Improper Authentication in strongSwan - CVE-2013-2944
Published: May 2, 2013 / Updated: August 11, 2020
Vulnerability identifier: #VU42852
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2013-2944
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: strongswan.org
Affected software:
strongSwan
strongSwan
Detailed vulnerability description
The vulnerability allows a remote #AU# to read and manipulate data.
strongSwan 4.3.5 through 5.0.3, when using the OpenSSL plugin for ECDSA signature verification, allows remote attackers to authenticate as other users via an invalid signature.
How to mitigate CVE-2013-2944
Install update from vendor's website.
Sources
- http://download.strongswan.org/patches/10_openssl_ecdsa_signature_patch/strongswan-4.3.5-5.0.3_openssl_ecdsa_signature.patch
- http://lists.opensuse.org/opensuse-updates/2013-05/msg00014.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00010.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00121.html
- http://www.debian.org/security/2013/dsa-2665
- http://www.securityfocus.com/bid/59580
- http://www.strongswan.org/blog/2013/04/30/strongswan-5.0.4-released-(cve-2013-2944).html