From 79b272949080bf5938df1c5affe7b4bc631a81b7 Mon Sep 17 00:00:00 2001
From: Andreas Steffen
Date: Mon, 30 Mar 2009 03:47:14 +0000
Subject: [PATCH] fixed DPD null state bug
---
 NEWS | 10 ++++++++++
 src/pluto/ipsec_doi.c | 8 ++++----
 src/pluto/vendor.c | 1 +
 src/pluto/vendor.h | 1 +
 4 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/NEWS b/NEWS
index d30fcc32f..83308c772 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,16 @@ strongswan-4.2.14
 relays EAP messages to and from a RADIUS server. Succesfully tested with with a freeradius server using EAP-MD5 and EAP-SIM.
+- A vulnerability in the Dead Peer Detection (RFC 3706) code was found by
+ Gerd v. Egidy of Intra2net AG affecting
+ all Openswan and strongSwan releases. A malicious (or expired ISAKMP)
+ R_U_THERE or R_U_THERE_ACK Dead Peer Detection packet can cause the
+ pluto IKE daemon to crash and restart. No authentication or encryption
+ is required to trigger this bug. One spoofed UDP packet can cause the
+ pluto IKE daemon to restart and be unresponsive for a few seconds while
+ restarting. This DPD null state vulnerability has been officially
+ registered as CVE-2009-0790 and is fixed by this release.
+
 - ASN.1 to time_t conversion caused a time wrap-around for dates after Jan 18 03:14:07 UTC 2038 on 32-bit platforms. As a workaround such dates are set to the maximum representable
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index b59fe3c87..f22cdbd04 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -5446,9 +5446,9 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p
 time_t tm = now();
 u_int32_t seqno;
- if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+ if (st == NULL || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
 {
- loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISKAMP SA");
+ loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISAKMP SA");
 return STF_IGNORE;
 }
 if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
@@ -5516,10 +5516,10 @@ dpd_inR(struct state *st, struct isakmp_notification *const n, pb_stream *pbs)
 {
 u_int32_t seqno;
- if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+ if (st == NULL || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
 {
 loglog(RC_LOG_SERIOUS
- , "DPD: Received R_U_THERE_ACK for unestablished ISKAMP SA");
+ , "DPD: Received R_U_THERE_ACK for unestablished ISAKMP SA");
 return STF_FAIL;
 }
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index f548779cf..3f682b2ba 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -242,6 +242,7 @@ static struct vid_struct _vid_tab[] = {
 DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
 DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
+ DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.9")
 DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.8")
 DEC_MD5_VID(STRONGSWAN_2_8_7, "strongSwan 2.8.7")
 DEC_MD5_VID(STRONGSWAN_2_8_6, "strongSwan 2.8.6")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index e61c098aa..70d1ad4d1 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -94,6 +94,7 @@ enum known_vendorid {
 VID_STRONGSWAN_2_8_6 = 72,
 VID_STRONGSWAN_2_8_7 = 73,
 VID_STRONGSWAN_2_8_8 = 74,
+ VID_STRONGSWAN_2_8_9 = 75,
 VID_STRONGSWAN_4_0_0 = 80,
 VID_STRONGSWAN_4_0_1 = 81,
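Review bot: The new `st == NULL` guard in dpd_inI_outR folds the no-such-SA case into the existing "unestablished ISAKMP SA" log line and the same STF_IGNORE exit, so a log reader cannot tell a DPD notify whose cookies matched no state at all (the unauthenticated spoofed-packet case the NEWS entry describes) from a premature R_U_THERE on an SA that is genuinely still negotiating; the second hunk in dpd_inR has the same shape. Splitting the condition keeps the fix and makes the two cases separately countable in the log, e.g. `if (st == NULL) { loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unknown ISAKMP SA"); return STF_IGNORE; }` placed ahead of the existing check, with the matching R_U_THERE_ACK wording in dpd_inR. Both log calls are reachable before any authentication of the packet, so unless the caller that resolves the cookies to st (outside this hunk) already rate-limits, a burst of spoofed notifies is reflected one-for-one at RC_LOG_SERIOUS — worth confirming. The bodies of dpd_inI_outR and dpd_inR both continue past their hunks.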
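Review bot: The added entry `DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.9")` pairs the 2.8.9 vendor string with the 2.8.8 identifier, so the VID_STRONGSWAN_2_8_9 = 75 value this commit adds in vendor.h is never referenced, and — assuming DEC_MD5_VID maps its first argument to the matching VID_ constant as the neighbouring rows suggest — a peer announcing 2.8.9 would be classified as 2.8.8. The line should read `DEC_MD5_VID(STRONGSWAN_2_8_9, "strongSwan 2.8.9")`. The _vid_tab initializer starts before this hunk and continues after it.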