[Openswan dev] Re: openswan potential DoS in sarge

Martin Schulze joey at infodrom.org
Wed Apr 26 12:54:24 CEST 2006 

Paul Wouters wrote:
> On Sun, 16 Apr 2006, Rene Mayrhofer wrote:
> 
> > [Since I'm CC'ing the list, this is about the pluto crash fixed with 2.4.0,
> > see http://lists.openswan.org/pipermail/dev/2005-April/000844.html for the
> > problem description.]
> 
> For the record, the crasher meantioned here is the one causing: ASSERTION FAILED at
> crypto.c:219: st->st_new_iv_len >= e->enc_blocksize

> > seem to suggest this. So it seems to be secure in the sense that only
> > authorized users can crash it. However, this is typically also seen as a DoS
> > (comparable to local privilege escalation bugs).
> 
> Yes. This one, and the ones frim the IPsec Proto testsuite (that caused us to
> release openswan 2.4.3 and 2.4.4) can only crash pluto in phase2, so some form
> of authentiction has already taken place.

> > > At a first glance this doesn't smell like a security problem (but that
> > > depends on the answers above). Intercompatibility between older and newer
> > > versions is certainly desirable, but OTOH roadwarriors are under control of
> > > the local admin as well and can be forced to run stable on their notebooks
> > > as well.
> > True, but assuming an adversary, it can be a DoS for large gateways with many
> > roadwarriors. The logs should reveal the culprit, but it's still denial of
> > service.
> 
> There are more bugs that should be applied to openswan-2.4.0. For instance the
> documented ones from the IPsec Proto testsuite that were released a while ago
> that caused the release of openswan 2.4.3 and 2.4.4.
> 
> > > Upgrading to 2.4.5 isn't an option in either case, it has the potential to
> > > introduce more regressions and incompatibilities for existing setups, that
> > > it would fix in this specific use case.
> 
> Openswan 2.4 is considered the "stable" tree. If you still think you want to
> cherry pick from those fixes, please look at the cvs mailinglist archive at
> http://lists.openswan.org/pipermail/cvs/ and see which commits you should apply.
> 
> A quick browse tells me:
> http://lists.openswan.org/pipermail/cvs/2005-November/005580.html

Umh, could you give me an idea of what is fixed by this?

> http://lists.openswan.org/pipermail/cvs/2005-November/005557.html

That's a denial of service problem.

However, since the pluto daemon is restarted immediately, there
is no denial of service anymore.

> http://lists.openswan.org/pipermail/cvs/2005-November/005594.html

What is fixed by this one?

> http://lists.openswan.org/pipermail/cvs/2005-November/005593.html

And by this one?

Regards,

	Joey

-- 
Experience is something you don't get until just after you need it.

Please always Cc to me when replying to me on the lists.

More information about the Dev mailing list