ESB-2018.2864 - [UNIX/Linux][Debian] strongswan: Multiple vulnerabilities 2018-09-25

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2864
                        strongswan security update
                             25 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           strongswan
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16152 CVE-2018-16151 

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4305

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running strongswan check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4305-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
September 24, 2018                    https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : strongswan
CVE ID         : CVE-2018-16151 CVE-2018-16152

Sze Yiu Chau and his team from Purdue University and The University of Iowa
found several issues in the gmp plugin for strongSwan, an IKE/IPsec suite.

Problems in the parsing and verification of RSA signatures could lead to a
Bleichenbacher-style low-exponent signature forgery in certificates and during
IKE authentication.

While the gmp plugin doesn't allow arbitrary data after the ASN.1 structure
(the original Bleichenbacher attack), the ASN.1 parser is not strict enough and
allows data in specific fields inside the ASN.1 structure.

Only installations using the gmp plugin are affected (on Debian OpenSSL plugin
has priority over GMP one for RSA operations), and only when using keys and
certificates (including ones from CAs) using keys with an exponent e = 3, which
is usually rare in practice.

CVE-2018-16151

    The OID parser in the ASN.1 code in gmp allows any number of random bytes
    after a valid OID.

CVE-2018-16152

    The algorithmIdentifier parser in the ASN.1 code in gmp doesn't enforce a
    NULL value for the optional parameter which is not used with any PKCS#1
    algorithm.

For the stable distribution (stretch), these problems have been fixed in
version 5.5.1-4+deb9u3.

We recommend that you upgrade your strongswan packages.

For the detailed security status of strongswan please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/strongswan

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAluo4U0ACgkQ3rYcyPpX
RFv1HQf9Fn8JyDrflvxIsTb0vkgyTPMn6d1QKsO58I00HNh+AWL3RvK1k7uFCHgr
C+pZDxbE5LdEypZ8hHdhxRH1hrnWlYCZjLrm8RojuPo7E6N9w9AnXdztSpqHR3G/
PFm/u4FC+l/Qh9imKZoUjGGItDOT5WGvKNeS+cZNIVmz1uoOwdJuEaDSBlv4pSeh
tDi3GtXdLjPzLk/sw0o732zpyPd9RCQqABryamK6dco4EI9BmFHwwhaepXV0pH7W
JEk7Cqow1XYUnPAZg1CqHE/vYdWu2SCEBetvAyhchTp+ZmG1icHy6zQA48pOQ7VP
8ezE8lP9+j/2ZGmORCsyyua5FYaLbA==
=4jkg
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW6mRV2aOgq3Tt24GAQg+/xAAp9Br4n4NrRlXyYEWNaQBfmlLHfHVzSlq
d0Um4t1PSTyifnAmmz1Qx3HtH1TeKnvHktl97av8mdrXNHxPsCJXIb514pC3XmtG
EPK3dJagFEKNqA1/gSTUw1XToTM1+k45yB42nqWyZGGzDrmVbXidVJBuZQJO7dXi
rT56pgSQZs4uCeOeOXSAQXFiTScr/pGumFIjskSFyuKT+S8ChCXnGLpmoT7M0El5
mBzaE8jNbQLmEMjMkqAD3layEYYexpcPxGaFptyhgnJnLZpWpd8B8jDw4pSyklKX
TdK+bTeFEbOJGSuHHs981duKidiYQidm7Tj4m+cCUg5V0iCe0vu9qewGOvVdwoLd
RhI3VydEZL6QhNSElGk34mA3H06kJr/a6ESmFFUf/fEyZSx1p4N+sXfBwwf5iJ8R
jZWVEh7u01lP6b5rMva2TARzDxtUOtdaupPIVzdbFXVDjDq17f9K0G5AQuPuKyQt
J6iAW+EUSQdnDCanilyl3CgDsq8zFxtSv7fpYbcq+DkcnHvY9oTNCHPS6AfN3JTR
zMDg5dFMiNC+6OIgBefCVOj9dwGz+Z5S+/qqLj6XrEuVwO9z0Gwy1kbwS58VeO/t
Lq0wvNOQH247Jn+fcZZr+Owbv3YVDiBy9vJfBY7InOPBYIhrfNSqrh1dJy2tUabW
1Mgl3gWNKW4=
=BJwc
-----END PGP SIGNATURE-----

« Back to bulletins