Wind River Support Network


LIN6-13025 : Two CVEs about strongSwan, please fix it for both WRL6.0 and WRL4.3

Created: May 23, 2017    Updated: Dec 3, 2018
Resolved Date: Jun 19, 2017
Found In Version:
Fix Version:
Severity: Severe
Applicable for: Wind River Linux 6
Component/s: Networking


The customer found two vulnerabilities in strongSwan in wrlinux6:


We found two new CVEs about strongSwan. Here is the detailed information; please review and fix them for both WRL4.3 and WRL6.0:

We recently started fuzzing some of our plugins using Google's OSS-Fuzz infrastructure [1]. This led to the discovery of several bugs. Two of them may lead to denial-of-service attacks. One affects the gmp plugin, the other the ASN.1 parser in combination with the x509 plugin.

# Insufficient Input Validation in gmp Plugin 

RSA public keys passed to the gmp plugin aren't validated sufficiently before attempting signature verification, so that invalid input might lead to a floating point exception. Affected are all strongSwan versions since 4.4.0 including the latest 5.5.2. 

CVE-2017-9022 has been assigned for this vulnerability. 

With strongSwan 4.4.0 the gmp plugin started to use mpz_powm_sec(), if available, for side-channel-free exponentiation. Compared to mpz_powm() this function has two additional requirements regarding the passed exponent and modulus: The exponent must be larger than zero and the modulus must be odd. If these requirements are not met the calculations performed by libgmp will result in a floating point exception that crashes the whole process. Until now the plugin simply replaced mpz_powm() with mpz_powm_sec() without any additional input checks. So a certificate with an appropriately prepared public key sent by a peer could be used for a denial-of-service attack.

Remote code execution is not possible due to this issue. 

# Incorrect Handling of CHOICE types in ASN.1 parser and x509 plugin 

ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when parsing X.509 certificates with extensions that use such types. This could lead to infinite looping of the thread parsing a specifically crafted certificate. Affected are all strongSwan versions including the latest 5.5.2 (please note that patches for versions < 4.4.0 are not provided). 

CVE-2017-9023 has been assigned for this vulnerability. 

Several extensions in X.509 certificates use CHOICE types to allow exactly one of several possible sub-elements. An extension that's defined like this, which strongSwan always supported, is CRLDistributionPoints, where the optional distributionPoint is defined as follows: 

    DistributionPointName ::= CHOICE {
        fullName                [0] GeneralNames,
        nameRelativeToCRLIssuer [1] RelativeDistinguishedName }

So it may either be a GeneralName or an RDN but not both and one of them must be present if there is a distributionPoint. So far the x509 plugin and ASN.1 parser treated the choices simply as optional elements inside of a loop, without enforcing that exactly one of them was parsed (or that any of them were matched). This led to the issue that if none of the options were found the parser was stuck in an infinite loop. Other extensions that are affected are ipAddrBlocks (supported since 4.3.6) and CertificatePolicies (since 4.5.1).

A similar issue, for which no separate CVE is assigned, affects the nameConstraints extension (supported since 4.5.1), where the x509 plugin incorrectly defined a parsing rule with a loop, where there was none defined, so that invalid data could lead to an infinite loop. 

Remote code execution is not possible due to these issues. 
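
The exactly-one rule for the DistributionPointName CHOICE described above, as an added example (not strongSwan's parser or its patch): a stand-alone C sketch that parses the content of a distributionPoint field and fails when no alternative matches, instead of retrying. The names read_tlv and parse_dp_name are hypothetical, and the tags 0xA0/0xA1 assume the constructed context-specific [0]/[1] encodings of the two alternatives.

```c
#include <stddef.h>
#include <stdint.h>

/* Read one TLV at buf. On success store the tag, content pointer and content
 * length, and return the total bytes consumed (always > 0). Returns 0 on
 * truncated input or a length form this sketch does not support. */
static size_t read_tlv(const uint8_t *buf, size_t len, uint8_t *tag,
                       const uint8_t **val, size_t *val_len)
{
    size_t hdr = 2, n = 0;

    if (len < 2)
        return 0;
    *tag = buf[0];
    if (buf[1] < 0x80) {
        n = buf[1];                          /* short-form length */
    } else {
        size_t cnt = buf[1] & 0x7f;          /* long form: cnt length bytes */
        if (cnt == 0 || cnt > 2 || len < 2 + cnt)
            return 0;                        /* indefinite or oversized: reject */
        for (size_t i = 0; i < cnt; i++)
            n = (n << 8) | buf[2 + i];
        hdr += cnt;
    }
    if (n > len - hdr)
        return 0;                            /* content runs past the buffer */
    *val = buf + hdr;
    *val_len = n;
    return hdr + n;
}

/* Parse the content of a distributionPoint field as DistributionPointName.
 * Returns 0 for fullName [0], 1 for nameRelativeToCRLIssuer [1], and -1 if
 * no alternative matches or the content is not exactly one element. */
int parse_dp_name(const uint8_t *buf, size_t len,
                  const uint8_t **val, size_t *val_len)
{
    uint8_t tag;
    size_t used = read_tlv(buf, len, &tag, val, val_len);

    if (used == 0 || used != len)
        return -1;              /* nothing parsed, or a trailing second element */
    switch (tag) {
    case 0xA0: return 0;        /* [0] constructed: fullName */
    case 0xA1: return 1;        /* [1] constructed: nameRelativeToCRLIssuer */
    default:   return -1;       /* unmatched tag: fail rather than loop */
    }
}
```

Every path either consumes the whole buffer or returns -1, so input that matches neither alternative cannot leave the caller waiting on the parser.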
