Security Updates for strongSwan
The developers of strongSwan, the free IPsec implementation, have released new versions and patches to eliminate two denial of service vulnerabilities in the IKEv2 Charon, key exchange daemon. One vulnerability allows a malformed IKE_SA_INIT request to leave the Charon daemon in an incomplete state, which could lead to a crash if CREATE_CHILD_SA was received later. The other vulnerability could be triggered by a malformed IKE_AUTH request that was missing its traffic selector payload, which would also cause the IKEv2 Charon to crash.
In practice, these vulnerabilities could lead to deterioration in existing VPN connections and, if repeated, cause communications to come to a halt. The problem affects versions of strongSwan 4.1.0 to 4.3.0. Fixes are included in versions 4.2.15 and 4.3.1 which are available to download and patches have also been published.
See also:
- IKE_AUTH problem description
- patch for the IKE_AUTH issue
- IKE_SA_INIT problem description
- Patch for IKE_SA_INIT issue
(djwm)