DoS vulnerabilities in Openswan and Strongswan removed
The developers of Openswan, the Linux IPsec implementation, have released new versions and patches to fix a denial of service vulnerability in the pluto IKE daemon. According to the report, the pluto daemon can crash and restart when it receives malformed Dead Peer Detection (DPD) packets, which in practice can disrupt existing VPN connections. If such DPD packets are sent repeatedly, the connection may also be brought down entirely.
DPD messages are exchanged between VPN gateways to determine whether the other gateway is still reachable; if it is not, the connection is deleted so that a new one can be established.
According to the report, the bug is triggered when one end of a VPN connection has expired an ISAKMP (Internet Security Association and Key Management Protocol) state while the other end is still using the old state to send DPD notifications. When such a DPD message arrives, the lookup for the state fails and the daemon dereferences a null pointer. Because the lookup takes place before any encryption or decryption, a single spoofed UDP packet is enough to provoke a crash.
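As an added illustration (not Openswan's or strongSwan's own code), the following hypothetical model shows the failure mode the report describes: the DPD handler looks up an ISAKMP SA by its cookie pair before any decryption, the lookup returns NULL once this end has expired the SA, and the hardened handler drops the notification instead of dereferencing the missing state. Names such as `find_state` and `handle_dpd_notify` are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ISAKMP state table; not pluto's real data structures. */
#define MAX_STATES 8

struct isakmp_state {
    uint64_t icookie, rcookie;   /* ISAKMP cookies identifying the SA */
    int in_use;
    uint32_t dpd_seqno;          /* highest DPD sequence number accepted */
};

static struct isakmp_state states[MAX_STATES];

/* Look up an SA by cookie pair. Returns NULL when no SA matches, e.g. after
 * this end has expired the SA while the peer still sends DPD for it. */
static struct isakmp_state *find_state(uint64_t ic, uint64_t rc)
{
    for (int i = 0; i < MAX_STATES; i++)
        if (states[i].in_use && states[i].icookie == ic && states[i].rcookie == rc)
            return &states[i];
    return NULL;
}

int add_state(uint64_t ic, uint64_t rc)
{
    for (int i = 0; i < MAX_STATES; i++) {
        if (states[i].in_use) continue;
        states[i] = (struct isakmp_state){ ic, rc, 1, 0 };
        return 0;
    }
    return -1; /* table full */
}

void expire_state(uint64_t ic, uint64_t rc)
{
    struct isakmp_state *st = find_state(ic, rc);
    if (st) memset(st, 0, sizeof *st);
}

/* Hardened DPD notify handler. The lookup runs before any decryption, so an
 * unauthenticated packet may name an SA we no longer hold: the vulnerable
 * variant dereferenced `st` unconditionally here. Returns 0 if accepted,
 * -1 if dropped (unknown SA, or old/replayed sequence number). */
int handle_dpd_notify(uint64_t ic, uint64_t rc, uint32_t seqno)
{
    struct isakmp_state *st = find_state(ic, rc);
    if (st == NULL) {
        fprintf(stderr, "DPD notify for unknown ISAKMP SA, dropped\n");
        return -1;
    }
    if (seqno <= st->dpd_seqno) return -1;
    st->dpd_seqno = seqno;
    return 0;
}
```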
The bug affects the current Openswan 2.6.20 and strongSwan 4.2.13, the "maintenance mode" versions Openswan 2.4.13 and strongSwan 2.8.8, and earlier versions of each branch. Also affected are the no longer supported Superfreeswan 1.9x, Openswan 1.x, 2.0.x-2.3.1 and 2.5.x versions. The issue is fixed in Openswan 2.6.21, strongSwan 4.2.14, Openswan 2.4.14 and strongSwan 2.8.9, which are available for download. The developers strongly encourage users to upgrade to these versions.
- Remote DoS Vulnerability in Openswan and Strongswan, Openswan advisory
- Changelog strongSwan 4.2.14, change log for strongSwan